What Information HIPAA Does Not Protect: Examples and Exceptions
HIPAA protects Protected Health Information (PHI) held by Covered Entities and their Business Associates, but the Privacy Rule also draws bright lines around data it does not cover. Understanding these boundaries helps you handle Health Data Disclosure responsibly and spot Privacy Rule Exceptions before you share or request information.
De-Identified Health Information
De-Identified Data is not PHI and therefore falls outside HIPAA. Data qualifies as de-identified when it cannot reasonably identify an individual. This can be achieved by removing direct and indirect identifiers (the “safe harbor” approach) or through documented expert determination that the re-identification risk is very small.
What counts as de-identified
- Removal of identifiers such as names, street addresses, phone numbers, email addresses, full-face photos, Social Security numbers, and medical record numbers.
- Dates linked to an individual are generalized to the year; ages over 89 are grouped as “age 90 or older.”
- Aggregate statistics, such as hospital-wide readmission rates, when no individual can be singled out.
Important boundaries
- Once information is properly de-identified, HIPAA no longer applies to its use or disclosure. That said, re-identification efforts can raise ethical, contractual, or other legal issues.
- A “limited data set” (for research, public health, or operations) is not fully de-identified; it remains PHI and requires a data use agreement.
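As an added example that is not part of the original article, the safe-harbor transformations listed above applied to a constructed sample record in Python. The record keys, the identifier list and the free-text patterns are assumptions for illustration; the final check shows why dropping identifier fields alone is not enough, since free-text notes can still carry an identifier.

```python
import re
from datetime import date

# Assumed record keys for the identifiers the article names; constructed for this example.
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email",
                      "full_face_photo", "ssn", "medical_record_number"}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single category; younger ages stay exact."""
    return "90 or older" if age > 89 else str(age)

def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date (YYYY-MM-DD) linked to the individual."""
    return str(date.fromisoformat(value).year)

def deidentify(record: dict) -> dict:
    """Return a copy with direct identifiers dropped and dates/ages generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out

# Free text is the usual leak path: field stripping alone does not catch it.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def residual_identifiers(record: dict) -> list:
    """Flag (field, kind) pairs whose string value still looks like an identifier."""
    return [(key, label) for key, value in record.items() if isinstance(value, str)
            for label, pat in RESIDUAL_PATTERNS.items() if pat.search(value)]

# Constructed sample record with fictional values.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "email": "jane@example.invalid",
    "date_of_birth": "1931-04-17", "admission_date": "2023-11-02", "age": 92,
    "diagnosis_code": "E11.9",
    "notes": "Patient asked to be reached at 555-010-9999.",
}
```

Running `residual_identifiers(deidentify(SAMPLE))` still reports the phone number in the notes field, which is the record a reviewer must handle before treating the dataset as de-identified.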
Education Records Under FERPA
Student health and counseling records maintained by schools are typically governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. Because they are “education records,” they are excluded from HIPAA’s definition of PHI.
Examples
- K–12 school nurse files documenting vaccinations, medications administered at school, and care plans maintained as part of the student’s education record.
- University student health or counseling center records maintained for students and kept by the institution in a FERPA-covered record system.
Nuances to know
- At the postsecondary level, “treatment records” used only for treatment are not education records unless shared for non-treatment purposes; when shared beyond treatment, they become education records and remain under FERPA.
- If a clinic is independent of the school and treats non-students, those non-student records may be HIPAA PHI, while the student records remain FERPA records.
Employment Records Exclusion
Employment Records held by an employer are not PHI, even if they contain health information. HIPAA regulates Covered Entities in their healthcare role, not employers in their HR role.
Examples
- Doctor’s notes submitted to Human Resources for sick leave, FMLA certifications, workers’ compensation reports, or fitness-for-duty evaluations kept in the personnel file.
- Results of pre-employment drug screens or vaccination proofs collected for workplace compliance and stored by the employer.
Key distinctions
- If a hospital (a Covered Entity) treats an individual, those clinical records are PHI. But once similar information is maintained by the hospital’s HR department about its employee, it is an employment record, not PHI.
- Other laws—such as the ADA, FMLA, and state Employment Records Privacy requirements—may still govern how employers store and share employee health information.
Health Information of Deceased Individuals
HIPAA protects a decedent’s PHI for a limited period after death. After that period ends, the information is no longer PHI under HIPAA and is outside the Privacy Rule.
Practical implications
- For a set number of years after death, disclosures generally require authorization or must fit a Privacy Rule Exception (for example, disclosures to coroners, medical examiners, or funeral directors for their duties).
- Beyond that period, records may be used for historical or genealogical purposes without HIPAA restrictions, though professional ethics or state laws can still apply.
Non-Covered Entities and Their Data
HIPAA applies to Covered Entities—health plans, most healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses—and to their Business Associates that process PHI for them. Many organizations that handle health-related data are not in these categories, so their data falls outside HIPAA.
Common non-covered entities
- Direct-to-consumer wellness and fitness apps, wearable device providers, and nutrition or meditation platforms that collect health metrics but do not act for a Covered Entity.
- Employers in their role as employers, life insurers, schools covered by FERPA, and many technology companies or data brokers handling consumer health-related data.
What this means for you
- Data you enter into a consumer app may not be PHI, so HIPAA may not limit how it is used or shared. Your rights will often come from the app’s privacy policy and other privacy laws, not HIPAA.
- If a consumer service contracts with a Covered Entity as a Business Associate, the data it handles for that entity is PHI; the same service may also collect non-PHI directly from you for its own purposes.
Conclusion
HIPAA focuses on PHI held by Covered Entities and their Business Associates. De-Identified Data, FERPA education records, employer-held Employment Records, certain post-mortem information, and data controlled by non-covered entities usually fall outside HIPAA. Knowing these Privacy Rule Exceptions helps you decide what protections apply and what policies or laws you should look to next.
FAQs
What types of information are excluded from HIPAA protection?
Information that is not PHI or not held by a Covered Entity/Business Associate is outside HIPAA. Common examples include properly de-identified datasets, FERPA-covered student records, employer-held Employment Records, certain data about deceased individuals beyond HIPAA’s protection period, and consumer health data collected by non-covered entities.
How does HIPAA treat education and employment records?
Education records maintained by schools are governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. Employment Records kept by an employer—such as leave certifications or drug test results—are also excluded from HIPAA, even when they contain health information.
Is health data of deceased individuals protected by HIPAA?
Yes, but only for a limited period after death. During that time, disclosures generally require authorization or must fit a Privacy Rule Exception. After the protection period ends, HIPAA no longer applies, though other laws or ethical rules may still influence use and disclosure.
Who are considered non-covered entities under HIPAA?
Non-covered entities are organizations that are not health plans, healthcare clearinghouses, or qualifying healthcare providers conducting standard electronic transactions—nor Business Associates of those entities. Examples include many consumer health apps, wearable device makers, life insurers, employers acting as employers, and schools covered by FERPA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.