HIPAA Privacy Rule Exclusions: What’s Not Covered, With Examples


Kevin Henry

HIPAA

February 20, 2025


The HIPAA Privacy Rule protects the confidentiality of Protected Health Information (PHI) held by covered entities and their business associates. Equally important are the boundaries—clear exclusions that fall outside HIPAA or are treated differently. Understanding these HIPAA Privacy Rule exclusions helps you decide when HIPAA applies, when it does not, and what safeguards remain prudent.

Below, you’ll find each exclusion area explained plainly, with practical examples and decision tips. Where relevant, you’ll see how De-Identification Standards, the Public Health Exception, Law Enforcement Inquiry Compliance, and research pathways like Institutional Review Board review or a Privacy Board Waiver fit in.

Employment Records

Employment records that an employer maintains in its role as employer are not PHI, even if they contain health information. HIPAA regulates covered providers, health plans, and clearinghouses—not employers acting as employers. The same hospital can be both a covered provider for patient care and an employer for HR matters; what counts is the role in which the information is held.

By contrast, the same individual’s medical chart created for clinical care remains PHI within the provider’s records. If any portion is shared with the employer, that employer-held copy becomes an employment record, not PHI, though other laws (for example, ADA, FMLA, or state privacy rules) may still apply.

Examples

  • Fit-for-duty exam results sent to HR for staffing decisions (employment record, not PHI).
  • FMLA certifications, workers’ compensation claim files, and ADA accommodation documents (employment records, not PHI).
  • Workplace injury logs kept for safety reporting (employment records, not PHI).
  • Caveat: The clinician’s underlying treatment notes in the hospital’s EHR remain PHI within the clinical record.

Education Records

Education records and certain treatment records that are subject to FERPA are excluded from HIPAA. Health records maintained by a school nurse or a university clinic in their capacity as part of the educational institution are generally FERPA records, not PHI, even if they contain health details.

However, when a student receives care at an unaffiliated community hospital, those hospital records are PHI because the hospital is a covered entity and not part of the school’s FERPA-covered environment.

Examples

  • K–12 school nurse immunization logs and student health files (FERPA education records, not PHI).
  • University counseling center notes used only for the student’s treatment within the institution (FERPA treatment records, not PHI).
  • Emergency department visit at a non-university hospital (PHI in the hospital’s hands; not a FERPA record).

De-Identified Data

Health information that has been de-identified according to HIPAA De-Identification Standards is not PHI and falls outside the Privacy Rule. De-identification can be achieved in two ways: (1) Expert Determination that the re-identification risk is very small, or (2) the Safe Harbor method that removes 18 categories of direct identifiers.

De-identified data can be used or disclosed without HIPAA authorization. If you need some identifiers for specific purposes, a limited data set may be used for research, public health, or health care operations under a data use agreement; note that a limited data set is not fully de-identified and is still PHI, just subject to reduced identifiers.

Two paths to compliance

  • Safe Harbor: Remove specified identifiers such as names; detailed addresses below the state level; all elements of dates (except year) related to the individual; phone, email, medical record, and account numbers; device and vehicle identifiers; URLs, IP addresses; biometric identifiers; full-face photos; and any other unique identifiers.
  • Expert Determination: A qualified expert applies accepted statistical or scientific principles and documents that the probability of re-identification is very small.
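As an added illustration (not code from the article or from Accountable), the following Python applies the Safe Harbor rules above to one constructed patient record: direct identifiers are dropped, addresses are reduced to the state, dates to the year, identifier patterns are scrubbed from free text, and, going one step beyond the list on this page, ages over 89 are collapsed into a single "90+" bucket as Safe Harbor also requires. Field names, the sample values and the `reference_year` parameter are assumptions for the example.

```python
import re

# Constructed sample record for illustration; values are not from the article.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00012345",
    "dob": "1930-03-14",
    "admit_date": "2024-11-02",
    "address": "12 Elm St, Springfield, IL 62704",
    "state": "IL",
    "phone": "555-010-0100",
    "email": "jane@example.org",
    "ip": "203.0.113.7",
    "diagnosis": "Type 2 diabetes",
    "note": "Jane Q. Sample admitted 2024-11-02; callback 555-010-0100, jane@example.org.",
}

# Safe Harbor direct identifiers dropped outright (name, record number,
# address below state level, phone, email, IP address).
DROP_FIELDS = {"name", "mrn", "address", "phone", "email", "ip"}
# Date elements other than the year are removed from these fields.
DATE_FIELDS = {"admit_date"}
# Identifier patterns that may recur inside free-text notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),            # ISO dates
    re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),            # phone numbers
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),      # email addresses
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      # IPv4 addresses
]

def safe_harbor(record, reference_year=2025):
    """Return a Safe Harbor copy of record: identifiers removed, dates reduced
    to year, free text scrubbed, ages over 89 aggregated into '90+'."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key == "dob":
            continue  # dob is handled separately below
        out[key + "_year" if key in DATE_FIELDS else key] = (
            int(value[:4]) if key in DATE_FIELDS else value)
    if "dob" in record:
        age = reference_year - int(record["dob"][:4])
        out["age"] = "90+" if age > 89 else age
        if age <= 89:           # a birth year would reveal an age over 89
            out["birth_year"] = int(record["dob"][:4])
    if "note" in out:           # scrub literal identifiers, then patterns
        note = out["note"]
        for key in DROP_FIELDS:
            if record.get(key):
                note = note.replace(record[key], "[REDACTED]")
        for pattern in FREE_TEXT_PATTERNS:
            note = pattern.sub("[REDACTED]", note)
        out["note"] = note
    return out
```

Free-text scrubbing by pattern is a floor, not a guarantee; notes still need review before a dataset is treated as de-identified.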

Examples

  • Dataset of hospital stays showing counts by condition and year only (de-identified, not PHI).
  • Analytics feed where an expert certifies minimal re-identification risk (de-identified, not PHI).
  • Limited data set with city, state, ZIP, and dates shared under a data use agreement (still PHI, but with reduced identifiers).

Non-Covered Entities

HIPAA applies to covered entities (health plans, most providers, and clearinghouses) and their business associates. If an organization is neither—and is not acting on behalf of a covered entity—HIPAA typically does not apply. In those cases, other frameworks (consumer protection, state privacy laws) may govern, but the HIPAA Privacy Rule does not.

Always ask whether the organization is a covered entity or a business associate. If not, the information it holds, even if health-related, is not PHI under HIPAA.

Common non-covered entities

  • Life insurers, employers acting as employers, many fitness apps and wearables offered direct-to-consumer.
  • Schools (for their FERPA records), law enforcement agencies, financial institutions handling payment data.
  • Direct-to-consumer genetic testing companies and wellness platforms not operating for a covered entity.

Edge cases

  • If a tech vendor processes data for a hospital or plan under a business associate agreement, HIPAA applies.
  • When you, as an individual, share your own health information (for example, posting online), HIPAA does not apply to your disclosure.

Incidental Uses and Disclosures

Incidental disclosures are permissible when they are a byproduct of an otherwise permitted use or disclosure, provided you implement reasonable safeguards and adhere to the minimum necessary standard. HIPAA does not expect absolute secrecy in dynamic care settings, but it does require sensible protections.

Incidental does not excuse sloppy practices. If a disclosure stems from a failure to use reasonable safeguards, it is not incidental and may be a violation.

Permitted incidental examples

  • A visitor overhears a patient’s name being called in a waiting room.
  • A passerby glimpses a patient’s name on a sign-in sheet limited to necessary information.
  • Clinicians speaking quietly at a nursing station where others might overhear snippets.

Not incidental

  • Leaving detailed charts openly viewable or discussing cases loudly in public areas.
  • Emailing PHI without encryption where required by policy.
  • Sharing more than the minimum necessary for a non-treatment purpose.

Safeguards

  • Use privacy screens, low voices, and need-to-know access controls.
  • Configure paging and whiteboards to minimize identifiers.
  • Apply minimum necessary for non-treatment disclosures.

Public Interest and Benefit Activities

The Privacy Rule permits certain disclosures without authorization for specific public and institutional needs. These are not “free-for-all” exceptions: each has conditions, documentation, and scope limits. This is where the Public Health Exception, Law Enforcement Inquiry Compliance, and research pathways often appear.

For research without authorization, an Institutional Review Board or a Privacy Board Waiver can permit use/disclosure when criteria are met, including minimal risk to privacy and impracticability of obtaining authorization.

Common scenarios

  • Public health activities: reporting certain diseases, adverse events, or exposure under the Public Health Exception.
  • Health oversight: audits, investigations, or inspections by oversight agencies.
  • Judicial/administrative proceedings: responding to court orders or subpoenas with required safeguards.
  • Law enforcement: limited disclosures for Law Enforcement Inquiry Compliance (for example, locating a suspect or responding to a court order), subject to strict conditions.
  • To avert a serious threat to health or safety: consistent with applicable law and standards of ethical conduct.
  • Decedents: certain disclosures to coroners/medical examiners; PHI protections end 50 years after death.
  • Organ, eye, or tissue donation: to procurement organizations.
  • Workers’ compensation: as authorized by workers’ compensation laws.
  • Research: with individual authorization, or without authorization under an IRB or Privacy Board Waiver; a limited data set with a data use agreement may also be used.

Documentation essentials

  • Verify legal authority (for example, specific statute, court order, or IRB/Privacy Board documentation).
  • Limit information to what is required (minimum necessary where applicable).
  • Recordkeeping: maintain disclosures as required by policy and regulation.

Health Information Shared Outside the U.S.

HIPAA does not stop at the water’s edge: if a covered entity or its business associate stores, processes, or transmits PHI outside the United States, HIPAA still applies to that entity. Cross-border vendors typically need a business associate agreement and appropriate safeguards.

However, information handled entirely by a non–U.S. organization that is neither a covered entity nor a business associate is generally outside HIPAA. The act of crossing a border does not create HIPAA coverage; the status and role of the entity do.

What’s not covered

  • Data collected by a foreign health app that is not acting for a covered entity (not PHI under HIPAA).
  • Health details you voluntarily send to family abroad or post on social media (your disclosure, not HIPAA-regulated).
  • Employer-held copies of medical notes used for HR decisions, even if the employer is multinational (employment records, not PHI).

Good practices for cross-border PHI

  • Use business associate agreements with offshore vendors handling PHI.
  • Apply encryption and access controls; document data flows and locations.
  • Confirm that foreign subcontractors meet the same safeguard obligations as domestic ones.

FAQs

What types of records are excluded from HIPAA coverage?

Key exclusions include: (1) employment records held by an employer in its role as employer; (2) education records and certain student treatment records governed by FERPA; and (3) de-identified health information that meets HIPAA De-Identification Standards. Information held by non-covered entities (organizations that are neither covered entities nor business associates) is also not PHI under HIPAA. Additionally, PHI protections for decedents end 50 years after death.

When can PHI be disclosed without authorization?

HIPAA permits disclosures without authorization for treatment, payment, and health care operations; to the individual; as incidental to a permitted disclosure with safeguards; and for specified public interest and benefit activities. Examples include public health reporting, health oversight, certain court orders and subpoenas, Law Enforcement Inquiry Compliance within defined limits, organ and tissue donation, workers’ compensation, and to avert a serious threat. PHI may also be used for research under Institutional Review Board approval or a Privacy Board Waiver, or disclosed as a limited data set under a data use agreement.

How does HIPAA handle de-identified health information?

De-identified data are not PHI and are outside the Privacy Rule. You can de-identify by removing the Safe Harbor identifiers or through Expert Determination documenting a very small risk of re-identification. If you need some identifiers (for example, dates, city, ZIP), a limited data set with a data use agreement can be used for research, public health, or health care operations, but it remains PHI and is not fully de-identified.

What protections exist for psychotherapy notes under HIPAA?

Psychotherapy Notes Protection is robust. Psychotherapy notes—separately maintained notes that analyze the content of private counseling sessions—are excluded from the patient’s right of access and generally require a specific authorization for use or disclosure. Limited exceptions apply, such as use by the originator for treatment, training programs, defending legal actions, and certain disclosures required by law or needed to prevent a serious threat. Routine treatment, payment, and operations do not justify using or disclosing psychotherapy notes without that specific authorization.
