HIPAA Scope Explained: Who Is Not a Covered Entity and Why

Kevin Henry

HIPAA

January 28, 2025

9 minutes read
Understanding the Health Insurance Portability and Accountability Act (HIPAA) starts with knowing its boundaries. This guide clarifies the covered entity definition, pinpoints who is not a covered entity, and explains why that distinction matters for compliance, consumer trust, and modern health technology.

Definitions of Covered Entities

Under the HIPAA Privacy Rule, covered entities fall into three categories: health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. If an organization does not fit one of these categories, it is outside HIPAA’s direct scope and is generally a non-covered entity.

Health plans include insurers, HMOs, government programs that pay for health care, and employer-sponsored group health plans. Health care providers are covered only when they conduct HIPAA-standard electronic transactions, such as billing a health plan. Health care clearinghouses process nonstandard health information into standard formats and vice versa.

Protected health information (PHI) is individually identifiable health information created or received by a covered entity or its business associate and related to an individual’s health, care, or payment. PHI triggers HIPAA duties only when handled by covered entities or, through contract, by a business associate.

A business associate is a person or company that performs services for a covered entity involving PHI—think claims processing, analytics, cloud hosting, or patient communications. Business associates are not covered entities, but they must follow HIPAA via a Business Associate Agreement (BAA). This distinction is central to understanding who is and is not a covered entity.

Examples of Non-Covered Entities

Many organizations that handle health-related data are non-covered entities because they do not meet HIPAA’s covered entity definition and are not acting as a business associate. Common examples include:

  • Consumer health and wellness apps that you download directly (e.g., fitness, fertility, meditation, nutrition) when they are not working on behalf of a provider or health plan.
  • Wearables and device makers that collect activity, sleep, or heart-rate data for personal use rather than for a covered entity.
  • Employers in their role as employers (HR files, workplace accommodations, and drug testing records are not PHI), though an employer’s group health plan is a covered entity.
  • Life, disability, auto, and workers’ compensation insurers; they are not health plans under HIPAA, even though they may lawfully receive health information through authorizations or state laws.
  • Schools and school nurses whose student records are governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.
  • Direct-to-consumer genetic testing companies, unless they are a business associate to a covered entity for a particular program.
  • Personal injury law firms, third-party litigation support vendors, and expert witnesses handling medical records outside a business associate relationship.
  • Marketing technology platforms, ad networks, and data brokers that collect health-related signals but do not act for a covered entity.
  • Scheduling, teleconferencing, or messaging tools used by providers without a BAA; in such setups, the vendor remains a non-covered entity while the provider bears HIPAA risk.

Non-covered entities are not directly regulated by HIPAA. That does not mean “no rules.” They face obligations under consumer protection laws (for deceptive or unfair practices), state privacy statutes, data breach notification laws, and contracts. If a non-covered entity misrepresents its practices or mishandles sensitive data, regulators can still act.

The Federal Trade Commission Health Breach Notification Rule applies to vendors of personal health records and related entities that are not subject to HIPAA. If they experience a qualifying breach, they must notify affected individuals and regulators. This rule has become especially relevant to standalone health apps and wearables.

Becoming a business associate changes everything. Once a non-covered entity signs a BAA and receives PHI on behalf of a covered entity, HIPAA applies to that PHI. The organization must implement required safeguards, limit uses and disclosures, and support individual rights, all as specified in the HIPAA Privacy Rule and related security and breach rules.

Comparison of HIPAA and Other Privacy Laws

HIPAA vs. FERPA

HIPAA and the Family Educational Rights and Privacy Act cover different records. FERPA governs student education records held by schools that receive U.S. Department of Education funds. In that setting, student health and immunization records maintained by the school are typically FERPA records, not PHI, so HIPAA does not apply. This is why most K–12 school health records fall outside HIPAA.

HIPAA vs. the FTC Health Breach Notification Rule

HIPAA covers PHI held by covered entities and business associates. The Federal Trade Commission Health Breach Notification Rule covers certain non-HIPAA vendors that maintain personal health records for consumers. When those vendors suffer a qualifying breach, they must notify consumers and the FTC, even though HIPAA does not apply to them.

HIPAA vs. State Consumer Privacy Laws

State laws such as comprehensive consumer privacy statutes can apply to health-related personal information outside HIPAA. These laws often grant rights to access, delete, or opt out of targeted advertising and impose data minimization and security duties. PHI is usually exempt because HIPAA already governs it, but the same data collected outside a HIPAA context can be covered by state law.

