HIPAA: What It Protects and What It Doesn’t
HIPAA sets a national baseline for health privacy in the United States. It defines what counts as protected health information (PHI), who must safeguard it, and when it can be used or disclosed.
This guide explains the HIPAA Privacy and Security Rules, responsibilities for covered entities, the scope and limits of PHI, how state laws interact with HIPAA, and specific protections for genetic and reproductive health data.
HIPAA Privacy Rule Protections
The Privacy Rule governs how covered entities use and disclose PHI and what rights you have over your information. PHI includes data about your health status, care, or payment that can identify you, whether it is on paper, spoken, or stored electronically.
- Permitted uses without your authorization include treatment, payment, and health care operations, plus limited public interest purposes subject to strict conditions.
- The “minimum necessary” standard requires limiting uses and disclosures to the least amount needed for the purpose.
- You have rights to access, obtain copies, and request amendments to records in the designated record set, to request restrictions, to receive confidential communications, and to get an accounting of certain disclosures.
- Covered entities must provide a Notice of Privacy Practices explaining how your PHI is used and your rights.
While HIPAA focuses on privacy, other laws address discrimination based on health information in employment or insurance contexts. Together, these regimes aim to reduce privacy harms and unfair treatment.
HIPAA Security Rule Safeguards
The Security Rule applies to electronic protected health information and requires safeguards that ensure confidentiality, integrity, and availability. It is technology-neutral so organizations can tailor controls to their environment.
- Administrative safeguards: security risk analysis and risk management, workforce training, contingency plans, and vendor oversight.
- Physical safeguards: facility access controls, device and media controls, and workstation security.
- Technical safeguards: unique user identification and access control, audit controls, integrity protections, person or entity authentication, and transmission security (such as encryption in transit), with encryption at rest applied where appropriate.
Effective programs document decisions, monitor for incidents, and continuously improve controls as systems and threats evolve.
Covered Entities and Their Responsibilities
Covered entities include health plans, health care clearinghouses, and providers who conduct certain electronic transactions. Business associates that handle PHI for them must also comply through contracts and direct obligations.
Core compliance tasks for covered entities include adopting policies, training staff, managing role-based access, executing business associate agreements, performing periodic security risk analysis, and applying sanctions for violations. They must mitigate improper disclosures and provide required breach notifications when PHI is compromised.
Scope of Protected Health Information
PHI is individually identifiable health information created or received by a covered entity or business associate that relates to your past, present, or future health, care, or payment. Identifiers can include names, addresses, device IDs, and many other data points.
Your access and amendment rights center on the designated record set—medical and billing records and other records used to make decisions about you. PHI remains protected whether it is on paper, spoken, or maintained as electronic protected health information.
Data that has been properly de-identified is not PHI. Limited data sets may be shared for specific purposes under a data use agreement with direct identifiers removed.
Exclusions from HIPAA Coverage
HIPAA does not cover all health-related data. Protection generally depends on who holds the information and why.
- Consumer health apps, wearables, and websites not offered by or on behalf of a covered entity are typically outside HIPAA, even if they track sensitive metrics.
- Employment records that an employer maintains (e.g., FMLA documentation or fit-for-duty notes) are not PHI, even when they contain health information.
- Education records subject to FERPA are excluded, including most school health records.
- Records held by life insurers, workers’ compensation carriers, and many other non-covered organizations are generally outside HIPAA.
- De-identified or aggregate data falls outside HIPAA; law enforcement or court records not received from a covered entity are also typically excluded.
State Laws Complementing HIPAA
HIPAA sets a federal floor for privacy. Under state law preemption rules, more stringent state laws that give you greater privacy protections or access rights usually are not preempted and therefore control.
States may impose tighter rules on sharing mental health, HIV, substance use, or reproductive health data, create stronger breach-notification duties, or regulate the sale of health-related data by non-HIPAA companies. If an organization operates in multiple states, it must align with HIPAA and all applicable, more protective state requirements.
Protections for Genetic and Reproductive Health Data
Genetic information held by covered entities is PHI and receives the same protections as other medical data. Separate federal laws also limit discrimination based on genetic information in health insurance and employment contexts.
Reproductive health data is PHI when held by covered entities and is subject to HIPAA’s use, disclosure, and verification rules. Providers must apply the minimum necessary standard, verify the identity and authority of requesters, and follow strict pathways before responding to law enforcement or other demands. Outside the health care system, the confidentiality of reproductive health data may instead be governed by consumer privacy or state health-data laws rather than HIPAA.
Conclusion
HIPAA robustly protects PHI within the health care system through the Privacy and Security Rules, yet leaves gaps for data held outside covered entities. Understanding the scope of PHI, common exclusions, how state laws layer on top, and the special considerations for genetic and reproductive data helps you navigate your rights and risks more confidently.
FAQs
What types of information does HIPAA protect?
HIPAA protects PHI—individually identifiable information about your health, care, or payment—when it is created or received by covered entities or their business associates. It spans paper, oral, and digital formats, including electronic protected health information, and covers data used to make decisions about you in the designated record set.
What health data is excluded from HIPAA protection?
Data outside HIPAA typically includes consumer health app and wearable data not offered by a covered entity, employment records kept by an employer, education records subject to FERPA, de-identified or aggregate datasets, many insurer or benefits records outside HIPAA’s scope, and law enforcement records not obtained from a covered entity.
How does HIPAA interact with state health privacy laws?
HIPAA establishes a federal baseline. Through state law preemption, more protective state laws generally prevail, so providers and plans must follow HIPAA plus any stricter state requirements—for example, enhanced consent rules or added protections for sensitive categories like mental health or reproductive care.
What protections does HIPAA provide for genetic information?
Genetic information held by covered entities is PHI and receives full HIPAA privacy and security protections, including limits on uses and disclosures and patient rights of access and amendment. Separate federal protections also restrict discrimination based on health information, including genetic data, in certain insurance and employment settings.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.