What the HIPAA Privacy Rule Doesn’t Apply To: Non‑Covered Entities, Apps, and Employers
HIPAA Privacy Rule Applicability
The HIPAA Privacy Rule protects Protected Health Information when it is created or held by Covered Entities—health plans (including a Group Health Plan), most healthcare providers that transmit data electronically, and healthcare clearinghouses—and by their Business Associates. HIPAA focuses on who has the data and for what purpose, not merely on whether the data is “health related.”
Information is PHI only when it is linked to a Covered Entity context. The same heart-rate reading can be PHI inside a hospital portal yet fall outside HIPAA when you record it in a consumer app you chose independently. De‑identified data and employment records maintained by an employer are also outside HIPAA.
When HIPAA applies
- You receive care from a provider and the provider stores or shares your PHI.
- Your Group Health Plan processes enrollment, claims, or appeals.
- A vendor handles PHI for a Covered Entity under a Business Associate Agreement.
When HIPAA doesn’t apply
- You enter data into a stand‑alone consumer app or wearable unrelated to your provider or plan.
- Your employer keeps workplace medical notes or accommodation records as Employer Health Records.
- An organization is neither a Covered Entity nor a Business Associate.
Non-Covered Entities
Many organizations that handle health‑related information are not Covered Entities. Examples include most consumer fitness or nutrition apps, wearable device makers, life insurers, gyms, many genetic or wellness testing services, and advertising or data analytics firms. Without a Business Associate role and BAA, their handling of your data generally falls outside HIPAA.
These entities may still be regulated by other laws and policies. Their promises to you are typically found in privacy notices and terms of service. Breach and transparency obligations can also arise under the FTC Health Breach Notification Rule and general consumer protection laws, as well as state privacy laws described later.
Health Apps and HIPAA
Most health apps you download for personal use are not subject to HIPAA because they collect data directly from you, not on behalf of a Covered Entity. If the app is offered by, branded with, or contracted by your provider or health plan—and the developer signs a BAA—then the data it handles for that Covered Entity is PHI and HIPAA applies.
How to tell if HIPAA covers an app
- Relationship: Is the app provided by your clinic or Group Health Plan, or contracted to serve them? That points to HIPAA.
- Agreement: Does the vendor state it will sign a Business Associate Agreement with providers or plans? That signals a Business Associate role.
- Source of data: Data you type directly into a consumer app, without a provider/plan relationship, is usually outside HIPAA.
Even when HIPAA doesn’t apply, you’re not unprotected. The FTC Health Breach Notification Rule can cover “personal health records” and their service providers, requiring notice if unsecured, identifiable health information is breached. Review app privacy settings, data‑sharing practices, and deletion options before connecting devices or importing medical records.
Employer-Sponsored Wellness Programs
HIPAA may or may not apply to wellness programs. If a wellness program is part of your employer’s Group Health Plan—such as a plan‑sponsored biometric screening—HIPAA typically applies, and participating vendors should operate under Business Associate Agreements. In that case, your rights under HIPAA (like access and restrictions) apply to PHI collected for the plan.
When a wellness program is offered by the employer outside the health plan—think step challenges or third‑party coaching apps paid as a workplace perk—HIPAA generally does not apply. However, other laws may govern, including the Americans with Disabilities Act for confidentiality of disability‑related inquiries and exams, and sometimes the FTC Health Breach Notification Rule if a vendor maintains a personal health record.
Practical tips
- Ask whether the wellness program is part of the Group Health Plan and whether vendors sign BAAs.
- If it’s outside the plan, treat it like any consumer app: check what data is collected, how it’s shared, and how to opt out or delete it.
Employer Health Information
HIPAA does not cover employment records held by an employer, even when those records include medical information. Employer Health Records such as doctor’s notes for sick leave, workers’ compensation files, drug test results, and ADA accommodation documents are not PHI because the employer is not acting as a Covered Entity in this context.
