Not a HIPAA Covered Entity? Organizations and Roles Excluded, With Examples
Definition of HIPAA Covered Entities
What “covered entity” means
Under HIPAA’s administrative simplification rules, a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions (for example, eligibility checks, claims, or remittance advice). If you don’t meet one of these definitions, you are not a HIPAA covered entity.
What counts as protected health information (PHI)
PHI is individually identifiable health information about a person’s health, care, or payment for care that is created or received by a covered entity or its business associate. PHI can be paper, oral, or electronic. De-identified information is not PHI, and neither are education records covered by FERPA or employment records that a covered entity holds in its role as an employer.
Categories of Covered Entities
Health plans
- Health insurance issuers and HMOs.
- Government programs that pay for health care, such as Medicare and Medicaid.
- Employer-sponsored group health plans and certain health care flexible spending arrangements (a group plan with fewer than 50 participants that the employer administers itself is excluded from the definition).
Health care providers
- Clinicians and organizations (e.g., physicians, clinics, pharmacies, laboratories, hospitals) that conduct standard electronic transactions.
- Cash-only providers that never conduct standard electronic transactions may fall outside HIPAA, but using a vendor or clearinghouse for claims typically brings them within scope.
Health care clearinghouses
- Entities that translate nonstandard health information into standard formats or vice versa (for example, billing clearinghouses).
Roles of Business Associates
Who is a business associate
A business associate (BA) is a person or organization that performs services for or on behalf of a covered entity and, as part of that work, creates, receives, maintains, or transmits PHI. Common examples include billing services, cloud storage providers that host ePHI, claims processors, and certain analytics vendors.
Key compliance obligations for BAs
- Implement administrative, physical, and technical safeguards for ePHI under the Security Rule.
- Use and disclose PHI only as permitted by the business associate agreement (BAA) and HIPAA.
- Report breaches to the covered entity and flow down BAA terms to subcontractors.
- Support access, amendment, and accounting requests that the covered entity must fulfill.
Business associate agreement essentials
A BAA defines allowed uses/disclosures, security controls, breach notification timelines, and oversight rights. Without a BAA in place, a vendor should not receive PHI. Signing a BAA does not make the vendor a covered entity. Note that it is meeting the definition of a business associate, not the signature on the agreement, that triggers direct HIPAA compliance obligations and enforcement exposure: a vendor that handles PHI for a covered entity is liable even if no BAA was ever executed.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Entities Excluded from HIPAA
Who is generally out of scope
- Companies that do not function as a health plan, clearinghouse, or qualifying health care provider.
- Vendors that do not handle PHI for a covered entity (for example, they process only de-identified or aggregate data).
- Organizations interacting directly with consumers outside the health care system and without a BAA (many wellness, fitness, or nutrition apps).
- Employers acting in their capacity as employers (HR files are typically employment records, not PHI).
- Schools and school nurses when records are education records governed by FERPA.
- Insurers that are not health plans (e.g., life, disability, auto, or workers’ compensation carriers for those lines of business).
- Law enforcement agencies and public health authorities, unless they also operate as a health plan or provider; they may still lawfully receive PHI from covered entities in specific circumstances.
Caveats that can change status
- Contracting with a covered entity to handle PHI transforms a vendor into a business associate.
- Submitting standard electronic transactions (even through a billing service) can make a provider subject to HIPAA.
- Commingling PHI received from a covered entity with ordinary consumer data, without segmentation, spreads PHI into systems that would otherwise be out of scope and pulls those systems under HIPAA.
Examples of Non-Covered Entities
- A direct-to-consumer fitness tracker that collects steps, heart rate, or sleep data from users and does not work on behalf of any covered entity.
- A meal-planning or nutrition app that users download on their own and that does not sign a BAA.
- An employer’s HR department managing sick notes or accommodation requests; these are employment records, not PHI.
- A life insurance company underwriting policies; it is not a HIPAA health plan for that product line.
