HIPAA Privacy Rule: Excluded Records, Entities, and Practical Examples

Kevin Henry

HIPAA

February 20, 2025

Excluded Employment Records

What the exclusion covers

The HIPAA Privacy Rule does not apply to employment records held by an employer, even when the employer is also a covered entity. These files are not Protected Health Information (PHI) because they are maintained for employment purposes, not for health care operations or treatment.

Common scenarios

  • Leave requests and certifications (for example, FMLA forms) stored by Human Resources.
  • Workplace accommodation requests, fitness-for-duty notes, and drug or alcohol testing results kept in personnel files.
  • Employee COVID-19 vaccination or test documentation collected and retained by the employer.

Key boundary to manage

Information remains PHI while it resides with a provider or health plan. Once disclosed to and kept by the employer as part of the employment record, that copy falls under the Employment Records Exclusion. You should still protect it under other laws and policies (for example, ADA confidentiality) and segregate it from clinical records.

Non-Covered Entities

Who is outside HIPAA

HIPAA applies to Covered Entities (health plans, health care clearinghouses, and most health care providers that conduct standard electronic transactions) and their Business Associates. Organizations that are neither covered entities nor acting as business associates are outside the Privacy Rule Scope.

  • Employers and most life, disability, and workers’ compensation insurers.
  • Consumer health apps, wearables, and wellness platforms that are not operating for a covered entity.
  • Schools and universities when records are governed by FERPA rather than HIPAA.
  • Law enforcement agencies, courts, and many community organizations not providing standard electronic billing.

When a non-covered organization performs a function for a covered entity that involves PHI, it must sign a business associate agreement; otherwise, HIPAA does not apply.

De-Identified Health Information

When data is no longer PHI

De-identified information is outside HIPAA because it does not identify an individual and cannot reasonably be used to do so. De-Identification Standards recognize two methods: (1) Safe Harbor—removal of specified direct identifiers; and (2) Expert Determination—documented analysis showing very small re-identification risk.

A limited data set removes most direct identifiers but may retain dates and certain geography. It is still protected health information and requires a data use agreement. Only fully de-identified data falls outside the Privacy Rule Scope.
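As an added example (not code from the article or from Accountable), the Python below applies the limited data set and Safe Harbor rules just described to a constructed patient record and classifies the result as PHI, limited data set, or de-identified. The field names, the sample values, and the caller-supplied small_zip3_areas set are assumptions; Expert Determination is not modeled.

```python
# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "12 Example Lane", "city": "Springfield",
    "state": "IL", "zip": "62704", "birth_date": "1932-05-14",
    "admission_date": "2024-03-02", "age": 92, "phone": "555-0100",
    "mrn": "MRN-000123", "ip_address": "192.0.2.10", "diagnosis": "Type 2 diabetes",
}

# Direct identifiers: both a limited data set and Safe Harbor output must drop these
# (assumed field names standing in for names, street address, contact details,
# record/account numbers, device and network identifiers).
DIRECT_IDENTIFIERS = {"name", "street", "phone", "email", "ssn", "mrn",
                      "account_number", "device_id", "ip_address", "url"}
# Date fields a limited data set may keep but Safe Harbor reduces to the year.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def limited_data_set(record):
    """Remove direct identifiers only; dates, city/state/ZIP and age survive.
    The result is still PHI and may be shared only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, small_zip3_areas=frozenset()):
    """Apply the Safe Harbor generalizations on top of the limited data set.
    small_zip3_areas (assumption: supplied by the caller from census data) lists
    3-digit ZIP prefixes covering 20,000 people or fewer; those collapse to '000'."""
    out = limited_data_set(record)
    out.pop("city", None)                      # subdivisions below state level go
    if "zip" in out:
        zip3 = out["zip"][:3]
        out["zip"] = "000" if zip3 in small_zip3_areas else zip3
    for field in DATE_FIELDS:                  # dates keep the year only
        if field in out:
            out[field] = out[field][:4]
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"                     # ages over 89 are aggregated
    return out


def classify(record):
    """Return 'PHI', 'limited data set' or 'de-identified' for a record."""
    if DIRECT_IDENTIFIERS & record.keys():
        return "PHI"                           # any direct identifier present
    # No direct identifiers: if Safe Harbor would still change something
    # (full dates, city, 5-digit ZIP, age over 89), it is only a limited data set.
    return "de-identified" if safe_harbor(record) == record else "limited data set"
```

Run classify on each stage of a sharing pipeline to confirm that only the Safe Harbor output leaves the Privacy Rule's scope.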

Personal Health Records

When HIPAA applies

Personal Health Records (PHRs) provided by or on behalf of a provider or health plan—such as a patient portal hosted by a business associate—contain PHI and are protected by HIPAA. The covered entity remains responsible for Health Information Privacy, even when a vendor hosts the platform.

When HIPAA does not apply

Consumer-directed PHRs that you create or store with a standalone app or device vendor, without a connection to a covered entity, are typically not subject to HIPAA. Other laws (for example, consumer protection or state privacy statutes) may govern these records instead.

Public Health and Educational Exceptions

Public health disclosures

The Privacy Rule permits disclosures of PHI without authorization for public health activities, such as reporting communicable diseases, adverse events, or vital statistics. These disclosures must be limited to the minimum necessary for the stated purpose.

Educational records under FERPA

Education records and certain student treatment records maintained by schools or universities are governed by FERPA. Because FERPA applies, those records are excluded from HIPAA. For example, a K–12 school nurse’s student file is an education record, not HIPAA PHI.

Practical Examples of Exclusions

  • HR keeps an employee’s medical leave certification: employment record, not PHI under HIPAA.
  • A fitness app tracks your steps and heart rate for personal use: typically outside HIPAA unless the app operates for a covered entity.
  • University student clinic records used solely for student treatment and not disclosed beyond the school: governed by FERPA, not HIPAA.
  • A hospital provides a de-identified dataset to a researcher: not PHI if it meets De-Identification Standards.
  • An employer-run wellness program collects health surveys directly and stores them in personnel files: generally not HIPAA, but other laws may apply.
  • A life insurer requests medical records with your authorization: the insurer is usually not a covered entity; HIPAA obligations rest with the releasing provider or plan.
  • Disclosure of PHI to a public health authority for disease reporting: permitted by HIPAA; the authority itself is not bound by HIPAA unless it is also a covered entity.
  • Workers’ compensation claim files held by an employer or insurer: generally outside HIPAA; providers may disclose PHI as permitted by law for such claims.

Compliance Implications

Operational steps

  • Map your Privacy Rule Scope: identify covered-entity functions, business associate roles, and non-covered activities.
  • Classify records: distinguish PHI from employment records, FERPA education records, and de-identified data; document the basis.
  • Segregate and secure: keep employment files separate from clinical records; apply role-based access and retention controls.
  • Manage vendors: execute business associate agreements where PHI is handled; require safeguards and breach reporting.
  • Apply De-Identification Standards when sharing datasets; use limited data sets and data use agreements when full de-identification is not feasible.
  • Train your workforce on permitted uses and disclosures, minimum necessary, and the boundaries of excluded records.
  • When HIPAA does not apply, assess other frameworks (for example, FERPA, FTC, ADA, state privacy laws) to ensure comprehensive Health Information Privacy compliance.

FAQs

What records are excluded from HIPAA Privacy Rule coverage?

The primary exclusions are employment records held by an employer, education records and certain student treatment records governed by FERPA, and information that has been de-identified under HIPAA’s De-Identification Standards. Consumer PHR data maintained by standalone apps may also fall outside HIPAA.

Which entities are not covered by HIPAA?

Entities that are not covered entities or business associates—such as employers, many life and disability insurers, most schools under FERPA, law enforcement, and consumer health app vendors operating independently—are generally not subject to HIPAA.

How is de-identified information treated under HIPAA?

Once data is de-identified using Safe Harbor or Expert Determination so that individuals cannot reasonably be identified, it is no longer PHI and falls outside HIPAA. If a limited data set is used, HIPAA still applies and a data use agreement is required.

Are personal health records always protected by HIPAA?

No. PHRs are covered by HIPAA only when offered by or on behalf of a covered entity (for example, a provider’s patient portal). Standalone consumer PHRs not connected to a covered entity are typically outside HIPAA, though other privacy and consumer protection laws may apply.