Still, those records are not a free‑for‑all. The Americans with Disabilities Act requires that medical information obtained by the employer be kept confidential and stored separately, and shared only on a need‑to‑know basis. If your employer also sponsors a Group Health Plan, plan PHI must be segregated from general HR files, with strict access limits and no use for employment decisions.
Employee pointers
- Send claims or medical details directly to the health plan or insurer, not general HR inboxes.
- When authorizing disclosures, limit scope and duration to the specific need.
- Confirm that supervisors receive only functional work restrictions, not diagnoses.
Business Associate Agreements
A Business Associate Agreement is the contract that allows a vendor to create, receive, maintain, or transmit PHI for a Covered Entity. BAAs require privacy and security safeguards, define permitted uses and disclosures, and set breach‑notification duties. Without a BAA, the vendor is not a Business Associate and HIPAA generally doesn’t apply to its consumer‑facing services.
Common Business Associates include cloud hosting for electronic health records, claims processors, secure messaging providers, and analytics firms serving plans or providers. By contrast, a stand‑alone fitness or fertility app you choose yourself is usually not a Business Associate, even if it handles sensitive data, unless it has a contract with your provider or plan.
What to look for
- Vendors that openly state they will sign BAAs for healthcare clients are signaling HIPAA obligations.
- If an app will not sign a BAA and collects data directly from you, rely on its privacy policy and applicable consumer laws, not HIPAA.
State Privacy Laws
HIPAA is a federal floor. States can and do provide stronger protections for certain health data categories, especially outside HIPAA’s scope. Comprehensive state privacy laws and specialized health‑privacy statutes may grant rights to access, delete, or restrict use of consumer health data and may limit targeted advertising, sales, or geofencing around sensitive locations.
Many states treat areas like mental health, substance use disorder, HIV status, and reproductive or sexual health as especially sensitive, often imposing stricter consent and disclosure rules. State data‑breach laws also require notification when certain personal information is compromised. When HIPAA doesn’t apply, these state rules and the FTC Health Breach Notification Rule often fill the gap.
Key takeaways
- HIPAA protects PHI held by Covered Entities and their Business Associates, not all health‑related data everywhere.
- Consumer apps, employers, and many wellness programs often fall outside HIPAA, though other laws may apply.
- Ask who collects your data, for whom, and under what agreement; that determines whether HIPAA applies.
- Use your rights under state privacy laws and app controls to manage health data outside HIPAA.
This overview is general information to help you navigate boundaries; for a specific situation, consult counsel or your plan’s privacy office.
FAQs
Which entities are exempt from the HIPAA Privacy Rule?
Entities that are not Covered Entities and not acting as Business Associates are generally outside HIPAA. Common examples include most consumer health and fitness apps, wearable device makers, life insurers, employers managing Employer Health Records, and advertising or analytics firms. Schools are typically governed by FERPA rather than HIPAA, and many wellness vendors fall outside HIPAA unless they serve a Group Health Plan under a Business Associate Agreement.
How does HIPAA apply to health apps?
HIPAA applies to an app only when it handles Protected Health Information for a Covered Entity under a Business Associate Agreement—such as a hospital‑provided portal app or a plan‑sponsored tool. If you choose a stand‑alone app and share data directly with it, the app is usually outside HIPAA. In that case, your protections come from the app’s privacy policy, state privacy laws, and the FTC Health Breach Notification Rule.
What protections exist for employer-held health information?
Employment records are not PHI, so HIPAA does not apply to Employer Health Records held by your employer. However, the Americans with Disabilities Act requires confidentiality for medical information obtained through disability‑related inquiries or exams, and such records must be stored separately with limited access. If your employer sponsors a Group Health Plan, plan PHI must be walled off from HR records and used only for plan administration.
How do state privacy laws affect health data outside HIPAA?
State privacy laws can give you rights to access, delete, or restrict use of consumer health data, and can limit targeted advertising or data sales involving sensitive health information. Many states also impose stricter rules for areas like mental health, reproductive health, HIV status, and substance use. When HIPAA doesn’t apply, these state protections—along with the FTC Health Breach Notification Rule—often govern how your health data is handled.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.