Nick and HIPAA: What the Law Actually Covers (and What It Doesn't)

Kevin Henry

HIPAA

June 20, 2025

HIPAA Coverage Scope

HIPAA is a U.S. federal law that governs how protected health information (PHI) is used, disclosed, and safeguarded. It applies to covered entities and the business associates that handle PHI for them. The law sets data sharing limitations such as the “minimum necessary” standard and requires reasonable security safeguards.

Who is a covered entity?

  • Health care providers that transmit standard electronic transactions (for example, claims or eligibility checks).
  • Health plans, including employer-sponsored group health plans and insurers.
  • Health care clearinghouses that translate health data between formats.

PHI is any individually identifiable information about your health, care, or payment for care that a covered entity creates or receives. If information is not PHI (for example, truly de-identified health information), HIPAA generally does not apply.

Business associates

Business associates are vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity. Examples include billing services, cloud storage providers, e-prescribing platforms, analytics firms, and IT support handling PHI. They must sign a business associate agreement (BAA) and follow HIPAA’s security and breach notification requirements.

Permitted uses and disclosures

  • Treatment, payment, and health care operations without separate authorization.
  • Public health, health oversight, and certain law enforcement or legal processes when conditions are met.
  • Disclosures to you (your right of access) and to individuals you designate, plus uses you specifically authorize.
  • Data sharing limitations such as using or disclosing only the minimum necessary information for non-treatment purposes.

Non-Covered Entities

Many organizations that handle health-related data are non-covered entities, meaning HIPAA does not apply to them directly. Their practices are instead shaped by privacy policies, the Federal Trade Commission, contracts, and state health privacy laws.

Common examples

  • Employers in their role as employers (HR files, accommodation requests, and fitness-for-duty notes).
  • Life insurers, most disability insurers, and workers’ compensation carriers.
  • Consumer apps, wearable device makers, and wellness services not acting for a covered entity.
  • Schools and school districts with student records governed by FERPA (addressed below).

Practical implications

Non-covered entities can collect and share health-related data according to their privacy terms, which may permit advertising or analytics uses. Because HIPAA’s data sharing limitations don’t bind them, you should review app settings, data retention details, and any options to restrict or delete data.

Consumer Health App Data

Most consumer health apps—like fitness trackers, meditation tools, and many period or symptom trackers—are not covered entities. Unless an app is acting as a business associate for your provider or health plan, HIPAA usually does not apply to the data you enter.

When HIPAA applies to apps

  • Your provider or health plan directs you to use an app that connects to their system and a BAA is in place.
  • The app is part of a patient portal or a plan’s official member application handling PHI.

When HIPAA does not apply

  • Standalone, direct-to-consumer apps you choose yourself that do not work for a covered entity.
  • Apps that collect data for coaching, advertising, or general wellness without provider oversight.

How to protect your data

  • Check whether the developer is a business associate and whether a BAA exists.
  • Review sharing settings, turn off personalized ads, and limit integrations to what you need.
  • Prefer apps that explain encryption, retention timelines, and data deletion options in plain language.

De-Identified Data Rules

HIPAA excludes de-identified health information from its protections. Once data is properly de-identified, it is no longer PHI and may be used or disclosed outside HIPAA, though ethical and contractual limits can still apply.

Two paths to de-identification

  • Safe Harbor: remove the 18 identifier types listed in the rule (names, geographic detail smaller than a state, all date elements other than year, ages over 89, phone and fax numbers, email addresses, Social Security, medical record, account and other identifying numbers, biometrics, full-face photos, and any other unique identifying code), and have no actual knowledge that the remaining information could identify the individual.
  • Expert Determination: a qualified statistical or scientific expert applies recognized methods, documents the analysis, and concludes that the risk of re-identifying an individual from the data is very small.

Limited data sets

A limited data set removes most direct identifiers but may keep certain elements like dates and general geography. It can be used for research, public health, or operations under a Data Use Agreement. It remains PHI, so data sharing limitations and safeguards still apply.

Re-identification cautions

Even de-identified data can sometimes be re-identified when combined with other datasets. HIPAA allows a covered entity to attach a code so that it can later re-identify records, provided the code is not derived from or related to information about the individual (so a hash of the name or medical record number does not qualify), cannot otherwise be translated to identify the person, and the mechanism for re-identification is kept confidential and not disclosed along with the data.
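The following Python sketch is an added example, not code from this article or from Accountable. It applies the Safe Harbor transforms described above (dropping direct identifiers, keeping only the year of dates, collapsing ages of 90 and over, truncating ZIP codes to three digits with the small-population exception) and attaches a random re-identification code held in a separate codebook, so the code is not derived from the record. It goes beyond the bullets by spelling out the date, age and ZIP rules. The field names, the sample records, and the list of small-population ZIP prefixes are assumptions for the example; that ZIP list depends on current census data and must be refreshed before real use.

```python
import datetime as dt
import secrets

# Field names are this example's own assumed schema, not a HIPAA-defined one.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account", "license", "vin", "device_id", "url", "ip",
    "biometric", "photo",
}
# Free text can smuggle identifiers back in, and Safe Harbor also requires no
# actual knowledge that the remaining data could identify someone; drop it.
FREE_TEXT = {"notes"}
# Three-digit ZIP prefixes whose combined population is 20,000 or fewer must
# become "000". This set is an assumption taken from older census guidance.
SMALL_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is a small-population area."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def generalize_date(iso_date: str) -> str:
    """Keep only the year of an ISO date (validates the input as a real date)."""
    return str(dt.date.fromisoformat(iso_date).year)


def generalize_age(age: int):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return "90+" if age >= 90 else age


def safe_harbor(record: dict, codebook: dict) -> dict:
    """Return a Safe Harbor de-identified copy of `record`.

    A random code is stored in `codebook` (kept confidential by the covered
    entity) so the record can be re-identified later without the code being
    derived from any of the record's own data.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
    # A year of birth would reveal an age over 89, so it goes too in that case.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    code = secrets.token_hex(16)  # random, unrelated to the individual
    codebook[code] = record.get("mrn")  # codebook itself is PHI; guard it
    out["reid_code"] = code
    return out


# Constructed sample records for the demo (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-0001", "birth_date": "1931-07-04", "age": 93,
     "admit_date": "2024-11-02", "zip": "03601", "diagnosis": "I10",
     "notes": "Patient's daughter Mary called."},
    {"name": "John Roe", "mrn": "MRN-0002", "birth_date": "1980-01-15", "age": 45,
     "admit_date": "2024-12-20", "zip": "02115-1234", "diagnosis": "E11"},
]


def demo():
    """De-identify the sample records and return (records, codebook)."""
    codebook = {}
    return [safe_harbor(r, codebook) for r in SAMPLE_RECORDS], codebook


if __name__ == "__main__":
    deid, book = demo()
    for row in deid:
        print(row)
    print("codebook entries:", len(book))
```

The codebook is the re-identification mechanism: it stays with the covered entity and is never shipped with the de-identified set. Replacing `secrets.token_hex` with a hash of the MRN would make the code "derived from" the data and would not satisfy the rule.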

Education and Employment Records

HIPAA specifically excludes two categories from its scope: education records and employment records. Understanding where FERPA compliance applies—and where group health plan rules apply—helps you know which protections cover your information.

Education records (FERPA)

Student health and immunization records maintained by a school or district are typically education records covered by FERPA, not HIPAA. University medical centers may be HIPAA-covered for non-student patients, while most student records maintained by the school fall under FERPA’s rules.

Employment records

Health information an employer keeps in HR files—such as leave certifications or accommodation requests—is an employment record and not PHI under HIPAA. By contrast, your employer’s group health plan is a covered entity; plan records it holds are PHI and subject to HIPAA’s privacy and security requirements.

What to ask

  • Who is holding the record—your school, your employer, a provider, or a health plan?
  • Is the information part of a student education record (FERPA) or a group health plan record (HIPAA)?
  • What privacy notice governs access, sharing, and your rights?

State Laws on Health Data

HIPAA sets a national baseline, but state health privacy laws can be stricter. Several states now regulate “consumer health data” and sensitive categories (like reproductive or mental health information), often covering non-covered entities as well.

Where states go beyond HIPAA

  • Applying requirements to apps, wearables, and websites outside HIPAA’s covered entities.
  • Requiring consent for certain uses, imposing data sharing limitations, or restricting geofencing of health locations.
  • Providing rights to access, delete, or restrict disclosures of consumer health data.
  • Allowing stronger remedies or enforcement than federal rules.

What this means for you

Your rights can vary by state. You may have additional choices over profiling and advertising uses, stronger deletion rights, or tighter limits on selling or sharing health-related inferences—especially with non-covered entities.

Common Misconceptions about HIPAA

  • “HIPAA applies to every business.” It applies to covered entities and their business associates—not to most employers, apps, or websites acting on their own.
  • “Consumer wellness apps are protected by HIPAA.” Usually not, unless the app acts for a covered entity under a BAA.
  • “Employers can’t ask about my health because of HIPAA.” HIPAA doesn’t govern employers’ HR records; other employment laws may limit what employers can ask or share.
  • “Providers need my signed authorization to talk to me.” You have a right to access your own PHI; authorizations are mainly for uses or disclosures beyond HIPAA’s standard allowances.
  • “PHI can never be shared without my permission.” HIPAA permits certain disclosures (for example, treatment, payment, operations, public health, or when required by law) subject to safeguards and the minimum necessary rule.
  • “De-identified data is risk-free.” Properly de-identified data is outside HIPAA, but re-identification risk can exist, so governance still matters.
  • “I can sue under HIPAA for damages.” HIPAA has no private right of action; it is enforced by HHS’s Office for Civil Rights and, since HITECH, by state attorneys general. Depending on your state, other legal avenues (such as negligence or state privacy statutes) may exist for privacy harms.

Summary and Key Takeaways

HIPAA protects PHI held by covered entities and business associates, sets data sharing limitations, and excludes de-identified health information, education records, and most employment records. Many non-covered entities—especially consumer apps—are governed instead by contracts and state health privacy laws. Always identify who holds your data and which rulebook applies before you share.

FAQs

What entities are covered under HIPAA?

Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Business associates that handle PHI for them are also bound by HIPAA through BAAs and must follow security and breach notification requirements.

How does HIPAA apply to consumer health apps?

HIPAA applies to an app only when it acts on behalf of a covered entity—such as a provider-directed app integrated with an EHR or a health plan’s official app—with a business associate agreement in place. Standalone consumer apps are usually non-covered entities and rely on their own privacy policies and any applicable state laws.

Are employment health records protected by HIPAA?

No. Health information an employer maintains for employment purposes (for example, leave or accommodation documentation) is not PHI under HIPAA. However, records held by an employer’s group health plan are PHI and must follow HIPAA’s privacy and security rules.

Does HIPAA cover education records?

Education records, including most student health records kept by schools, are governed by FERPA, not HIPAA. University medical centers are generally HIPAA-covered for non-student patients, while student records maintained by the school typically fall under FERPA compliance.
