Is Medical Information Protected by HIPAA? What’s Covered (and What Isn’t)
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule sets national standards for how health information is used and disclosed, and gives you rights over your records. It applies to Protected Health Information (PHI) in any form, whether electronic, paper, or oral, held by covered entities and their business associates.
Under the HIPAA Privacy Rule, organizations may use or share PHI for treatment, payment, and health care operations without your authorization, while applying the “minimum necessary” standard. You also have rights to access, obtain copies, request corrections, and receive a Notice of Privacy Practices that explains how your data is handled.
Core principles
- Use and disclosure limits aligned to purpose and “minimum necessary.”
- Individual rights of access, amendment, and confidentiality requests.
- Administrative, technical, and physical safeguards for PHI security.
- Breach notification duties when unsecured PHI is compromised.
Covered Entities and Their Responsibilities
Covered entities include health care providers that conduct standard electronic transactions, health plans (such as insurers and group health plans), and health care clearinghouses. These organizations must follow HIPAA requirements end to end and are accountable for how workforce members handle PHI.
Business associates
Vendors that create, receive, maintain, or transmit PHI for a covered entity—such as billing companies, cloud services, and EHR vendors—are business associates. They must sign Business Associate Agreements, safeguard PHI, follow many HIPAA Privacy Rule obligations, and are directly liable if they fail to protect information.
Operational duties you should expect
- Provide a clear Notice of Privacy Practices and designate privacy and security officials.
- Train staff, manage role-based access, and apply the minimum necessary standard.
- Execute Business Associate Agreements before sharing PHI with vendors.
- Maintain risk analyses, respond to incidents, and issue breach notifications when required.
- Cooperate with enforcement actions, such as HHS Office for Civil Rights investigations and compliance reviews, and implement corrective measures when needed.
Definition and Scope of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate that relates to your past, present, or future physical or mental health, care received, or payment for care. If the information identifies you or could reasonably identify you, it is PHI.
What typically counts as PHI
- Clinical details (diagnoses, test results, medications, treatment plans).
- Billing and insurance data (claims, policy numbers, account numbers).
- Demographic and identifying elements linked to care (names, addresses, dates, contact info, photos, device IDs, and similar identifiers).
- Biometric identifiers and full-face images connected to health services.
De-identified Information and limited data sets
De-identified Information is not PHI because it no longer identifies you. De-identification is achieved either by removing the 18 identifiers listed under the “Safe Harbor” method or by an expert determination that the risk of re-identification is very small. A limited data set, which excludes most direct identifiers but retains some elements like dates, city, state, or ZIP codes, may be used for research, public health, or health care operations with a Data Use Agreement.
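As an added illustration (not code from this page or from Accountable), here is how the Safe Harbor method applies to a single record in Python. The dropped identifier categories, the year-only treatment of dates, the “90+” age bucket, and the three-digit ZIP truncation with its “000” fallback for prefixes covering 20,000 people or fewer are taken from the published Safe Harbor criteria; the field names, the sample record, and the small-population ZIP prefix set are constructed assumptions for the example.

```python
"""Safe Harbor de-identification of one patient record.

Added example, not code from the page or from any vendor. Field names,
the sample record, and SMALL_ZIP3 are constructed for illustration.
"""
import re
from datetime import date

# Safe Harbor direct-identifier categories, mapped to assumed field names.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 people or fewer must become "000".
# Constructed placeholder set; the real set is derived from census data.
SMALL_ZIP3 = {"036", "059", "102"}

# Patterns used by the post-hoc check for identifiers left in string fields.
FULL_DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
FIVE_DIGIT_ZIP = re.compile(r"^\d{5}(-\d{4})?$")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def safe_harbor_zip(zip_code):
    """Keep the first three digits, or '000' for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def safe_harbor_date(value):
    """Reduce an ISO date to its year; month and day are identifiers."""
    return date.fromisoformat(value).year


def safe_harbor_age(age):
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else age


def deidentify(record):
    """Return a new dict with Safe Harbor transforms applied field by field."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped outright
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            out[key[:-5] + "_year"] = safe_harbor_date(value)  # birth_date -> birth_year
        elif key == "age":
            out["age"] = safe_harbor_age(value)
        else:
            out[key] = value  # clinical fields (diagnosis, labs) are retained
    return out


def safe_harbor_violations(record):
    """List fields that still look like Safe Harbor identifiers.

    A necessary check, not a sufficient one: free text and 'any other
    unique identifying number' cannot be caught by field name alone.
    """
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            problems.append(key)
        elif key == "age" and isinstance(value, int) and value > 89:
            problems.append(key)
        elif isinstance(value, str) and (
            FULL_DATE.search(value) or FIVE_DIGIT_ZIP.match(value) or EMAIL.search(value)
        ):
            problems.append(key)
    return problems


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0012345",
    "email": "jane@example.com",
    "phone": "555-0100",
    "zip": "03601",
    "birth_date": "1930-06-15",
    "admission_date": "2024-03-02",
    "age": 93,
    "diagnosis": "E11.9",
    "notes": "Follow-up in 6 months",
}

if __name__ == "__main__":
    print("before:", safe_harbor_violations(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after: ", cleaned, safe_harbor_violations(cleaned))
```

The check function is deliberately conservative: it flags any remaining full date, five-digit ZIP, or e-mail address in a string field, but it cannot recognise an identifier buried in free-text notes or an unlisted unique number. That gap is why the Expert Determination path exists, and why free text usually needs manual review or removal before a data set is treated as de-identified.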
Exclusions and Exceptions under HIPAA
Information not treated as PHI under HIPAA
- De-identified Information that meets HIPAA’s de-identification standards.
- Employment records held by a covered entity in its role as an employer.
- Education records and certain student treatment records governed by FERPA.
- Health information of individuals deceased for more than 50 years.
Permitted uses and disclosures without your authorization
Covered entities may disclose PHI without authorization for narrow purposes when conditions are met and the minimum necessary standard applies. Common categories include:
- Treatment, payment, and health care operations.
- Required-by-law disclosures and compliance with court orders.
- Public Health Disclosures to prevent or control disease and to public health authorities.
- Health oversight activities, audits, and inspections.
- Law enforcement purposes and to avert a serious threat to health or safety.
- Organ and tissue donation, medical examiner and coroner functions.
- Research with an Institutional Review Board or Privacy Board waiver of authorization, or under a limited data set with a Data Use Agreement.
- Workers’ compensation and other programs as authorized by law.
Genetic Information Protections
Genetic information is PHI when held by a covered entity or business associate. Beyond HIPAA’s baseline protections, the Genetic Information Nondiscrimination Act (GINA) and the HIPAA rules implementing it prohibit health plans from using or disclosing genetic information for underwriting purposes, and they treat family medical history as genetic information. These rules reduce incentives to request or use predictive genetic data for coverage decisions.
Practical takeaways
- If your clinician orders or stores genetic testing results, HIPAA applies.
- Health plans generally cannot use genetic information to set premiums or deny coverage based on genetic risk.
- Direct-to-consumer genetic services may fall outside HIPAA unless they act for a covered entity; their privacy promises are governed by other laws and contracts.
Health Information Outside HIPAA’s Scope
HIPAA does not automatically cover all health-related information. Data is usually outside HIPAA when it is collected by companies that are not covered entities or business associates. Common examples include wellness apps, fitness trackers, consumer DNA portals, and many personal health journals you maintain for yourself.
However, the same data may become PHI if a covered provider or health plan collects, integrates, or directs the app or device vendor as a business associate. Otherwise, these companies are generally regulated by consumer protection and other privacy laws rather than the HIPAA Privacy Rule.
Examples often outside HIPAA
- Wearable device metrics (steps, heart rate, sleep) stored by a consumer platform.
- Health-related website browsing or search activity on non-clinical sites.
- Employer-held records used for employment decisions rather than health care.
- Data that has been properly de-identified and aggregated for analytics.
State Laws and Additional Protections
HIPAA is a federal floor. States can impose stricter rules, and when they do, the stronger protection usually controls. Many states add heightened confidentiality for mental health, HIV status, reproductive health, and minors’ records, and they may regulate consumer health data that is not PHI.
Other privacy regimes can also apply in parallel, for example the federal confidentiality rules for substance use disorder treatment records (42 CFR Part 2), state consumer privacy statutes, and general unfair or deceptive practices laws. State attorneys general and consumer protection agencies increasingly pursue health privacy cases alongside federal enforcement by the HHS Office for Civil Rights.
What this means for you
- Ask who holds your data and in what role (covered entity, business associate, or neither).
- Review Notices of Privacy Practices for PHI and privacy policies for consumer apps.
- Use privacy settings, limit sharing, and prefer vendors that minimize data collection.
Conclusion
Medical information is protected by HIPAA when it is PHI in the hands of covered entities or their business associates. De-identified Information and most consumer-collected data fall outside the HIPAA Privacy Rule, though other laws may still apply. To understand what’s covered—and what isn’t—focus on who holds the data, why it was collected, and which legal framework governs its use.
FAQs
What types of medical information does HIPAA protect?
HIPAA protects PHI—any individually identifiable health information related to your condition, care, or payment for care—when held by a covered entity or business associate. That includes clinical notes, test results, prescriptions, billing records, insurance claims, and identifiers (like names, dates, contact details, images, and device or account numbers) when linked to health services.
Are fitness tracker data covered by HIPAA?
Usually no. Data from fitness trackers and wellness apps are typically outside HIPAA unless the device or app is provided by, integrated with, or acting on behalf of a covered entity under a Business Associate Agreement. Otherwise, those companies are governed by consumer privacy and other applicable laws, not the HIPAA Privacy Rule.
When can covered entities disclose PHI without authorization?
Common situations include:
- Treatment, payment, and health care operations.
- Required-by-law disclosures, subpoenas, and court orders with proper safeguards.
- Public Health Disclosures to report diseases, adverse events, or exposures.
- Health oversight, audits, and investigations.
- Law enforcement needs and to prevent or lessen a serious and imminent threat.
- Organ donation, medical examiner and coroner duties, and certain research with approvals.
- Workers’ compensation and similar programs authorized by law.
How are violations of HIPAA enforced?
The U.S. Department of Health and Human Services’ Office for Civil Rights investigates complaints, conducts compliance reviews, and resolves cases through corrective action plans and civil monetary penalties when appropriate. State attorneys general can also bring actions. Outcomes range from voluntary remediation to settlements and significant penalties, depending on the severity and persistence of violations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.