Is HIPAA Universal? Where It Applies and Where It Doesn't
HIPAA Applicability to Covered Entities
HIPAA is a U.S. federal law that applies to specific organizations called Covered Entities and to certain partners that handle Protected Health Information. It is not universal; it applies only when defined roles, activities, and data types are involved.
Covered Entities include three groups: health plans, healthcare clearinghouses, and healthcare providers that conduct standard Electronic Health Transactions. If a provider never transmits standardized electronic claims, eligibility checks, or referrals, HIPAA may not apply to that provider, though in practice most modern providers do transmit them.
- Health plans: insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans.
- Healthcare clearinghouses: entities that translate nonstandard health data to standard formats and vice versa.
- Healthcare providers: clinicians, hospitals, labs, and pharmacies that transmit standard Electronic Health Transactions.
The HIPAA Privacy Rule governs how these entities use and disclose Protected Health Information (PHI), while the Security Rule sets safeguards for electronic PHI (ePHI). Together they establish baseline national standards for privacy, security, and permissible data flows.
Role of Business Associates
Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. Common examples include cloud hosting providers, billing firms, EHR vendors, telehealth platforms, and analytics consultants.
Business Associates must sign a business associate agreement (BAA) that binds them to Privacy and Security Rule obligations. Their subcontractors who handle PHI are also Business Associates and must accept equivalent protections downstream.
Key responsibilities include implementing technical, administrative, and physical safeguards, limiting uses to those allowed by the BAA, and providing breach notification. When a vendor does not touch PHI—or handles only De-identified Information—it typically is not a Business Associate.
Exemptions from HIPAA Coverage
Many organizations that handle health-related details do not fall under HIPAA. Coverage turns on who you are acting for and what data you process, not merely whether the information is “about health.”
- Employers: the company itself is not a Covered Entity, even if it pays for benefits; however, its group health plan is.
- Life insurers, auto insurers, and workers’ compensation carriers: generally outside HIPAA, though Covered Entities may disclose PHI to them as permitted by law.
- Schools and school districts: education records are usually governed by FERPA, not HIPAA.
- Consumer apps and devices: wellness apps, wearables, and direct-to-consumer services are often not subject to HIPAA unless they act for a Covered Entity as a Business Associate.
- Financial institutions, gyms, and many health websites: typically not Covered Entities or Business Associates.
Information that is properly de-identified under HIPAA is not PHI and can be used or disclosed outside HIPAA’s restrictions. A Limited Data Set, which still contains certain indirect identifiers, may be shared for research, public health, or operations under a data use agreement.
HIPAA and Personal Health Information
Protected Health Information is individually identifiable health information created or received by a Covered Entity or its Business Associate. It relates to a person’s condition, care, or payment and can exist in any form—paper, electronic, or oral.
Not all personal health information is PHI. If you enter fitness data into a consumer app that is not acting for your clinician or health plan, that data may be outside HIPAA even though it concerns your health. Other laws or the app’s policies may still protect it, but HIPAA would not apply.
De-identified Information and limited identifiers
HIPAA recognizes two de-identification methods: expert determination and safe harbor removal of specified direct identifiers. Once data is de-identified, it is no longer PHI. If only a Limited Data Set is shared, recipients must follow a data use agreement that restricts purpose and prohibits re-identification.
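The difference between the two data shapes this section describes is easiest to see on a record. The Python below is an added example (my code, not the article's or Accountable's): it applies a schematic Safe Harbor transform, which drops direct identifiers and generalizes dates, ages and ZIP codes, and a Limited Data Set transform, which drops the same direct identifiers but keeps dates and city/state/ZIP, to a constructed patient record. The field names, the note-scrubbing patterns and the small-population ZIP lookup are assumptions; the identifier handling follows the Safe Harbor method's categories as published in the rule, which the article itself does not enumerate.

```python
"""Added example, not code from the article or from Accountable: a schematic
Safe Harbor de-identification next to a Limited Data Set transform, run on a
constructed patient record. Field names and the small-ZIP lookup are assumptions."""
import re
from datetime import date

# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0042-XYZ",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "phone": "555-0100",
    "dob": "1931-06-15",
    "service_date": "2023-11-02",
    "zip": "03601",
    "city": "Walpole",
    "state": "NH",
    "diagnosis": "I10",
    "note": "Patient Jane called 555-0100 on 2023-11-02.",
}

# Direct identifiers removed under both methods. Safe Harbor's full list has
# 18 categories; these are the ones this toy record carries (assumed schema).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone"}

# Assumed lookup: three-digit ZIP prefixes covering 20,000 people or fewer,
# which Safe Harbor requires to be reported as 000. "036" is a placeholder
# entry, not a real census figure.
SMALL_POPULATION_ZIP3 = {"036"}

# Illustrative free-text patterns for the note field; not exhaustive.
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def age_on(dob: str, as_of: date) -> int:
    """Whole years between an ISO date of birth and `as_of`."""
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def scrub_note(note: str, name: str, keep_dates: bool) -> str:
    """Replace name tokens and phone numbers in free text; dates only when asked."""
    for token in name.replace(".", "").split():
        if len(token) > 2:  # skip initials such as "Q"
            note = note.replace(token, "[NAME]")
    note = PHONE_RE.sub("[PHONE]", note)
    if not keep_dates:
        note = DATE_RE.sub("[DATE]", note)
    return note


def limited_data_set(record: dict) -> dict:
    """Limited Data Set: direct identifiers out, dates and city/state/ZIP kept.
    It is still PHI and may only be shared under a data use agreement."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["note"] = scrub_note(record["note"], record["name"], keep_dates=True)
    return out


def safe_harbor(record: dict, as_of: date = date(2024, 1, 1)) -> dict:
    """Safe Harbor: direct identifiers out, dates reduced to year, ages over 89
    collapsed to "90+" with birth year dropped, ZIP truncated to three digits
    (000 for small areas), geography below state removed, free text scrubbed."""
    out = limited_data_set(record)
    age = age_on(record["dob"], as_of)
    out.pop("dob")
    out["age"] = "90+" if age > 89 else age
    out["birth_year"] = None if age > 89 else record["dob"][:4]
    out["service_date"] = record["service_date"][:4]
    zip3 = record["zip"][:3]
    out["zip"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
    out.pop("city")
    out["note"] = scrub_note(record["note"], record["name"], keep_dates=False)
    return out


def leaks_direct_identifier(record: dict) -> bool:
    """Release gate: does any direct identifier field survive in the output?"""
    return any(k in record for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
    print(limited_data_set(SAMPLE_RECORD))
```

The sample record is deliberately a 92-year-old in a small ZIP area, so the Safe Harbor output shows both the 90+ age bucket (with the birth year dropped) and the 000 ZIP substitution; the Limited Data Set output keeps the service date and city because a data use agreement, not field removal, is what restricts its use and forbids re-identification.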
Core Privacy Rule principles
- Minimum Necessary: use, access, and disclose only what is reasonably needed.
- Individual rights: access, amendments, and an accounting of certain disclosures.
- Administrative requirements: policies, workforce training, and safeguards for PHI and ePHI.
Employment Records and HIPAA
Employment records held by an employer are not PHI, even if they contain health information. Examples include FMLA certifications, ADA accommodations, and drug test results maintained by the employer in its role as employer.
However, an employer’s group health plan is a Covered Entity. If the employer sponsors a self-insured plan, HIPAA requires firewalls and plan documents to limit employer access to PHI. Benefits staff may handle PHI on behalf of the plan, while HR files used for personnel decisions remain outside HIPAA but may be protected by other laws.
Onsite clinics can be Covered Entities if they provide healthcare services and transmit standard Electronic Health Transactions. In that case, clinic records are PHI, but separate HR files maintained by the employer are still not PHI.
Legal and Governmental Scope
HIPAA is U.S. federal law and applies within the United States and its territories. It does not create global obligations like the EU’s GDPR, but Covered Entities and Business Associates remain subject to HIPAA even if they store or process ePHI abroad.
Disclosures are allowed without authorization in limited situations, such as public health reporting, certain law enforcement requests, or when required by law or court orders. Each permitted disclosure has conditions and must adhere to the Minimum Necessary standard where applicable.
Enforcement is led by the U.S. Department of Health and Human Services Office for Civil Rights, with potential civil penalties and, in egregious cases, criminal liability. Risk analyses, Security Rule safeguards, and documented policies are central to demonstrating compliance.
State Laws and Additional Privacy Protections
HIPAA sets a federal “floor” of privacy protections. More protective State Privacy Regulations are not preempted and continue to apply. Covered Entities must therefore navigate both HIPAA and stricter state rules.
States often impose heightened protections for mental health, HIV/AIDS, genetic data, reproductive health, and minors’ records. Some states also have comprehensive consumer privacy laws that may cover health-related data outside HIPAA’s scope, affecting consumer apps and data brokers.
When both HIPAA and state law apply, entities must follow the rule that gives individuals greater privacy protection. Clear data inventories and purpose-based policies help ensure correct routing under overlapping regimes.
FAQs
Does HIPAA apply to all healthcare providers?
No. A provider becomes a Covered Entity when it conducts standard Electronic Health Transactions, such as submitting electronic claims or eligibility checks. Most do, so HIPAA commonly applies, but a provider that never performs standard electronic transactions may fall outside HIPAA while still being subject to state laws and professional ethics.
Who qualifies as a business associate under HIPAA?
A Business Associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity, including subcontractors that handle PHI. Typical examples are billing services, IT hosting, EHR vendors, telehealth platforms, consultants, and analytics firms, all operating under a business associate agreement.
Are employers subject to HIPAA for employee health records?
Generally, no. Employment records maintained by the employer are not PHI. However, the employer’s group health plan is a Covered Entity, and plan-related PHI must be protected under HIPAA with appropriate firewalls and limited access procedures.
How do state laws interact with HIPAA?
HIPAA preempts conflicting state laws unless a state rule is more protective of privacy, in which case the state rule controls. As a result, organizations must comply with HIPAA’s baseline and also with any applicable State Privacy Regulations that provide stronger protections for certain data or populations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.