HIPAA Protection for Social Determinants of Health (SDOH) Data: What’s Covered and How to Stay Compliant
Definition of Social Determinants of Health Data
Social Determinants of Health (SDOH) data captures nonmedical factors that shape outcomes—where you live, learn, work, and connect. It commonly spans seven themes: economic stability, education, employment, food access, housing stability and quality, transportation, and social or community context.
In practice, SDOH data includes details such as housing insecurity, utility shutoff risk, income range, food or transportation needs, caregiving burden, language preference, immigration or veteran status, and digital access. You might collect it through screening tools, care management notes, referral platforms, or patient-reported information, and you may enrich it with neighborhood-level indices.
Distinguish between individual-level and aggregate SDOH. Individual SDOH paired with a person’s record can affect care plans and risk models. Aggregate SDOH (for example, census-tract deprivation scores) guides population analytics, but by itself is generally not linked to a specific person.
HIPAA Coverage of SDOH Data
Not every SDOH element is automatically regulated by HIPAA. Coverage turns on whether SDOH is Individually Identifiable Health Information (IIHI) that a covered entity or its business associate creates, receives, maintains, or transmits, and whether it can reasonably identify the individual.
When SDOH becomes Protected Health Information
- SDOH appears in a medical record, care management platform, or claims file held by a covered entity (provider, health plan, clearinghouse) and can identify a person.
- SDOH is created or handled by a business associate on behalf of a covered entity under Business Associate Agreements (BAAs).
- SDOH relates to the individual’s health condition, the provision of care (including care coordination), or payment, and there is a reasonable basis to identify the individual—making it Protected Health Information (PHI).
When SDOH is not PHI
- Aggregate, de-identified SDOH used for population analytics with no reasonable re-identification risk.
- Individual SDOH held solely by a community organization that is neither a covered entity nor a business associate and not acting for a covered entity. Other laws may still apply, but HIPAA would not.
When in doubt, evaluate source, context, identifiability, and whether a BAA exists. The same housing detail may be PHI in a care plan but not PHI in an anonymized neighborhood index.
De-identification of SDOH Data
HIPAA recognizes two de-identification standards. Once data is de-identified under either path, the Privacy Rule no longer applies to that dataset; you should still manage re-identification risk through governance and contracts, because the dataset becomes PHI again the moment it is linked back to identifiable individuals.
Two methods you can use
- Safe Harbor: Remove the 18 listed identifiers of the individual and of the individual's relatives, employers, and household members: names; all geographic subdivisions smaller than a state (the initial three ZIP digits may be kept only where the area sharing those three digits contains more than 20,000 people; otherwise they become 000); all elements of dates except the year that are directly related to the individual (birth, admission, discharge, death); phone and fax numbers, email addresses, Social Security, medical record, health plan, account, and license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code. Ages over 89, and any date elements that would reveal such an age, must be aggregated into a single "90 or older" category. Safe Harbor also requires that you have no actual knowledge that the remaining information could identify the individual.
- Expert Determination: A person with appropriate statistical or scientific expertise determines that the risk of re-identification, alone or in combination with other reasonably available information, is very small, and documents the methods and results that justify that determination.
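The Safe Harbor path above is mechanical enough to automate for structured fields. The following is an added example, not code from this page or from Accountable, showing the removals applied to a constructed SDOH screening record. The field names, the record, and the set of restricted three-digit ZIP prefixes (taken from the HHS Safe Harbor guidance based on the 2000 Census) are assumptions for the example and must be verified against your own schema and current census data before use.

```python
from __future__ import annotations

import datetime as dt
from typing import Any

# Hypothetical field names for a constructed SDOH screening record; the page
# names no schema, so these are assumptions for the example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Date fields directly related to the individual: keep the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date", "screening_date"}
# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in the
# 2000 Census, per HHS Safe Harbor guidance; they must be replaced by "000".
# Assumption: verify this set against the census data current for your dataset.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code: str | None) -> str | None:
    """Return the first three ZIP digits, or '000' for a restricted prefix."""
    if not zip_code:
        return None
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: str, as_of: dt.date) -> int:
    """Whole years between an ISO date of birth and the as_of date."""
    born = dt.date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def safe_harbor(record: dict[str, Any], as_of: dt.date | str) -> dict[str, Any]:
    """Apply the Safe Harbor identifier removals to one structured record.

    Free-text fields (care notes) can carry names, addresses or other unique
    codes and must be reviewed or dropped separately; this handles structure only.
    """
    if isinstance(as_of, str):
        as_of = dt.date.fromisoformat(as_of)
    age = age_on(record["dob"], as_of) if record.get("dob") else None
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Birth year would reveal an age of 90 or over, so drop it in that case.
            if key == "dob" and age is not None and age >= 90:
                continue
            out[f"{key}_year"] = dt.date.fromisoformat(value).year
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age >= 90 else age
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-000123",
    "dob": "1931-03-15",
    "zip": "03601",
    "screening_date": "2024-05-02",
    "phone": "555-0100",
    "ip_address": "203.0.113.7",
    "housing_status": "unstable",
    "food_insecure": True,
    "income_band": "<25k",
    "language": "es",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, "2024-05-02"))
```

Run on the sample, the record comes out with only the SDOH fields, a ZIP of 000 (036 is a restricted prefix), the screening year, and an age of "90+" with the birth year dropped. Passing the code does not by itself satisfy Safe Harbor: the "no actual knowledge" condition still has to be met, and a rare SDOH combination in a tiny geography can remain identifying even with all 18 identifiers gone, which is why the practical steps later in this section matter.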
Limited Data Set for research and operations
A limited data set is not fully de-identified: it removes direct identifiers (names, street addresses, phone numbers, and similar) but may keep dates and city, state, and ZIP code. It may be used only for research, public health, or health care operations, under a Data Use Agreement that states the permitted uses, requires safeguards, and prohibits re-identifying or contacting the individuals.
Practical steps for SDOH de-identification
- Generalize sensitive fields (for example, income ranges instead of exact amounts; 3‑digit ZIP where permitted).
- Suppress rare combinations that could single out a person in small geographies.
- Test re-identification risk after linkage with external datasets, and keep a documented review cycle.
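The three practical steps above (generalize, suppress rare combinations, measure risk) can be run as one small pipeline. This is an added example, not code from this page or from Accountable; the rows, the income and age bands, and the choice of k = 3 are constructed assumptions for illustration. It generalizes exact values into bands, reports the smallest quasi-identifier cell and the number of unique rows, then suppresses rows that fall below k. Note that k-anonymity is a useful floor for a risk review, not itself a HIPAA standard; an Expert Determination would weigh it alongside what external data a recipient could link.

```python
from collections import Counter
from typing import Any

# Quasi-identifiers: fields that are not direct identifiers but, combined, can
# single out a person in a small geography. Names are assumptions for the example.
QUASI = ("zip3", "age_band", "income_band")


def income_band(amount: float) -> str:
    """Generalize an exact income to a coarse range (bands are illustrative)."""
    if amount < 25_000:
        return "<25k"
    if amount < 50_000:
        return "25k-50k"
    if amount < 100_000:
        return "50k-100k"
    return "100k+"


def age_band(age: int) -> str:
    """Ten-year age bands, top-coded at 90+ as Safe Harbor requires."""
    if age >= 90:
        return "90+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def generalize(row: dict[str, Any]) -> dict[str, Any]:
    """Replace exact age and income with bands; keep the SDOH outcome field."""
    return {
        "zip3": row["zip3"],
        "age_band": age_band(row["age"]),
        "income_band": income_band(row["income"]),
        "housing_unstable": row["housing_unstable"],
    }


def cell_sizes(rows, quasi=QUASI) -> Counter:
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def risk_report(rows, quasi=QUASI) -> dict[str, int]:
    """Cheap re-identification risk indicators to record in the review log."""
    sizes = cell_sizes(rows, quasi)
    return {
        "rows": len(rows),
        "cells": len(sizes),
        "min_cell": min(sizes.values()) if sizes else 0,
        "unique_rows": sum(1 for s in sizes.values() if s == 1),
    }


def suppress_small_cells(rows, k: int, quasi=QUASI):
    """Drop rows whose quasi-identifier combination occurs fewer than k times.

    Returns (released_rows, number_suppressed). Suppression trades data loss
    for safety; coarser generalization is the alternative when too much is lost.
    """
    sizes = cell_sizes(rows, quasi)
    kept = [r for r in rows if sizes[tuple(r[q] for q in quasi)] >= k]
    return kept, len(rows) - len(kept)


# Constructed sample after direct identifiers were removed (not real data).
RAW_ROWS = [
    {"zip3": "981", "age": 34, "income": 18_000, "housing_unstable": True},
    {"zip3": "981", "age": 37, "income": 22_000, "housing_unstable": False},
    {"zip3": "981", "age": 31, "income": 24_000, "housing_unstable": True},
    {"zip3": "981", "age": 52, "income": 61_000, "housing_unstable": False},
    {"zip3": "981", "age": 55, "income": 72_000, "housing_unstable": True},
    {"zip3": "981", "age": 58, "income": 80_000, "housing_unstable": False},
    {"zip3": "000", "age": 93, "income": 15_000, "housing_unstable": True},
    {"zip3": "981", "age": 44, "income": 150_000, "housing_unstable": False},
]


def release(rows=RAW_ROWS, k: int = 3):
    """Generalize, then suppress cells smaller than k; return rows and both reports."""
    generalized = [generalize(r) for r in rows]
    before = risk_report(generalized)
    kept, dropped = suppress_small_cells(generalized, k)
    return kept, dropped, before, risk_report(kept)


if __name__ == "__main__":
    kept, dropped, before, after = release()
    print("before:", before)
    print("after: ", after, "suppressed:", dropped)
```

On the sample, the report before suppression shows two unique rows (the 90+ resident of a restricted ZIP area and the single high earner in their age band), and after suppression the smallest remaining cell has three members. Keep the before and after reports with the dataset as the documented review record the third step calls for, and rerun them whenever the release is linked to a new external dataset.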
Understanding the HIPAA Privacy Rule
The Privacy Rule governs how you use and disclose PHI, including SDOH captured as part of care or payment. It also establishes patient rights and the “minimum necessary” standard—use or disclose only what is needed for the purpose.
Common permitted uses and disclosures (no authorization)
- Treatment, Payment, and Health Care Operations (TPO): Using SDOH for care planning, case management, prior authorization, utilization review, and quality improvement.
- Public health and oversight: Disclosures to public health authorities or oversight agencies when legally authorized.
- Research: With IRB/privacy board waiver, or via a limited data set under a Data Use Agreement.
- As required by law, for certain law enforcement or judicial processes under specified conditions.
- To avert a serious threat to health or safety, consistent with professional judgment and law.
Individual rights you must support
- Access and obtain copies of PHI; request amendments; request restrictions and confidential communications; and receive an accounting of certain disclosures.
- Provide a clear Notice of Privacy Practices that explains how SDOH PHI may be used or disclosed.
Disclosure Authorization Requirements
When a use or disclosure is not otherwise permitted, you need a valid patient authorization. It must describe the information, identify who may disclose and receive it, state the purpose, set an expiration date or event, include the individual’s signature and date, explain the right to revoke, and include redisclosure warnings as appropriate. Keep copies and honor revocations prospectively.
Ensuring Compliance with the HIPAA Security Rule
The Security Rule protects electronic PHI (ePHI). Your safeguards must be reasonable and appropriate to your risk and cover administrative, physical, and technical safeguards across every system that stores, processes, or transmits SDOH ePHI, including referral platforms and analytics environments.
Administrative Safeguards
- Conduct and document an enterprise risk analysis; implement risk management and periodic reassessment.
- Define role-based access aligned to minimum necessary; enforce workforce training, sanctions, and security awareness.
- Manage vendors with due diligence, Business Associate Agreements, and monitoring of BA performance and incidents.
- Establish contingency planning: backups, disaster recovery, and emergency operations testing.
- Maintain policies for incident response, breach risk assessment, and timely notification under the Breach Notification Rule (without unreasonable delay and no later than 60 days after discovery).
Technical Safeguards
- Strong identity and access management: unique IDs, multi-factor authentication, session timeouts, and least-privilege design.
- Audit controls and immutable logs for access, queries, and exports; continuous monitoring and alerting.
- Encryption in transit and at rest: TLS for APIs and data exchanges, disk or database encryption, and key management with separation of duties. Encryption is an addressable specification, but ePHI encrypted in line with HHS guidance is not "unsecured" PHI for breach notification purposes, which is a strong reason to implement it.
- Integrity controls: hashing, checksums, and tamper-evident storage; secure APIs with input validation.
- Network safeguards: segmentation, allowlists for data exchanges, and secure endpoints for referral platforms.
Physical Safeguards
- Facility access controls; badge logs; visitor management.
- Workstation and device protections; screen privacy; auto-lock; secure mobile and removable media.
- Media disposal and re-use procedures for drives and devices containing SDOH ePHI.
Authorized Disclosure of SDOH Data
Sharing SDOH PHI is permissible in several scenarios, but scope and process matter. If the recipient is not a covered entity or business associate—for example, a community-based organization (CBO) offering housing or nutrition services—you generally need the individual’s authorization unless a HIPAA permission or legal requirement applies.
Disclosures without authorization
- TPO: To providers and health plans for treatment coordination, payment activities, and certain operations.
- Public health/oversight and required by law: Follow statutory limits and document the basis.
- Research: With a waiver or limited data set under a Data Use Agreement.
- Serious threat or safety concerns: Consistent with law and professional judgment.
Disclosures with patient authorization
- Share SDOH PHI with CBOs, social service agencies, or housing authorities to arrange services, when you have an authorization that meets the Disclosure Authorization Requirements.
- Specify the information types (for example, housing instability status), the recipient, purpose, expiration, and revocation terms; store the authorization and honor revocations going forward.
Business associates and agreements
When a vendor screens for SDOH, manages referrals, or analyzes SDOH on your behalf, treat them as business associates and execute Business Associate Agreements. The BAA must define permitted uses/disclosures, safeguard obligations, reporting of incidents, and return or destruction of PHI at termination.
Compliance Strategies for Protecting SDOH Data
Build a clear inventory and governance
- Map all SDOH touchpoints across EHR fields, care management notes, referral portals, and data lakes; classify sensitivity and sources.
- Set data owners and a privacy review board to approve new SDOH use cases and data-sharing arrangements.
Apply privacy-by-design to SDOH workflows
- Collect only what you need; default to minimum necessary in templates, exports, and reports.
- Segment SDOH fields in access rules; require explicit justification for bulk queries or downloads.
- Automate suppression or generalization for reports leaving clinical systems; prefer limited data sets for analytics.
Strengthen vendor and data-sharing controls
- Standardize Business Associate Agreements, Data Use Agreements, and referral MOUs; verify security attestations and right-to-audit clauses.
- Use secure APIs with OAuth 2.0 and signed tokens; block personal email or unapproved cloud storage for SDOH exports.
Operationalize de-identification and monitoring
- Stand up a repeatable de-identification pipeline with Safe Harbor checklists or Expert Determination where needed.
- Continuously monitor access patterns to high-risk SDOH fields; alert on anomalies and bulk transfers.
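The audit and monitoring controls listed under Technical Safeguards, the field-level segmentation and bulk-query justification under privacy-by-design, and the monitoring item just above all come together in a detection job over the audit trail. The following is an added example, not code from this page or from Accountable, run over constructed JSON audit lines. The event schema, the role-to-field mapping, and both thresholds are assumptions; a real deployment would take them from the access policy and tune them against a baseline. It applies three rules: a role touching SDOH fields it is not allowed to read, an export of SDOH fields above the bulk threshold with no justification recorded, and one user reading SDOH fields for an unusually broad set of patients in the batch.

```python
import json
from collections import defaultdict

# SDOH fields treated as high-risk (assumed names; the page names no schema).
SDOH_FIELDS = {"housing_status", "food_insecure", "income_band", "immigration_status"}
# Role-based segmentation: which roles may read SDOH fields at all (assumption).
ROLE_ALLOWED = {
    "care_manager": SDOH_FIELDS,
    "clinician": SDOH_FIELDS,
    "billing": set(),
    "analyst": set(),
}
BULK_EXPORT_THRESHOLD = 50   # patients per export before a justification is required
BREADTH_THRESHOLD = 20       # distinct patients per user in the batch being analysed

# Constructed audit events, one JSON object per line (not real logs).
LOG_LINES = [
    '{"ts":"2024-05-02T09:01:00Z","user":"cm_alice","role":"care_manager","action":"read","patient":"p001","fields":["housing_status","food_insecure"]}',
    '{"ts":"2024-05-02T09:05:00Z","user":"bill_01","role":"billing","action":"read","patient":"p002","fields":["account_balance","housing_status"]}',
    '{"ts":"2024-05-02T09:10:00Z","user":"cm_alice","role":"care_manager","action":"export","patient_count":500,"fields":["housing_status","income_band"]}',
    '{"ts":"2024-05-02T09:12:00Z","user":"cm_alice","role":"care_manager","action":"export","patient_count":500,"fields":["housing_status"],"justification":"TICKET-4711 quarterly housing referral run"}',
    '{"ts":"2024-05-02T09:20:00Z","user":"bill_01","role":"billing","action":"read","patient":"p003","fields":["account_balance"]}',
] + [
    json.dumps({"ts": f"2024-05-02T10:{i:02d}:00Z", "user": "cm_bob", "role": "care_manager",
                "action": "read", "patient": f"p{100 + i}", "fields": ["immigration_status"]})
    for i in range(25)
]


def detect_sdoh_misuse(lines):
    """Apply three rules to a batch of audit lines and return alert dicts.

    The batch is treated as one window; a production job would slide a time
    window over the stream instead of scoring the whole file at once.
    """
    alerts = []
    patients_per_user = defaultdict(set)
    for line in lines:
        e = json.loads(line)
        touched = set(e.get("fields", [])) & SDOH_FIELDS
        if not touched:
            continue   # only SDOH access is in scope for these rules
        allowed = ROLE_ALLOWED.get(e["role"], set())
        if not touched <= allowed:
            alerts.append({"rule": "role_violation", "user": e["user"],
                           "fields": sorted(touched - allowed), "ts": e["ts"]})
        if (e["action"] == "export"
                and e.get("patient_count", 0) > BULK_EXPORT_THRESHOLD
                and not e.get("justification")):
            alerts.append({"rule": "bulk_export_without_justification", "user": e["user"],
                           "patient_count": e["patient_count"], "ts": e["ts"]})
        if "patient" in e:
            patients_per_user[e["user"]].add(e["patient"])
    for user, patients in patients_per_user.items():
        if len(patients) > BREADTH_THRESHOLD:
            alerts.append({"rule": "unusual_breadth", "user": user, "patients": len(patients)})
    return alerts


if __name__ == "__main__":
    for alert in detect_sdoh_misuse(LOG_LINES):
        print(alert)
```

On the sample batch this raises exactly three alerts: the billing user reading housing_status, the 500-patient export with no justification (the second export, which carries a ticket reference, passes), and cm_bob's reads across 25 distinct patients. The billing read of account_balance alone is ignored because it touches no SDOH field. For these alerts to be trustworthy, the log source itself has to be append-only and outside the control of the users it records, which is the point of the "immutable logs" item above.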
Educate the workforce and measure
- Train staff on SDOH sensitivity, cultural humility, “minimum necessary,” and secure referral practices.
- Track metrics: BAA coverage, risk findings closed, data-sharing reviews completed, and incident response times.
FAQs
What types of SDOH data are protected under HIPAA?
SDOH becomes PHI when it is Individually Identifiable Health Information maintained by a covered entity or business associate and relates to health, care, or payment. Examples include housing instability noted in an EHR, food insecurity captured in a care plan, or transportation needs stored in a referral system linked to a patient.
How can covered entities de-identify SDOH data?
Use HIPAA’s Safe Harbor by removing 18 direct identifiers (with rules for ZIP codes, dates, and ages 90+) or rely on Expert Determination to show very small re-identification risk. For research and operations, consider a limited data set with a Data Use Agreement, which removes direct identifiers but permits dates and broader geography.
When is disclosure of SDOH data allowed without patient authorization?
Disclosures are permitted for treatment, payment, and health care operations; for public health and oversight; when required by law; to avert a serious threat; and for research with a waiver or via a limited data set. Otherwise—particularly when sharing with non‑covered community organizations—you generally need an authorization that satisfies HIPAA’s Disclosure Authorization Requirements.
What are best practices for HIPAA compliance with SDOH data?
Inventory SDOH sources, classify sensitivity, and enforce minimum necessary access. Execute Business Associate Agreements with vendors, apply Administrative Safeguards, and encrypt ePHI across systems. Use standardized de-identification or limited data sets for secondary use, monitor access and exports, educate staff, and document decisions in governance records.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.