What Records Are Not Protected by HIPAA? Examples and Exceptions You Should Know
HIPAA protects Protected Health Information (PHI) held by Covered Entities and their Business Associates. PHI means individually identifiable health information created or received by a health plan, provider, or clearinghouse. Not all health-related data falls under this rule, and knowing the boundaries helps you share and safeguard information wisely.
This guide explains what records are not protected by HIPAA, why they are outside the rule, and how adjacent laws—like the Family Educational Rights and Privacy Act (FERPA)—and HIPAA’s De-Identification Standards affect your data.
FERPA-Covered Education Records
Education records maintained by a school or school district are governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. This includes student health information kept by a school nurse or clinic when the records are part of the student’s education record or FERPA “treatment records.”
- Examples: immunization records submitted to the school, student health screenings, sports physical forms, and counseling records maintained by the school for student care.
- When HIPAA may apply: if a university hospital or clinic treats non-students and bills electronically, those records are typically HIPAA-covered rather than FERPA-covered.
Key point: if the data is an education record or FERPA treatment record, HIPAA does not apply—even when the content describes health conditions.
Employment Records and Health Information
Employment records held by an employer, even if the employer is also a health care provider, are not PHI under HIPAA. The rule excludes information an employer keeps in its role as an employer rather than a provider or health plan.
- Not HIPAA-protected: workplace injury logs, drug test results held by HR, fitness-for-duty exams sent to the employer, COVID-19 screening logs, FMLA certifications, ADA accommodation paperwork, and pre-employment or return-to-work evaluations maintained in personnel files.
- Still HIPAA-protected elsewhere: the medical record your treating provider keeps about the same visit remains PHI in the provider’s system, even if a summary was sent to your employer.
- Workers’ compensation: records held by Workers' Compensation Carriers or employers for claims administration are generally outside HIPAA, though providers may disclose limited PHI as permitted by law.
Deceased Individuals' Records
HIPAA protects a decedent’s PHI for 50 years after the date of death. During that period, authorized persons—such as the personal representative of the estate—may exercise rights over the information.
After 50 years, the data is no longer PHI under HIPAA. Archives, historians, and others may access it without HIPAA restrictions, though professional ethics, donor agreements, or state laws may still apply.
Non-Covered Entities and HIPAA
HIPAA only applies to Covered Entities (health plans, most health care providers that transmit standard electronic transactions, and health care clearinghouses) and their Business Associates. Many organizations that handle health-related data are not covered by HIPAA.
- Common non-covered entities: employers, life or disability insurers, Workers' Compensation Carriers, law enforcement, many schools (for education records), gyms, wellness programs not run by a health plan, and most consumer apps and websites.
- Business associate twist: a vendor that handles PHI on behalf of a Covered Entity becomes a Business Associate for that function and is subject to HIPAA—yet data the same company collects directly from you for its own purposes may be outside HIPAA.
Always consider who holds the data and for what purpose. The same lab result can be PHI in a provider’s chart but not PHI when summarized in an employer’s personnel file.
De-Identified Health Information
Data that meets HIPAA’s De-Identification Standards is not PHI and is not protected by HIPAA. De-identification can be achieved by either the Safe Harbor method (removing specific identifiers such as names, detailed geography, full-face photos, and most date elements) or an Expert Determination that the risk of re-identification is very small.
- Safe Harbor: removal of 18 types of identifiers from the data set so individuals cannot reasonably be identified.
- Expert Determination: a qualified expert uses statistical or scientific principles to minimize re-identification risk and documents the process.
- Limited Data Set: a partially de-identified form that may include certain dates and geography; it remains PHI and requires a data use agreement.
Even when HIPAA no longer applies, responsible stewards still assess re-identification risks, especially with rare conditions or small populations.
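As an added example (not code from the original article), the Python below applies the Safe Harbor generalizations this section describes to a constructed patient record: direct identifiers are dropped, ZIP codes are truncated to three digits, dates are reduced to the year, and ages of 90 and over are aggregated into one bucket. The field names, the restricted ZIP prefix set, and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import date

# Categories of direct identifiers removed outright (a subset of the 18 Safe Harbor types).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn", "mrn", "address", "ip_address"}

# Constructed placeholder: 3-digit ZIP prefixes covering 20,000 or fewer people collapse to "000".
RESTRICTED_ZIP3 = {"036", "059", "102"}

def safe_harbor_zip(zip_code):
    """Keep only the first three ZIP digits, or '000' for a sparsely populated prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_age(birth_date, as_of):
    """Age in whole years; everyone 90 or older is aggregated into one '90+' bucket."""
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - before_birthday
    return "90+" if age >= 90 else age

def de_identify(record, as_of):
    """Return a Safe Harbor de-identified copy of one patient record (a dict)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # drop direct identifiers entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            age = safe_harbor_age(value, as_of)
            out["age"] = age
            if age != "90+":                          # birth year is only safe below age 90
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year           # other dates keep the year only
        else:
            out[key] = value                          # clinical content is not an identifier
    return out

# Constructed sample records; the clinical fields are illustrative, not real data.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORD = {"name": "Jane Doe", "mrn": "MRN-00012345", "ssn": "123-45-6789",
                 "email": "jane@example.com", "dob": date(1930, 3, 14), "zip": "02139-4307",
                 "admit_date": date(2023, 11, 2), "diagnosis": "Type 2 diabetes", "sex": "F"}
SECOND_RECORD = {"name": "John Roe", "dob": date(1985, 7, 20), "zip": "03601",
                 "discharge_date": date(2023, 6, 30), "diagnosis": "Asthma"}
```

Safe Harbor also requires that the holder has no actual knowledge that the remaining fields could identify the individual, which no field-level transform can establish for you; the re-identification review mentioned above still applies to rare conditions and small populations.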
Personal Health Records and Devices
Personal Health Records (PHRs), fitness trackers, smartwatches, and many health apps often fall outside HIPAA because they are offered directly to you, not on behalf of a Covered Entity. Data you enter or that a device collects for your personal use is typically not PHI.
- Usually outside HIPAA: direct-to-consumer PHRs, symptom trackers, menstrual cycle or fertility apps, nutrition and sleep apps, and most wearable device dashboards.
- When HIPAA may apply: if your provider or health plan offers the app or device and integrates it with your medical record, the data they receive and maintain may be PHI.
Practical tip: check whether the tool is provided by your provider/health plan (more likely HIPAA-covered) or sold directly to consumers (usually not). Review privacy settings and data-sharing practices carefully.
Health Information on Social Media
HIPAA does not protect information you voluntarily post on social media. If you share your diagnosis, lab results, or hospital wristband online, those posts are not PHI under HIPAA—even though they reveal health details.
- Covered Entities must not disclose PHI on social media without valid authorization, and they cannot confirm a patient’s status in comments or replies.
- Your direct messages to a clinic’s public account may not be secure; once the provider brings the message into their official system, it becomes PHI there, but your platform-side copy remains outside HIPAA.
Bottom line: HIPAA follows PHI in the hands of Covered Entities and Business Associates. If the information is FERPA-covered, kept as an employer record, held by a non-covered entity, properly de-identified, older than 50 years post-death, or self-disclosed on social media, it generally falls outside HIPAA.
FAQs
What types of records are excluded from HIPAA protection?
Records outside HIPAA include FERPA-covered education and treatment records, employment records held by an employer, health information maintained by non-covered entities (such as many apps, employers, life and disability insurers, and Workers' Compensation Carriers), properly de-identified data, and records of individuals deceased for more than 50 years.
Are employer-maintained health records subject to HIPAA?
No. Health information an employer keeps in personnel or benefits files—like FMLA forms, drug test results, return-to-work notes, and accommodation paperwork—is not PHI under HIPAA. The same information may still be PHI in your provider’s medical record.
How does HIPAA treat de-identified health information?
Data that meets HIPAA’s De-Identification Standards—either through Safe Harbor removal of specified identifiers or via Expert Determination that re-identification risk is very small—is not PHI and is not regulated by HIPAA. A Limited Data Set is only partially de-identified and remains PHI subject to a data use agreement.
What happens to medical records after an individual has been deceased for over 50 years?
After 50 years from the date of death, a decedent’s health information is no longer PHI under HIPAA. Access may still be influenced by archival policies, ethical commitments, or state law, but HIPAA’s privacy protections no longer apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.