- A school district maintaining student health records covered by FERPA rather than HIPAA.
- A social media platform hosting user-posted health stories; it is not a covered entity or BA.
- A research organization analyzing de-identified datasets without a BAA and without receiving PHI.
- A payment processor handling card transactions for a clinic that receives only the cardholder data needed to settle the payment; HIPAA exempts financial institutions processing consumer payments from business associate status.
HIPAA Applicability Limits
When HIPAA applies—and when it doesn’t
- HIPAA protects PHI held by covered entities and their business associates. It does not protect personal health information collected solely by non-covered apps or devices unless those companies act as BAs.
- De-identified information is outside HIPAA. Use one of the two recognized methods, Safe Harbor (removal of the enumerated identifiers) or Expert Determination, and document which one you applied.
- Education records under FERPA and employment records held by an employer are excluded from PHI.
- The Privacy Rule covers PHI in any form; the Security Rule applies to ePHI only.
Practical boundaries
- Patient-to-vendor sharing alone does not create a BA relationship; the relationship and purpose matter.
- Standard transactions are the HIPAA trigger for providers; purely paper or nonstandard workflows may be outside scope, but adding a clearinghouse or a practice management system that submits electronic claims typically brings HIPAA back into play.
- Use data segmentation to separate PHI from consumer data, minimize access, and prevent scope creep.
Implications for Non-Covered Entities
What you still need to do
- Map your data: identify where health information enters, is stored, and leaves your systems, distinguish PHI from consumer data, and document the data flows.
- Decide your role: if you perform services for a covered entity involving PHI, you are a BA and must sign a business associate agreement and meet HIPAA compliance obligations.
- Adopt a security baseline: risk assessment, encryption in transit/at rest, access control, logging/monitoring, vendor due diligence, and an incident response plan.
- Honor your promises: your privacy policy and user notices are enforceable by consumer-protection regulators (in the US, the FTC); avoid deceptive practices.
- Plan for breach response: if you are a BA, follow HIPAA breach notification; if you are not covered, other rules may apply based on your business model and location, such as the FTC Health Breach Notification Rule for vendors of personal health records in the US, or state consumer health data and breach notification laws.
- Use data segmentation and minimization to reduce the footprint of sensitive data and the likelihood of becoming a BA unintentionally.
Regulatory exposure and enforcement
- Covered entities and BAs face HIPAA enforcement for violations.
- Non-covered entities can face other enforcement for unfair or deceptive practices or for mishandling sensitive consumer health data.
- Contractual liability is real: customers may require HIPAA-aligned controls even when HIPAA does not directly apply.
Bottom line: If you are not a HIPAA covered entity, confirm whether you are a business associate. If neither, align with best practices—transparent notices, strong security, and careful data segmentation—to protect users and reduce risk while meeting your compliance obligations.
FAQs
What organizations are excluded from HIPAA coverage?
Organizations that are not health plans, health care clearinghouses, or qualifying health care providers—and that do not perform services for those entities involving PHI—are excluded. Common examples include consumer wellness apps, employers acting as employers, life and disability insurers, schools covered by FERPA, many research groups using de-identified data, and law enforcement agencies.
How does HIPAA define a covered entity?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions under HIPAA’s administrative simplification rules. Meeting any one of these definitions brings the organization under HIPAA for its handling of protected health information.
Are business associates considered covered entities?
No. Business associates are separate from covered entities, but they are directly regulated by HIPAA for the PHI they handle on behalf of covered entities. They must sign a business associate agreement and comply with security, privacy, and breach notification requirements.
What are the compliance requirements for non-covered entities?
Non-covered entities should still implement strong privacy and security programs: map and minimize data, publish accurate notices, safeguard sensitive information, and prepare for incidents. If they start handling PHI for a covered entity, they become business associates and must meet HIPAA obligations, including executing a business associate agreement.