Not Covered by HIPAA Privacy Rule: Exclusions, Risks, and Best Practices

Kevin Henry

HIPAA

February 20, 2025

Exclusions from HIPAA Privacy Rule

Not every piece of health-related information is regulated by HIPAA. The Privacy Rule protects “protected health information” (PHI) when created or held by covered entities or their business associates. Large categories of data fall outside that scope, and you must handle them with clear, risk-based controls even though they are not covered by HIPAA.

Employment Records Exclusion

Health information held by an employer in its role as an employer is not PHI. This Employment Records Exclusion applies even if the employer is also a covered entity for other activities. Examples include doctor’s notes for sick leave, fit-for-duty reports, drug test results used for HR decisions, and accommodation documentation.

  • Treat these files as confidential employee records, separate from group health plan data.
  • Apply HR-centric laws (for example, disability and leave laws) and corporate privacy policies.

FERPA Education Records

Student health records maintained by most schools and school districts are FERPA Education Records, not HIPAA PHI. That includes K–12 nurse records and many university student health records. Some campus clinics that bill insurance may operate under different rules, but FERPA generally governs student records, with specific rights for parents and eligible students.

De-Identified Health Information

Data that meet HIPAA’s de-identification standards are not PHI. De-Identified Health Information is created either by removing specified identifiers or through expert determination that the re-identification risk is very small. Because de-identification can be reversed if done poorly, document your method and monitor for linkage risks over time.

Law Enforcement Disclosures and Records

Law enforcement agencies are typically not covered entities, and information they maintain for law enforcement purposes is not PHI. Covered entities may make limited Law Enforcement Disclosures when an exception applies (for example, responding to a court order). Keep those disclosures narrow, documented, and consistent with “required by law” provisions.

Other Commonly Non-Covered Contexts

  • Consumer health apps and wearables that are not acting as business associates of a covered entity.
  • Life insurers, workers’ compensation programs, and employers when using information for underwriting, benefits eligibility, or claims not handled by a covered health plan component.
  • Decedent information more than 50 years after death.
  • Wellness programs offered by an employer outside the group health plan structure.

Risks of Non-Covered Information

“Not covered by HIPAA” is not “risk-free.” Sensitive health-related data can still trigger legal, operational, and reputational consequences if mishandled.

While HIPAA may not apply, you still face Data Breach Liability under state breach-notification laws, consumer-protection rules, and sector-specific requirements. FERPA, employment, and insurance statutes carry separate obligations and penalties. Contracts with clients, schools, or agencies may also impose enforceable privacy and security commitments.

Operational and Reputational Harm

Security incidents involving non-covered health data disrupt operations, increase support costs, and erode trust with patients, students, employees, and partners. Perceived misuse—for example, using wellness data in employment decisions—can damage morale and lead to attrition or grievances.

Re-Identification and Aggregation Risks

Combining datasets can undo de-identification, especially when unique dates, locations, or device identifiers are present. The risk grows as more third-party data are acquired, making robust controls and ongoing risk assessments essential.
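As an added illustration of the de-identification and linkage points above (example code written for this page, not part of the original article), the Python below measures k-anonymity over quasi-identifiers on a constructed record set, counts how many records a constructed third-party device list could be joined to, and applies a simplified version of the "removing specified identifiers" approach (an assumption here, not the full HIPAA identifier list) to show how generalising dates, ZIP codes and device serials shrinks that exposure.

```python
from collections import Counter

# Constructed sample: wellness-app records with names and other direct
# identifiers removed, but still carrying exact dates, 5-digit ZIPs and serials.
RECORDS = [
    {"dob": "1984-03-14", "zip": "02139", "device": "WB-7781", "event": "2024-05-02"},
    {"dob": "1984-07-22", "zip": "02142", "device": "WB-7790", "event": "2024-05-09"},
    {"dob": "1984-11-05", "zip": "02138", "device": "WB-7804", "event": "2024-06-15"},
    {"dob": "1991-01-30", "zip": "94110", "device": "WB-8012", "event": "2024-05-20"},
    {"dob": "1991-09-12", "zip": "94117", "device": "WB-8020", "event": "2024-07-01"},
    {"dob": "1991-12-03", "zip": "94103", "device": "WB-8033", "event": "2024-07-19"},
]
# Constructed third-party dataset (e.g. a device vendor's registration list)
# acquired later; it overlaps with our records only on the device serial.
DEVICE_REGISTRY = {"WB-7781", "WB-8012", "WB-8033"}
QUASI_IDS = ("dob", "zip", "device", "event")

def equivalence_classes(records, keys):
    """Group records by their combination of quasi-identifier values."""
    return Counter(tuple(r.get(k) for k in keys) for r in records)

def k_anonymity(records, keys):
    """Smallest class size; k == 1 means at least one record is singled out."""
    return min(equivalence_classes(records, keys).values())

def linkable_count(records, external_ids, key="device"):
    """Records whose identifier also appears in an acquired dataset (joinable)."""
    return sum(1 for r in records if r.get(key) in external_ids)

def generalise(record):
    """Simplified, assumed generalisation: keep only the year of each date,
    the first three ZIP digits, and drop the device serial entirely."""
    return {"dob": record["dob"][:4], "zip": record["zip"][:3], "event": record["event"][:4]}

def assess(records):
    """Compare re-identification exposure before and after generalisation."""
    generalised = [generalise(r) for r in records]
    return {
        "k_raw": k_anonymity(records, QUASI_IDS),
        "linkable_raw": linkable_count(records, DEVICE_REGISTRY),
        "k_generalised": k_anonymity(generalised, ("dob", "zip", "event")),
        "linkable_generalised": linkable_count(generalised, DEVICE_REGISTRY),
    }
```

Re-running assess() whenever a new external dataset is acquired is one concrete way to "monitor for linkage risks over time" rather than treating a one-off de-identification as permanent.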

Vendor and Ecosystem Dependencies

Cloud providers, app developers, and data brokers may not be business associates. Weak vendor controls or opaque data-sharing practices can introduce unanticipated liabilities and create challenges fulfilling deletion or access requests.

Best Practices for Handling Non-Covered Information

Inventory and Classify

Create a master inventory that flags which datasets are HIPAA-covered and which are not. For each non-covered set, record the legal basis, sensitivity level, retention rule, and approved uses. Clear classification drives appropriate safeguards and prevents accidental commingling with PHI.

Data Minimization and Purpose Limitation

Collect only what you need, keep it only as long as necessary, and limit downstream uses. Use aggregation, pseudonymization, and tokenization for analytics to reduce exposure without sacrificing insight.

De-Identification Governance

If you rely on De-Identified Health Information, specify the method, tools, and acceptance criteria. Require peer or expert review, log re-identification tests, and re-evaluate risk when context or linkable datasets change.

Transparent Notices and Consents

Provide plain-language privacy notices that explain how non-covered health data will be used, shared, and secured. Do not rely on the HIPAA Notice of Privacy Practices for these datasets; craft separate consumer or employee notices where appropriate.

Contracts and Vendor Management

When vendors are not business associates, use strong privacy and security addenda, incident-notification timelines, and data-return/destruction clauses. Prohibit secondary use or sale without explicit authorization, and verify subcontractor controls.

Retention and Secure Disposal

Adopt records schedules tailored to non-covered data. Use approved deletion workflows, cryptographic erasure for cloud storage, and certified media destruction for endpoints and backups.

Map each dataset to the right legal framework and your role in processing. When in doubt, seek counsel; this section provides general information, not legal advice.

Education Contexts

For school-held records, apply FERPA Education Records rules, including rights to inspect, amend, and control disclosures. Align incident response with education-agency requirements rather than HIPAA breach processes.

Employment Contexts

Apply HR and labor laws to the Employment Records Exclusion. Keep HR files separate from plan data, restrict access to need-to-know HR personnel, and forbid use of wellness or screening data in employment decisions unless explicitly permitted.

Consumer Protection and Breach Rules

Many non-covered health apps and services fall under consumer-protection laws and, in some cases, federal or state breach-notification rules for health data. Build your incident playbook to address those obligations, including timelines and required content.

Disclosures Required by Law

For subpoenas, court orders, or Law Enforcement Disclosures, verify the legal authority, disclose only what is necessary, and maintain an auditable record of the request, response, and decision-making.

Data Security Strategies

Apply a pragmatic security baseline tailored to sensitivity, even for data not covered by HIPAA. Focus on prevention, detection, and rapid containment.

Access Control Measures

  • Use least privilege, role-based or attribute-based access, and just-in-time elevation for administrators.
  • Require strong multi-factor authentication and session timeouts for high-sensitivity systems.
  • Segment environments so non-covered datasets cannot be easily correlated with PHI without authorization.
  • Continuously review entitlements and remove dormant accounts promptly.

Encryption Standards

  • Encrypt data at rest using widely accepted algorithms (for example, AES-256) with centralized key management and rotation.
  • Use modern transport encryption (for example, TLS 1.2+), certificate pinning for mobile apps, and HSTS for web endpoints.
  • Protect keys in hardware-backed modules where feasible, and separate key custody from data custody.

Secure Engineering and Operations

  • Adopt secure SDLC practices: threat modeling, code scanning, dependency management, and pre-release security testing.
  • Instrument logging at the data, application, and network layers; forward to a monitored SIEM.
  • Deploy endpoint protection, mobile device management, and data loss prevention tuned to health-related fields.

Incident Response and Resilience

  • Maintain a runbook that covers non-covered health data scenarios and applicable breach rules.
  • Practice tabletop exercises, validate backup restoration, and define containment steps for re-identification events.

Employee Training and Awareness

Your people are the control surface. Train them to recognize boundaries, apply policy, and escalate issues quickly.

  • Provide role-based training that distinguishes PHI from non-covered data, with examples from HR, school health, and app telemetry.
  • Teach do’s and don’ts for Employment Records Exclusion and FERPA Education Records, including proper storage and sharing.
  • Run frequent microlearning on phishing, social engineering, and safe data handling for exports and reports.
  • Reinforce incident-reporting norms: “When in doubt, escalate.”

Auditing and Monitoring Practices

Build a risk-based audit program that validates your controls and produces actionable findings. Prioritize areas with sensitive non-covered data and complex sharing patterns.

Program Design

  • Define scope, criteria, and evidence for each audit (access reviews, disclosure logs, vendor compliance, de-identification procedures).
  • Use sampling across systems and teams; verify both process and technical enforcement.
  • Track remediation to closure and report trends to leadership.

Key Controls to Test

  • Access Control Measures: entitlement hygiene, MFA coverage, and break-glass procedures.
  • Encryption Standards: key rotation, cipher configurations, and encrypted backups.
  • Disclosure governance: documentation for Law Enforcement Disclosures and other “required by law” releases.
  • Vendor oversight: contract clauses, security attestations, and incident-notification performance.

Conclusion

Many health-related datasets are not covered by HIPAA, but they still demand disciplined governance. By mapping the right laws, minimizing data, enforcing strong security, and auditing continuously, you reduce risk while maintaining trust with employees, students, consumers, and partners.

FAQs

What types of records are excluded from HIPAA Privacy Rule coverage?

Common exclusions include employment records held by an employer (Employment Records Exclusion), FERPA Education Records maintained by schools, De-Identified Health Information that meets HIPAA’s de-identification standard, records maintained by law enforcement for law enforcement purposes, certain workers’ compensation and insurance records, wellness data outside a group health plan, and decedent information more than 50 years after death.

How can organizations protect non-covered health information?

Start with a data inventory and classification, apply least-privilege Access Control Measures, and use strong Encryption Standards for data at rest and in transit. Minimize collection, document de-identification methods, require robust vendor contracts, provide transparent notices, and implement retention and secure disposal. Test these controls through audits and drills.

You may face Data Breach Liability under state or federal consumer-protection and breach-notification rules, contractual penalties, and sector-specific sanctions (such as FERPA consequences in education or employment-law violations for HR files). Reputational harm and loss of stakeholder trust often add significant indirect costs.

How often should audits be conducted to ensure compliance?

Use a risk-based cadence. Most organizations conduct at least annual audits of program controls, quarterly access and configuration reviews for high-risk systems, and continuous monitoring of critical logs. After major system changes or incidents, perform targeted, out-of-cycle audits to validate corrective actions.