HIPAA vs. Other Sectoral Laws

Other federal laws may apply in niche areas—for example, financial privacy laws for bank-held data or substance use disorder confidentiality rules for certain programs. The key takeaway is that “not HIPAA” does not equal “unregulated,” particularly when sensitive health signals are involved.

Responsibilities of Non-Covered Entities

Even when you are not a covered entity, you should adopt safeguards that reflect the sensitivity of health data and your promises to users. Clear governance builds trust and reduces regulatory risk.

  • Be transparent: publish accurate, plain-language privacy notices that match reality. Avoid vague terms about sharing with “partners”.
  • Limit collection and sharing: gather only what you need, turn off unnecessary SDKs and tracking pixels by default, and prohibit downstream reidentification.
  • Secure the data: encrypt in transit and at rest, enforce strong authentication, segment environments, and monitor for anomalous access.
  • Respect user choices: honor opt-outs from targeted advertising and sensitive data processing where state law requires, and document request workflows.
  • Plan for incidents: maintain an incident response plan that covers state breach laws and the FTC Health Breach Notification Rule if it applies to your product.
  • Vet vendors: perform diligence, require data protection terms, and sign a BAA if you begin handling PHI for a covered entity.
  • Minimize retention: define retention schedules and delete data that no longer serves a legitimate purpose.
  • De-identify thoughtfully: use robust techniques and guard against re-linkage when sharing or analyzing datasets.

Impact on Consumer Health Technology

As health and wellness features spread across phones, wearables, and smart homes, the line between PHI and consumer health data can blur. If your app connects directly to a patient’s provider portal under a BAA, you are likely a business associate handling PHI. If the same app is used solely by consumers without a provider relationship, you are a non-covered entity and HIPAA does not apply—yet the data remains highly sensitive.

Design choices matter. Embedding advertising SDKs, using cross-site tracking, or sharing granular location can create regulatory risk and erode user trust. Conversely, privacy-by-design, local processing, and clear in-product controls can differentiate your product and reduce exposure under state privacy laws and the FTC Act.

Interoperability introduces additional nuance. When you enable data imports from EHRs or payers, confirm whether PHI is involved and whether a BAA is required. Map data flows so you can explain what is HIPAA-covered, what is consumer data, and how each category is protected.

Enforcement and Compliance Considerations

HIPAA is enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights. The HIPAA framework uses tiered civil penalties and requires corrective action plans tailored to risk. For non-covered entities, the FTC and state attorneys general can enforce against unfair or deceptive practices, improper disclosures, and failures to provide required notices after a breach.

Practical compliance comes down to documentation and accountability. Keep a current data map, perform regular risk assessments, train staff, and test incident response. Monitor your public promises against actual data flows to prevent misrepresentation. If your role changes—say you sign a BAA—update policies, security controls, and vendor contracts to meet HIPAA standards for PHI.

Conclusion

HIPAA’s scope is precise: it binds covered entities and, by contract, their business associates. Many organizations that handle health-related data are non-covered entities, but they still face meaningful duties under the HIPAA-adjacent landscape—the HIPAA Privacy Rule framework, the Federal Trade Commission Health Breach Notification Rule, FERPA for schools, and modern state privacy laws. Knowing where you stand helps you protect users and build a defensible compliance program.

FAQs

Who is exempt from being a covered entity under HIPAA?

“Exempt” isn’t the best term. HIPAA simply applies to health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Organizations outside those categories—and not acting as a business associate for a covered entity—are not covered entities and are generally outside HIPAA’s direct scope.

What types of organizations are considered non-covered entities?

Common non-covered entities include consumer health apps and wearables used outside a provider relationship, employers in their role as employers, life and disability insurers, schools governed by FERPA, direct-to-consumer genetic testing companies, marketing and ad-tech vendors, data brokers, and law firms handling medical records outside a business associate arrangement.

How does HIPAA differ from FERPA in protecting health information?

HIPAA protects PHI held by covered entities and their business associates. FERPA protects student education records, including most school health records, at institutions that receive federal education funds. When FERPA applies to a record, HIPAA does not, which is why K–12 student health files are generally not PHI.

Are consumer health apps regulated by HIPAA?

Usually no. A consumer health app becomes subject to HIPAA only when it acts as a business associate to a covered entity and receives PHI under a BAA. Otherwise, it is a non-covered entity, but it can still be regulated by the FTC Act, the Federal Trade Commission Health Breach Notification Rule, and state consumer privacy laws.
