Non-Covered Entities and HIPAA: Do You Need Compliance? Rules Explained


Kevin Henry

HIPAA

January 18, 2025

7 minute read

HIPAA is often invoked whenever organizations handle health-related data, but it does not apply to everyone. Understanding whether you are a covered entity, a HIPAA Business Associate, or a non-covered entity determines your compliance obligations and the controls you must implement.

This article clarifies the Covered Entities Definition, explains what counts as a non-covered entity, and outlines when Business Associate Agreements are required. It also offers practical steps and Data Protection Policies to safeguard Health Information Privacy. The information is general and not legal advice.

Definition of Non-Covered Entities

A non-covered entity is any organization or individual that is neither a HIPAA covered entity nor a HIPAA Business Associate. HIPAA’s Privacy, Security, and Breach Notification Rules apply to covered entities and to their business associates: since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them, in addition to the obligations they take on by contract in a Business Associate Agreement. No one else is regulated by HIPAA.

Covered Entities Definition

Covered entities include: (1) health plans (for example, insurers and group health plans), (2) health care clearinghouses, and (3) health care providers who transmit health information electronically in standard transactions (such as billing). If you do not meet one of these categories and are not a business associate, you are generally a non-covered entity.

HIPAA Business Associates

A business associate is a person or organization that performs services for a covered entity and, as part of that work, receives, creates, maintains, or transmits protected health information (PHI). A subcontractor that handles PHI on behalf of a business associate is itself a business associate. Business associates are bound to specific HIPAA safeguards both directly under the regulations and contractually through a Business Associate Agreement.

Examples of Non-Covered Entities

Many organizations handle health-related data yet are not covered by HIPAA. Common examples include:

  • Consumer wellness or fitness apps that collect exercise, diet, or sleep data directly from users without involvement of a covered entity.
  • Wearable device manufacturers and platforms processing sensor data for personal insights rather than for a covered entity’s treatment, payment, or operations.
  • Direct-to-consumer genetic, fertility, or at-home testing services operating directly with consumers, absent a covered entity relationship.
  • Life, disability, or long-term care insurers (HIPAA applies primarily to health plans, not these lines).
  • Employers in their role as employers (separate from any group health plan they sponsor).
  • Schools, for student education records, which are governed by FERPA rather than HIPAA (a school-run clinic that bills electronically can still be a covered entity for other records).
  • Personal health communities, forums, data brokers, advertising networks, or analytics vendors that receive health-related data directly from consumers.

Any of the above could become a HIPAA Business Associate if they start performing services for a covered entity and receive PHI for that purpose.

HIPAA Applicability to Non-Covered Entities

Non-covered entities are not required to comply with HIPAA’s Privacy or Security Rules unless they are acting as a business associate or otherwise become a covered entity. Simply handling health-related information does not trigger HIPAA by itself.

However, non-covered entities still face significant Compliance Obligations under other legal regimes and contracts. They should assess whether any data they handle originates from a covered entity, whether a Business Associate Agreement is needed, and what other statutory duties apply (for example, State Health Information Laws or consumer protection statutes).


Health Information Held by Non-Covered Entities

Health information held by a non-covered entity is usually not PHI under HIPAA, because PHI is individually identifiable health information created or received by a covered entity or its business associate. Nevertheless, that data may be deeply sensitive, and mishandling it can create substantial risk for individuals and the organization.

Distinguish among categories of data you hold: direct identifiers (name, email, precise location), quasi-identifiers (device IDs, IP addresses), and health indicators (symptoms, measurements, behavioral signals). Even without HIPAA, strong Health Information Privacy practices are expected, including data minimization, purpose limitation, clear user notices, and careful management of tracking technologies.

When feasible, de-identify or aggregate data, document your methodology, and avoid re-identification. HIPAA’s own de-identification standard is a useful benchmark even where HIPAA does not apply: Safe Harbor (removal of 18 listed identifiers, including names, geographic subdivisions smaller than a state except the first three digits of a ZIP code, dates other than year, contact details, device and IP identifiers, and biometrics) or Expert Determination (a documented statistical finding that re-identification risk is very small). Pseudonymized data, where a keyed token replaces an identifier, is not de-identified: whoever holds the key can re-link it. If re-linkage is possible, treat the dataset as sensitive and apply heightened safeguards.
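The classification and de-identification steps above, as an added example that is not part of the original article and not any vendor's code. It assumes a wellness app's own column names, a constructed sample dataset, and a k-anonymity threshold of 3; the field taxonomy, the generalization rules (keyed HMAC pseudonym for device IDs, /24 for IP addresses, three-digit ZIP, five-year birth-year buckets) and the threshold are illustrative choices, not a legal standard.

```python
"""Added example: classify fields, de-identify records, and measure
re-identification risk with a k-anonymity check. Field names, sample
records and the k threshold are constructed for illustration."""
import hashlib
import hmac
from collections import Counter

# Constructed field taxonomy (assumption: these are the app's own column names).
DIRECT_IDENTIFIERS = {"name", "email", "lat", "lon"}
QUASI_IDENTIFIERS = {"device_id", "ip", "zip", "birth_year"}
HEALTH_INDICATORS = {"condition", "resting_hr"}

# Constructed sample records, shaped like what a wellness app might hold.
SAMPLE_RECORDS = [
    {"name": "A. Lee", "email": "a@example.com", "lat": 40.7128, "lon": -74.0060,
     "device_id": "dev-001", "ip": "203.0.113.17", "zip": "10001", "birth_year": 1984,
     "condition": "hypertension", "resting_hr": 78},
    {"name": "B. Ruiz", "email": "b@example.com", "lat": 40.7484, "lon": -73.9857,
     "device_id": "dev-002", "ip": "203.0.113.200", "zip": "10023", "birth_year": 1981,
     "condition": "none", "resting_hr": 61},
    {"name": "C. Okafor", "email": "c@example.com", "lat": 40.7061, "lon": -74.0087,
     "device_id": "dev-003", "ip": "203.0.113.5", "zip": "10002", "birth_year": 1983,
     "condition": "asthma", "resting_hr": 70},
    {"name": "D. Chen", "email": "d@example.com", "lat": 37.7897, "lon": -122.3972,
     "device_id": "dev-004", "ip": "198.51.100.9", "zip": "94105", "birth_year": 1990,
     "condition": "diabetes", "resting_hr": 66},
]


def classify_field(field):
    """Map a column to the data category used to choose its treatment."""
    if field in DIRECT_IDENTIFIERS:
        return "direct"
    if field in QUASI_IDENTIFIERS:
        return "quasi"
    if field in HEALTH_INDICATORS:
        return "health"
    return "other"


def pseudonymize(value, key):
    """Keyed HMAC, not a bare hash: an unkeyed SHA-256 over a small ID space
    is reversible by brute force. The key holder can still re-link."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_ip(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def generalize_zip(zip_code):
    # First three digits only (Safe Harbor style); the rest is zero-filled.
    return zip_code[:3] + "00"


def bucket_year(year):
    start = year - year % 5
    return f"{start}-{start + 4}"


def deidentify(record, key):
    """Drop direct identifiers, generalize quasi-identifiers, keep health fields."""
    out = {}
    for field, value in record.items():
        kind = classify_field(field)
        if kind == "direct":
            continue
        if field == "device_id":
            out[field] = pseudonymize(value, key)
        elif field == "ip":
            out[field] = generalize_ip(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "birth_year":
            out[field] = bucket_year(value)
        else:
            out[field] = value
    return out


def k_anonymity(records, quasi_fields):
    """Smallest group of records sharing the same quasi-identifier values."""
    if not records:
        return 0
    groups = Counter(tuple(r.get(f) for f in quasi_fields) for r in records)
    return min(groups.values())


def assess(records, key, k_threshold=3, keep_pseudonym=True):
    """De-identify every record and decide whether the result may still be re-linked."""
    cleaned = []
    for r in records:
        d = deidentify(r, key)
        if not keep_pseudonym:
            d.pop("device_id", None)
        cleaned.append(d)
    # The pseudonym is unique per device, so it is excluded from the k computation
    # and handled separately: keeping it means the key holder can re-link rows.
    k = k_anonymity(cleaned, ["ip", "zip", "birth_year"])
    re_linkable = keep_pseudonym or k < k_threshold
    return {"records": cleaned, "k": k, "treat_as_sensitive": re_linkable}
```

On the constructed sample, `assess(SAMPLE_RECORDS, key)` reports k = 1 because the fourth record is alone in its ZIP, /24 and birth-year bucket, so the dataset stays in the sensitive tier; dropping that record and the pseudonym brings k to 3 and clears the threshold. The point a practitioner should take away is that the decision is made by a measured re-linkage risk, not by the fact that names were removed.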

Business Associate Agreements for Non-Covered Entities

If a non-covered entity provides services to a covered entity and touches PHI, the covered entity must obtain a Business Associate Agreement before disclosing PHI to it, and the service provider becomes a business associate for that PHI. The BAA contractually imposes HIPAA-aligned safeguards on the business associate and flows down to relevant subcontractors, who are business associates in their own right.

When a BAA Is Required

  • Receiving PHI from a covered entity to provide services such as claims processing, data hosting, analytics, telehealth enablement, or customer support.
  • Creating or maintaining PHI on behalf of a covered entity, including backup, disaster recovery, or archival storage.

Essential BAA Clauses

  • Permitted uses and disclosures of PHI and clear prohibition on unauthorized uses.
  • Safeguards aligned with HIPAA’s Security Rule, including risk analysis, access controls, encryption, and audit logging.
  • Breach and security incident notification requirements, with timelines and cooperation duties. The Breach Notification Rule requires a business associate to notify the covered entity without unreasonable delay and no later than 60 days after discovery; BAAs commonly set a much shorter contractual deadline.
  • Subcontractor flow-down obligations and right to audit or assurance reporting.
  • Termination, return, or secure destruction of PHI and survival of key obligations.

Signing a BAA does not transform all your operations into HIPAA scope. HIPAA applies only to the PHI and systems in scope of the services performed for the covered entity; still, many organizations align broader controls for consistency.

Recommendations for Protecting Health Information

  • Adopt formal Data Protection Policies: data mapping, privacy-by-design, secure development lifecycle, and documented retention/deletion schedules.
  • Minimize collection: gather only what is necessary for stated purposes; avoid sensitive inferences unless essential.
  • Strengthen technical safeguards: strong encryption in transit and at rest, multi-factor authentication, least-privilege access, endpoint hardening, and continuous monitoring.
  • Manage vendors: perform due diligence, require appropriate contracts (including Business Associate Agreements when applicable), and verify security attestations.
  • Be transparent with users: provide readable privacy notices, articulate purposes, and honor choices regarding data sharing and marketing.
  • Control tracking technologies: inventory SDKs, tags, and pixels; restrict sharing of sensitive signals; use server-side tagging with strict access and data filters where appropriate.
  • Prepare for incidents: maintain an incident response plan, practice tabletop exercises, and understand breach notification triggers under applicable laws.
  • Train your workforce: role-based privacy and security training, clear escalation paths, and periodic testing.
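The tracking-technology control in the list above (restricting sensitive signals and filtering what a server-side tagging layer forwards), as an added example that is not part of the original article and not code from any tag-management product. It assumes a constructed event shape posted by a client SDK, an allowlist of forwardable parameters, a deny-list of query keys, and a pattern of URL routes whose path alone reveals a health state; all of those names and patterns are illustrative assumptions.

```python
"""Added example: a server-side tag filter that allowlists event parameters
and scrubs health-related signals from page URLs before an event is
forwarded to an advertising or analytics vendor. The event shape, parameter
names and route patterns are constructed for illustration."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed policy: only these parameters may leave the server-side container.
ALLOWED_PARAMS = {"event_name", "page_location", "session_id", "locale"}

# Constructed: query keys that carry health signals or identifiers; never forwarded.
DENIED_QUERY_KEYS = {"condition", "symptom", "medication", "q", "email"}

# Constructed: routes whose path alone reveals a health state.
SENSITIVE_ROUTES = re.compile(r"^/(symptoms|conditions|fertility|results)(/|$)")


def scrub_url(url):
    """Return (scrubbed_url, dropped) with sensitive path, query keys and fragment removed."""
    parts = urlsplit(url)
    path = parts.path
    dropped = []
    if SENSITIVE_ROUTES.match(path):
        dropped.append(f"path:{path}")
        path = "/[sensitive-route]"
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in DENIED_QUERY_KEYS:
            dropped.append(f"query:{key}")
        else:
            kept.append((key, value))
    # The fragment is never forwarded: client-side routers and auth flows put tokens there.
    scrubbed = urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))
    return scrubbed, dropped


def filter_event(event):
    """Keep only allowlisted parameters; scrub URLs; report what was dropped for audit."""
    out = {}
    dropped = []
    for key, value in event.items():
        if key not in ALLOWED_PARAMS:
            dropped.append(f"param:{key}")
            continue
        if key == "page_location":
            value, url_dropped = scrub_url(value)
            dropped.extend(url_dropped)
        out[key] = value
    return out, dropped


# Constructed sample event, shaped like what a client SDK might post to the container.
SAMPLE_EVENT = {
    "event_name": "page_view",
    "page_location": "https://app.example.com/symptoms/search?q=chest+pain&locale=en#token=abc",
    "session_id": "s-42",
    "locale": "en",
    "email": "user@example.com",
    "client_ip": "203.0.113.17",
    "condition": "afib",
}

if __name__ == "__main__":
    forwarded, audit = filter_event(SAMPLE_EVENT)
    print("forward:", forwarded)
    print("dropped:", audit)
```

The allowlist is the important design choice: a deny-list alone fails the first time a developer adds a new parameter, whereas an allowlist fails closed. The `dropped` list is what you write to the container's audit log, which is also how you discover which SDKs and pages are leaking signals you did not know about.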

Even when HIPAA does not apply, other laws often do. Evaluate State Health Information Laws, state privacy statutes, and data breach notification laws that may regulate health-related or “sensitive” data collected directly from consumers.

Consider federal consumer protection requirements, in particular the FTC Act’s prohibition on unfair or deceptive practices, which the FTC has applied to health apps that share data contrary to their privacy notices, and the FTC Health Breach Notification Rule, which imposes breach notification duties on vendors of personal health records and related entities that are not covered by HIPAA. Sector-specific laws may also apply in certain contexts, such as education records, financial services, substance use disorder records, genetic data, biometric data, or employment-related information.

Map your data flows across jurisdictions, determine which frameworks apply, and document decisions. Align internal policies with your Compliance Obligations and keep them updated as your products and partnerships evolve.

Conclusion

Most organizations handling health-related data are non-covered entities unless they are covered entities or HIPAA Business Associates. HIPAA may not apply directly, but strong safeguards, clear contracts, and adherence to other legal regimes remain essential. Treat health data as sensitive by default and implement controls proportionate to the risks and laws that govern your operations.

FAQs

Are non-covered entities required to comply with HIPAA?

No. HIPAA applies to covered entities and to business associates handling PHI for them, the latter both directly under the regulations and through their Business Associate Agreements. Non-covered entities are not required to follow HIPAA unless they become business associates or otherwise qualify as covered entities. They may still be subject to other privacy and security laws, such as the FTC Act and the FTC Health Breach Notification Rule.

What types of organizations are considered non-covered entities?

Examples include consumer wellness apps, wearable device platforms, direct-to-consumer testing services, life insurers, employers acting as employers, schools for education records, and advertising or analytics firms that collect health-related data directly from users without a covered entity relationship.

Can non-covered entities enter into Business Associate Agreements?

Yes. When a non-covered entity provides services for a covered entity and will receive, create, maintain, or transmit PHI, a Business Associate Agreement is required. The BAA imposes HIPAA-aligned obligations on the service provider for the PHI in scope.

How should non-covered entities handle health information privacy?

Implement robust Data Protection Policies: minimize data collection, encrypt and control access, vet vendors, be transparent with users, restrict tracking technologies, and maintain incident response procedures. Determine which State Health Information Laws and other frameworks apply, and align controls with your Compliance Obligations.
