What the HIPAA Privacy Rule Specifically Excludes: Compliance Guide
Employment Records Exclusion
The HIPAA Privacy Rule excludes employment records held by a covered entity in its role as an employer. That means documents maintained for hiring, placement, discipline, benefits eligibility, fitness-for-duty, or leave administration are not Protected Health Information (PHI), even when they contain medical details.
Typical non-PHI employment records include pre-employment and return-to-work exams, drug and alcohol test results, ADA accommodation documents, FMLA certifications, vaccination compliance for workplace safety, and workers’ compensation claim files kept by Human Resources. When an employee receives personal medical care as a patient of the organization’s clinic or hospital, those treatment records are PHI; the same individual’s HR file is not.
- Maintain strict separation between HR systems and the clinical systems that hold the designated record set.
- Limit access to employment files and avoid storing them in EHRs used for patient care.
- Clarify vendor roles: a payroll or occupational testing vendor handling employment records is not a Business Associate for that work; a vendor supporting clinical operations is.
Education Records Protection
Education records and student treatment records protected by the Family Educational Rights and Privacy Act (FERPA) are specifically excluded from HIPAA. In K–12 settings and most colleges that receive U.S. Department of Education funding, a school nurse’s or counseling center’s student files are FERPA records, not PHI.
Campus health centers often serve both students and non-students. Student records fall under FERPA; records for faculty, staff, or the public may be HIPAA PHI if the clinic is a covered component. Your compliance posture depends on who the patient is and which law applies.
- Use FERPA-consistent consent processes for sharing student information, not HIPAA authorizations.
- Train staff to route requests correctly when the same clinic handles both FERPA and HIPAA records.
De-identified Data Use
Information is not PHI once it meets HIPAA’s de-identification standard. There are two methods. (1) Safe Harbor: remove 18 categories of identifiers (for example names, geographic subdivisions smaller than a state other than, subject to a population-size condition, the first three digits of a ZIP code, all elements of dates except the year, telephone and fax numbers, email addresses, account and medical record numbers, full-face photographs, biometric identifiers, and any other unique identifying number or code), aggregate all ages over 89 into a single “90 or older” category, and have no actual knowledge that the remaining information could identify the individual. (2) Expert Determination: a qualified statistician or other expert applies accepted methods and documents the conclusion that the risk of re-identification is very small.
De-identified data may be used, disclosed, or commercialized without HIPAA restrictions. A limited data set (with certain identifiers removed but not all) is still PHI and requires a Data Use Agreement. De-identification must be reproducible, documented, and governed to prevent re-identification.
- Keep re-identification keys separate and access-controlled.
- Record methodology and residual risk decisions for audit readiness.
- Avoid combining de-identified data with other datasets that could raise re-identification risk.
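The Safe Harbor transformations and the separate re-identification key described above, as an added worked example in Python (not code from the original page or from Accountable). The sample records, field names and the `[NAME]`/`[PHONE]`/`[EMAIL]` placeholder tokens are constructed for illustration; the ZIP3 list is the set HHS guidance identifies as covering 20,000 or fewer people and should be verified against the current list before production use. The example takes an allowlist approach: only fields that have been affirmatively transformed reach the output, and the linkage table that maps random codes back to medical record numbers is returned separately so it can be stored under different access controls.

```python
"""Safe Harbor de-identification of constructed sample records (added example).

Allowlist approach: only fields we have affirmatively transformed reach the
de-identified output; every other source field is dropped by default.
"""
import re
import secrets
from datetime import date

# Constructed sample records for illustration; no real patients.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Jane Q. Example", "dob": "1931-04-17", "zip": "02139",
     "email": "jane@example.org", "phone": "617-555-0100", "admit": "2023-11-05",
     "dx": "I10", "note": "Pt Jane Q. Example seen 11/05/2023, call 617-555-0100."},
    {"mrn": "MRN-0002", "name": "Sam Sample", "dob": "1988-09-30", "zip": "03601",
     "email": "sam@example.net", "phone": "(603) 555-0199", "admit": "2024-02-29",
     "dx": "E11.9", "note": "Follow-up 03/14/2024."},
]

# ZIP3 prefixes that HHS Safe Harbor guidance lists as covering <= 20,000 people;
# these must be replaced with 000. Verify against the current HHS list before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Heuristic patterns for direct identifiers in free text. Placeholder tokens are
# our own convention, not something the Privacy Rule prescribes.
PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),  # keep the year only
]


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless that ZIP3 is on the restricted list."""
    z3 = zip_code.strip()[:3]
    if len(z3) != 3 or not z3.isdigit() or z3 in RESTRICTED_ZIP3:
        return "000"
    return z3


def safe_harbor_age(dob_iso: str, as_of_iso: str) -> str:
    """Age in whole years, aggregated to '90+' once the individual is 90 or older."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text: str, name: str) -> str:
    """Remove the known patient name and pattern-matched identifiers from a note.
    Regex scrubbing is a first pass only; free text still needs human review."""
    out = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    for pattern, repl in PATTERNS:
        out = pattern.sub(repl, out)
    return out


def de_identify(record: dict, as_of_iso: str) -> dict:
    """Build the Safe Harbor view of one record. Fields not listed here are dropped."""
    age = safe_harbor_age(record["dob"], as_of_iso)
    return {
        "age": age,
        # A birth year is normally allowed, but for 90+ any date element that would
        # reveal the age must go too, so it is suppressed.
        "birth_year": None if age == "90+" else record["dob"][:4],
        "zip3": safe_harbor_zip(record["zip"]),
        "admit_year": record["admit"][:4],
        "dx": record["dx"],
        "note": scrub_free_text(record["note"], record["name"]),
    }


def de_identify_dataset(records: list, as_of_iso: str) -> tuple:
    """Return (de-identified rows, linkage table).

    Each row carries a random re-identification code that is not derived from any
    identifier. The linkage table maps code -> MRN and must be stored separately
    under its own access controls; it never ships with the de-identified rows.
    """
    deid_rows, linkage = [], {}
    for rec in records:
        code = secrets.token_hex(8)
        row = de_identify(rec, as_of_iso)
        row["code"] = code
        deid_rows.append(row)
        linkage[code] = rec["mrn"]
    return deid_rows, linkage


if __name__ == "__main__":
    rows, linkage = de_identify_dataset(SAMPLE_RECORDS, "2024-06-01")
    for row in rows:
        print(row)
    print("linkage table (store separately):", linkage)
```

Two design points are worth noting. The output dictionary is built from an explicit allowlist, so a new identifier-bearing column added to the source schema cannot leak by omission. The re-identification code is drawn from `secrets` rather than hashed from the MRN, so it cannot be reversed or recomputed without the linkage table, which is the artifact the access controls in the bullets above need to protect.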
Personal Health Records Exemption
Personal Health Records (PHRs) and consumer health apps are generally outside HIPAA when offered directly to individuals by companies that are not covered entities or their Business Associates. The same data may become PHI if the app provides services on behalf of a provider or health plan under a Business Associate Agreement.
As a rule, who you are and why you hold the data matters. If you hold data to perform a covered function (treatment, payment, or health care operations) on behalf of a covered entity, it is PHI. If you collect information directly from consumers for their own use, HIPAA typically does not apply, though other legal requirements may, such as the FTC Health Breach Notification Rule for PHR vendors and state consumer protection and breach notification laws.
- Determine your role for each feature—consumer-facing vs. covered-entity–sponsored—and segregate datasets accordingly.
- Use clear privacy notices and obtain separate consents for optional data sharing.
- Execute BAAs when integrating with provider EHRs or plan systems.
Wearable Device Data
Data generated by wearable fitness trackers, smartwatches, and direct-to-consumer health apps is usually not PHI because it is not created or received by a covered entity or Business Associate. When a hospital, physician group, or group health plan furnishes a device and collects the data for care management or plan operations, that same data may be PHI.
Employer wellness programs are a key boundary case. If a wellness program is part of a group health plan, HIPAA applies; if it is employer-sponsored outside the plan, HIPAA does not, though other laws (for example, anti-discrimination and consumer protection) still govern. Disclosures from a wearable vendor to a provider or plan can convert the shared data into PHI upon receipt.
- Map data flows to identify when wearable data enters a covered workflow.
- Apply minimum necessary access when importing device data into clinical or plan systems.
- Explain to users when data will be shared with covered entities and for what purposes.
Life Insurer Boundaries
Life insurers are not HIPAA covered entities and generally do not create or receive PHI for covered functions. They may obtain medical information from providers with a valid HIPAA authorization signed by the individual, or where a state law requires the disclosure.
Providers should not release PHI to a life insurer without the individual’s authorization unless a law requires it. Health plans (insurers that pay for health care) are covered entities; life, disability, and many supplemental lines are not.
- Verify authorizations include a description of information, purpose, expiration, and the right to revoke.
- Disclose only the minimum necessary information to satisfy the request.
- Log non-routine disclosures for accountability.
Workers' Compensation Information
Workers’ compensation programs operate under a specific exception: covered entities may disclose PHI without authorization as necessary to comply with workers’ compensation laws or similar programs that provide benefits for work-related injuries or illness. This facilitates benefit determinations and payment without requiring the injured worker’s authorization for each disclosure.
Minimum necessary still applies unless a law requires a specific disclosure. Typically, disclosures flow to employers’ carriers, state agencies, claims administrators, or independent medical examiners for claim adjudication.
- Release only the data the statute or request legitimately requires.
- Distinguish between claim-related occupational health records and unrelated treatment records.
- Document the legal basis for each disclosure and retain supporting paperwork.
International Data Sharing
HIPAA does not restrict cross-border transfers of PHI; it requires that the Privacy, Security, and Breach Notification Rules be met regardless of location. A foreign vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate and must sign a BAA and implement appropriate safeguards.
When sharing internationally, apply defense-in-depth controls and assess non-U.S. privacy regimes that may also apply to the recipient. Where multiple frameworks overlap, meet the most stringent practical requirement while preserving HIPAA’s core standards.
- Execute BAAs with overseas processors and verify security controls contractually.
- Encrypt PHI in transit and at rest; monitor access and data residency constraints.
- Update your risk analysis and incident response plans to include foreign processors.
Law Enforcement Disclosures
The Privacy Rule permits—but does not mandate—certain disclosures to law enforcement without authorization. Examples include responding to court orders, warrants, or subpoenas; reporting specific injuries required by law; providing limited information to identify or locate a suspect, fugitive, witness, or missing person; or reporting crimes on the premises or in medical emergencies.
Only the information necessary for the permitted purpose may be disclosed. If a request does not meet HIPAA’s conditions or rest on another legal basis for disclosure, seek patient authorization or consult counsel before releasing PHI.
- Authenticate the requester’s identity and legal authority before disclosure.
- Disclose the minimum necessary and avoid sharing clinical notes unless required.
- Record the legal basis, scope, and date of each law enforcement disclosure.
Summary
In practice, the HIPAA Privacy Rule specifically excludes employment records and FERPA-governed education records from PHI, treats de-identified data as outside HIPAA, and draws bright lines around consumer PHRs and wearable data unless a covered entity or Business Associate is involved. It also carves out targeted pathways for workers’ compensation, international processing under BAAs, and limited law enforcement disclosures. Map roles, purposes, and data flows to decide when HIPAA applies, then tailor safeguards to that determination.
FAQs
What types of employment records are excluded from HIPAA?
Records an employer keeps for workforce management—such as pre-employment or fitness-for-duty exams, drug test results, accommodation and leave documentation, injury logs, and workers’ compensation claim files—are employment records, not PHI. If the same person receives personal medical care as a patient, those clinical records are PHI and must be kept separate.
How does FERPA protect education records differently from HIPAA?
FERPA gives parents and eligible students rights to access and control disclosure of education records, including student health and counseling files at FERPA-covered schools. Those records are excluded from HIPAA. HIPAA applies to PHI held by covered entities (like hospitals and health plans) for covered functions; FERPA governs student records in the educational setting.
When is health information considered de-identified under HIPAA?
Information is de-identified when it either meets the Safe Harbor method by removing 18 identifier categories (including detailed dates and direct identifiers) or an expert determines, using accepted techniques, that the risk of re-identification is very small. Properly de-identified data is not PHI and can be used or disclosed without HIPAA restrictions.
Is wearable fitness tracker data protected by HIPAA?
Generally no. Data collected directly by a consumer wearable or fitness app is outside HIPAA unless a covered entity or its Business Associate provides the device and collects the data for care, payment, or health care operations. Once wearable data flows into a provider’s or health plan’s systems for covered purposes, it is PHI within those systems.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.