Is a PHR a Covered Entity Under HIPAA? Requirements Explained
PHR Definition
A personal health record (PHR) is a consumer-controlled record of health information that you create, manage, and share. It can live in a mobile app, cloud account, or web portal and often aggregates data from you, your devices, and—when you choose to connect them—your clinicians.
Unlike an electronic health record (EHR) maintained by a provider, a PHR is typically maintained by you or a consumer technology company. When a PHR receives information from a provider or health plan, that information may be Protected Health Information if it is handled by a HIPAA-regulated party, but the same data in a standalone consumer app may fall outside HIPAA.
- What a PHR may store: medications, labs, vitals, device data, care plans, immunizations, and notes you enter yourself.
- Common uses: tracking conditions, coordinating care, and sharing snapshots of your record with family or clinicians.
HIPAA Applicability
Short answer: a PHR is not, by itself, a HIPAA covered entity. HIPAA Covered Entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. HIPAA applies based on who holds and uses the information—not the technology label “PHR.”
When a PHR is offered by or on behalf of a covered entity (for example, a hospital’s patient portal or an insurer’s member app), information in that PHR is Protected Health Information and the HIPAA Privacy, Security, and Breach Notification Rules apply. Your rights and the organization’s duties are then defined by HIPAA.
By contrast, if you use a direct-to-consumer PHR that operates independently from any provider or health plan, HIPAA generally does not apply to that app. Simply transmitting your records at your direction to a consumer app does not automatically make the app a HIPAA-regulated party.
Non-HIPAA PHRs
PHRs outside HIPAA still handle sensitive health data and are governed by their own privacy notices, state privacy laws, and consumer protection rules. You should look for clear disclosures about what is collected, how it is used, and who it is shared with.
- Core expectations: transparent notices, meaningful consent for sensitive uses, data minimization, and strong security (encryption, authentication, and access controls).
- Accountability: internal governance, vendor oversight, and clear user controls to access, export, and delete data where required.
- Health Privacy Compliance programs should map data flows, restrict third-party tracking technologies, and document risk assessments.
Business Associates and PHR Vendors
A PHR vendor becomes a HIPAA Business Associate when it creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity or provides services that require routine access to PHI. In these cases, a Business Associate Agreement (BAA) must be in place before PHI flows.
- Typically a Business Associate: a vendor powering a provider’s patient portal; a remote patient monitoring platform contracted by a clinic; a cloud service that stores a health plan’s member PHR data.
- Typically not a Business Associate: a direct-to-consumer PHR that you choose and use independently of any covered entity relationship.
- Conduit caveat: the conduit exception is narrow and covers only transmission-only services (such as ISPs or couriers) whose access to PHI is transient and incidental; persistent storage or routine access usually requires a BAA.
- BA obligations under HIPAA include safeguarding PHI, limiting use and disclosure, reporting breaches to the covered entity, flowing down protections to subcontractors, and complying with the Security Rule and applicable Privacy Rule provisions.
FTC Health Breach Notification Rule
The FTC’s Health Breach Notification Rule applies to vendors of Personal Health Records, PHR-related entities, and their service providers when they are not covered by HIPAA. It requires notice following a breach of unsecured PHR identifiable health information, which can include unauthorized disclosures—not just hacking incidents.
- Who must notify: PHR vendors and related entities notify affected individuals and the FTC; service providers notify their PHR clients.
- What to include: descriptions of the incident, the types of data involved, steps individuals can take, and what the company is doing to secure data.
- Timing matters: the rule sets strict deadlines. Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach; under the rule as amended in 2024, breaches involving 500 or more individuals must be reported to the FTC on that same timeline, while smaller breaches may be reported annually.
If your product is outside HIPAA but processes health data, expect the Health Breach Notification obligations to apply alongside state privacy requirements.
State Privacy Laws Affecting PHRs
Several states regulate consumer health data even when HIPAA does not apply. These laws often treat health data as “sensitive,” require consent for certain processing or sharing, and impose detailed notices and contractual controls with vendors.
- California: the Confidentiality of Medical Information Act (CMIA) protects “medical information” and can reach certain consumer-facing services that maintain such information, in addition to the broader California privacy law framework for sensitive data.
- Washington: the My Health My Data Act places consent, disclosure, and geofencing restrictions on consumer health data, with strong enforcement tools.
- Nevada: consumer health data law mandates notices, consent for sales, data processing agreements, and restrictions on sharing.
- Colorado and others: comprehensive privacy laws require opt-in consent for sensitive data, data protection assessments, and user rights to access and delete.
Bottom line: most PHRs are not HIPAA Covered Entities. A PHR tied to a provider or health plan will bring HIPAA (and a Business Associate Agreement for vendors), while independent PHRs face the FTC Health Breach Notification Rule and a fast-evolving patchwork of state laws. Building a robust Health Privacy Compliance program—spanning data mapping, consent, contracts, and security—keeps you aligned across these regimes.
FAQs
What makes a PHR subject to HIPAA regulations?
HIPAA applies when a PHR is offered by or on behalf of a HIPAA Covered Entity and holds PHI for that entity’s regulated functions. In that scenario, the PHR is part of the covered entity’s operations (or a Business Associate’s services), so HIPAA’s Privacy, Security, and Breach Notification Rules apply.
Are all PHR vendors considered business associates?
No. A vendor is a Business Associate only when it handles Protected Health Information for or on behalf of a covered entity or provides services that require such access. Direct-to-consumer PHR vendors that operate independently are generally not Business Associates and are not governed by HIPAA.
What are the privacy rules for non-HIPAA PHRs?
Non-HIPAA PHRs must honor their privacy notices, comply with the FTC Health Breach Notification Rule after qualifying incidents, and follow state privacy laws governing consumer health data. Expect requirements around consent, transparency, data minimization, security, and honoring access and deletion requests.
How do state laws impact PHR privacy protections?
State laws can impose additional, sometimes stricter, protections for Personal Health Records—such as consent before collecting or sharing sensitive data, limits on geofencing, detailed notice obligations, and contractual controls with processors. California’s CMIA, Washington’s My Health My Data Act, Nevada’s consumer health data law, and comprehensive privacy laws such as Colorado’s are key examples shaping PHR practices.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.