What HIPAA Does Not Protect: Information That Isn't Covered (With Examples)
Non-Covered Entities
Covered Entity Definition (quick refresher)
HIPAA protects Protected Health Information when it is created or held by a covered entity or its business associate. The covered entity definition includes health plans, most health care providers that transmit health information electronically in standard transactions, and health care clearinghouses. If an organization is outside these categories—and not acting on behalf of one via a contract—it is generally not bound by HIPAA.
Who is typically not covered
- Employers and HR departments (outside their group health plan functions).
- Life insurers, disability insurers, and workers’ compensation carriers.
- Schools and school districts handling student records under other laws.
- Consumer apps, wearables, fitness trackers, and wellness platforms not contracted by a covered entity.
- Financial institutions, credit bureaus, data brokers, advertising networks, and most websites.
- Law enforcement agencies and many government offices that are not health plans, providers, or clearinghouses.
Examples
- You email your manager a doctor’s note. Your employer’s copy is an employment record, not HIPAA-protected PHI.
- You enter symptoms in a meditation app you found in an app store. The app developer is a non-covered entity unless it operates under a business associate agreement.
- You apply for life insurance and share medical history. The life insurer is not a covered entity.
What this means for you
When you deal with non-covered entities, HIPAA does not apply. A non-covered entity may still have compliance obligations under other regimes (for example, consumer protection or state privacy laws), but those are distinct from HIPAA.
De-Identified Information
HIPAA’s de-identification standards
Data that has been de-identified under HIPAA’s De-Identification Standards is no longer PHI and falls outside HIPAA. De-identification can occur by removing specific identifiers (the “safe harbor” method) or by an expert’s determination that the risk of re-identification is very small.
What de-identified data looks like
- Aggregated statistics, such as “2,315 knee replacements in 2024 statewide,” with no patient-level identifiers.
- A research dataset where names, precise addresses, full dates, medical record numbers, and other direct identifiers have been removed, and risk is assessed by a qualified expert.
- Hospital dashboards showing monthly trends without any details that could single out a person.
Key cautions
Once de-identified, information may be used for analytics, product development, or quality improvement without HIPAA constraints. However, re-identification risk remains whenever the data is combined with other sources. Some jurisdictions have anonymized-data regulations that set expectations for safeguards even when HIPAA no longer applies.
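The safe harbor method described above removes or generalizes specific identifiers rather than assessing risk. As an added illustration (example code written for this page, not from the original article or any HIPAA tooling), the following Python applies the main safe harbor rules to a constructed record and goes slightly beyond the article's list: direct identifiers are dropped, dates are reduced to the year, ZIP codes are reduced to three digits with small-population prefixes zeroed, ages over 89 are pooled as "90+" (with the birth year dropped, since it would reveal the age), and free-text fields are swept for identifiers that survived. The field names, the restricted ZIP3 subset and the sample record are assumptions for illustration only.

```python
from datetime import date
import re

# Constructed field names for an EHR-style record (assumption, not a real schema).
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email", "ssn", "mrn",
                      "health_plan_id", "device_id", "ip_address", "url"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Safe harbor: ZIP3 prefixes covering 20,000 or fewer people must be reported
# as "000". Illustrative subset only; maintain the real list from census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
# Patterns that flag SSNs, phone numbers, slash dates and emails left in free text.
RESIDUAL = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{3}[-.]\d{3}[-.]\d{4}\b|"
                      r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|[\w.]+@[\w.]+")

def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor(record: dict, as_of: str) -> dict:
    """Return a copy of record with safe harbor identifiers removed or generalized."""
    as_of_date = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year  # year only
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        else:
            out[key] = value
    if "dob" in record:
        age = age_on(date.fromisoformat(record["dob"]), as_of_date)
        if age > 89:
            out["age"] = "90+"                         # ages over 89 form one bucket
            out.pop("dob_year", None)                  # birth year would reveal the age
        else:
            out["age"] = age
    return out

def residual_identifiers(record: dict) -> list:
    """Free-text fields can still leak identifiers; return the offending keys."""
    return [k for k, v in record.items() if isinstance(v, str) and RESIDUAL.search(v)]

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001", "ssn": "123-45-6789",
    "dob": "1931-05-20", "admit_date": "2024-03-02", "zip": "03601",
    "diagnosis": "M17.11", "notes": "Daughter reachable at 555-123-4567.",
}
```

Running `safe_harbor(SAMPLE, "2024-03-02")` keeps only the diagnosis, the admission year, ZIP3 "000" and age "90+", and `residual_identifiers` then flags the `notes` field because the phone number in free text was never touched by the field-level rules.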
Employment Records
What HIPAA excludes
HIPAA does not protect employment records, even when they contain health-related details. This includes FMLA certifications, ADA accommodation files, drug test results maintained by an employer, and “fit for duty” assessments in a personnel file. These are not PHI because they are held in the employer’s capacity, not in a health plan or provider role.
Important distinction: the employer vs. the plan
If your employer sponsors a group health plan, the plan is a covered entity, but the employer is not. Firewalls must separate the plan’s PHI from the employer’s HR records. Employer obligations around employee health privacy may still arise under workplace, disability, and anti-discrimination laws, but they are separate from HIPAA.
Examples
- Your supervisor files your medical leave forms in your HR folder—these are employment records, not HIPAA-protected PHI.
- The group health plan’s claims data is PHI; HR cannot freely access it without proper authorizations and need-to-know limits.
Education Records
FERPA, not HIPAA
Student health and counseling records maintained by a school or district are generally “education records” or “treatment records” governed by the Family Educational Rights and Privacy Act. Because FERPA applies, HIPAA expressly excludes these records from its scope.
When HIPAA may still apply
If a student receives care from an outside hospital or clinic unaffiliated with the school, those records are PHI under HIPAA. But once the school maintains the record as part of its education system, FERPA controls access and disclosures—not HIPAA.
Examples
- A school nurse’s log, immunization documentation kept by the school, and counseling notes at a university counseling center are FERPA records.
- A college student treated at a local non-university urgent care has HIPAA-protected records at that clinic.
Publicly Available Information
What counts as public
Information that is lawfully made public—news reports, court filings, public registries, or your own social media posts—is not protected by HIPAA simply because it relates to health. Publicly available information is not PHI in most contexts.
Examples
- You post on Instagram about your surgery; those posts are not HIPAA-protected.
- A newspaper story about a local outbreak is public information, not PHI.
Important caveat for providers
Covered entities remain bound by HIPAA. Even if a patient has made details public, a provider generally cannot confirm or disclose a patient’s PHI without appropriate authorization.
Data Used for Non-Health-Related Purposes
Outside treatment, payment, and operations
HIPAA focuses on how covered entities use PHI for health care functions. When data is collected or repurposed for non-health-related purposes by entities outside HIPAA—such as advertising, credit decisions, or general consumer analytics—HIPAA typically does not apply.
Examples
- Browsing data from a health website captured by an ad network and used for targeted ads by a non-covered company.
- Location analytics identifying visits to clinics, used for marketing by third parties not acting as business associates.
- Information you give a life insurer for underwriting; the insurer is not a HIPAA covered entity.
Nuance to remember
If a covered entity uses PHI for marketing, HIPAA generally requires patient authorization. But once the same or similar data sits with a non-covered entity and is not PHI, HIPAA does not regulate its non-health use. Other privacy laws may still apply.
Health Information Held by Non-Covered Entities
Common scenarios
Health-related details held by non-covered entities are not HIPAA-protected. This includes data in consumer wearables, fertility and period-tracking apps, nutrition and fitness platforms, mental wellness chatbots, and direct-to-consumer lab or genetic testing services—unless they are operating on behalf of a covered entity.
Examples
- Your smartwatch logs heart rate and sleep data in the device maker’s cloud; the company is typically not a covered entity.
- A fertility app collects cycle data and symptoms; unless it contracts with a provider or plan as a business associate, HIPAA does not apply.
- You download your medical records and store them in your personal drive; your copy is not regulated by HIPAA.
Compliance landscape
For a non-covered entity, compliance obligations may flow from consumer protection, unfair practices, or state privacy statutes rather than HIPAA. Knowing which framework applies helps you set appropriate consent, retention, and security controls even when the data is not PHI.
Conclusion
HIPAA protects PHI within a specific ecosystem—covered entities and their business associates. Information outside that ecosystem, de-identified datasets, employment and education records, publicly available details, and data used by non-covered entities for non-health purposes fall outside HIPAA. Anchor your policies to the covered entity definition and de-identification standards, and layer in other applicable privacy rules where HIPAA stops.
FAQs
Which entities are not covered by HIPAA?
Employers, life and disability insurers, most schools and school districts (for student records), consumer apps and wearables not acting for a covered entity, data brokers, advertising networks, financial institutions, and law enforcement agencies are typically not covered entities under HIPAA.
What types of health information does HIPAA exclude from protection?
HIPAA excludes de-identified data, employment records held by an employer, education records governed by FERPA, and information that is publicly available. Health details held by non-covered entities (like many consumer apps) are also outside HIPAA, even if they feel sensitive.
How is de-identified information treated under HIPAA?
Once information is de-identified under HIPAA’s standards—either via expert determination or safe harbor—it is no longer PHI and HIPAA restrictions no longer apply. Organizations may use such data for analytics, research, or product improvement, while still managing re-identification risk.
Are employment health records protected by HIPAA?
No. Health-related information in an employer’s HR files—such as sick notes, FMLA certifications, ADA accommodations, or drug test results—is an employment record, not PHI. HIPAA may protect data within a separate group health plan, but not the employer’s personnel files.