When HIPAA Applies (and When It Doesn’t): Covered Entities, PHI, and Everyday Scenarios

Kevin Henry

HIPAA

February 05, 2026


HIPAA Applicability Criteria

To understand when HIPAA applies, focus on two essentials: who is handling the data and what kind of data it is. HIPAA governs how specific organizations use, disclose, and safeguard protected health information under the HIPAA Privacy Rule and the HIPAA Security Rule.

The two-part test

  • The information is PHI: it can identify a person and relates to health, care provided, or payment for care.
  • The actor is a covered entity or a business associate acting on its behalf.

If either element is missing, HIPAA generally does not apply.

When the criteria are met

  • A physician e-prescribes medications and bills insurers electronically. The physician is a covered entity and must follow PHI Handling Standards.
  • A cloud vendor stores a clinic’s electronic medical records. The vendor is a business associate and must sign and follow Business Associate Agreements.
  • A health plan processes enrollment files and claims. The plan is a covered entity and must meet the Privacy and Security Rules.

Everyday scenarios, made clear

  • Appointment reminders, telehealth sessions, and patient portals used by your provider are subject to HIPAA.
  • Notes you keep on your phone or data from a consumer fitness tracker you use on your own are usually outside HIPAA unless a covered entity or business associate is involved.

Covered Entities Overview

Covered entities are the core organizations regulated by HIPAA. If you work for or with one of these, HIPAA likely applies to your handling of PHI.

Three types of covered entities

  • Health care providers that transmit health information electronically in standard transactions (for example, claims, eligibility checks, referrals).
  • Health plans, including insurers, HMOs, and employer-sponsored group health plans.
  • Health care clearinghouses that convert nonstandard health data to standard formats and vice versa.

Covered Entity Designation and hybrids

Organizations that perform both covered and non-covered functions can use Covered Entity Designation to become a “hybrid entity,” isolating their health care component. This limits HIPAA’s scope to the designated component while allowing appropriate sharing for treatment, payment, and operations.

Organized arrangements

Affiliated covered entities and organized health care arrangements can coordinate operations and share PHI for joint activities, still following the minimum necessary standard and other PHI Handling Standards.

Business Associates Responsibilities

Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity. Common examples include billing services, EHR hosting providers, IT support, e-fax and email relays, analytics firms, and certain consultants and attorneys.

Core obligations

  • Execute Business Associate Agreements that define permitted uses/disclosures, safeguard requirements, breach reporting, and subcontractor flow-downs.
  • Implement administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule, including risk analysis, access controls, and incident response.
  • Limit uses and disclosures to the minimum necessary under the HIPAA Privacy Rule and honor restrictions in the agreement.
  • Report security incidents and potential breaches to the covered entity within required timeframes and cooperate with investigations.

Subcontractors and liability

Subcontractors that handle PHI for a business associate are themselves business associates. They must sign downstream agreements and meet the same standards, creating an end-to-end chain of protection.

Protected Health Information Definition

Protected Health Information (PHI) is individually identifiable health information created or received by a covered entity or business associate that relates to a person’s health status, health care, or payment for care. PHI can exist in any form—paper, verbal, or electronic (ePHI).

Common identifiers that make data PHI

  • Names, addresses, and full-face photos
  • Dates related to an individual (for example, birthdate, admission/discharge dates)
  • Phone numbers, email addresses, and IP addresses
  • Medical record numbers and health plan beneficiary numbers
  • Device identifiers, biometric identifiers, and vehicle IDs
  • Account numbers, certificate/license numbers, and Social Security numbers

What is not PHI?

  • De-identified data, stripped of the specified identifiers under the Safe Harbor method or shown by expert determination to carry only a very small risk of re-identification. Once properly de-identified, it is no longer PHI.
  • Employment records held by a covered entity in its role as employer, and student education records covered by FERPA (explained below). Both are excluded from the definition of PHI.

Note that a limited data set is not an exemption: it is still PHI. It has direct identifiers (such as names, addresses, and record numbers) removed but may keep dates and some geographic data, and it can only be used or disclosed under a data use agreement for research, public health, or health care operations.

Handling expectations

When you handle PHI, you must apply PHI Handling Standards—access controls, role-based use, secure transmission/storage, auditing, and timely responses to rights requests—consistent with the Privacy and Security Rules.

Entities Exempt from HIPAA

Many organizations interact with health-related information without falling under HIPAA. Understanding who is exempt helps you set the right expectations and choose appropriate safeguards under other laws.

  • Employers in their general capacity (HR files, workplace injury logs), though their group health plans are covered entities.
  • Life insurers, auto and home insurers paying medical claims, and workers’ compensation carriers (different statutes govern these).
  • Schools and universities when FERPA applies to the records in question.
  • Law enforcement agencies and many state or local agencies that do not provide health care services.
  • Consumer health apps, wearables, and personal health record tools not acting for a covered entity or business associate.

Everyday non-HIPAA examples

  • Your smartwatch logs heart rate for personal use—no covered entity or business associate is involved, so HIPAA doesn’t apply.
  • You tell a friend about a diagnosis—HIPAA regulates organizations, not personal conversations.

Exceptions to HIPAA Coverage

HIPAA includes specific allowances and carve-outs that either place information outside its scope or permit certain disclosures without patient authorization.

Permitted uses and disclosures without authorization

  • Treatment, payment, and health care operations (for example, care coordination, billing, quality improvement).
  • Certain public interest and legal activities (for example, mandatory reporting, health oversight, judicial or law enforcement processes) as permitted by the Privacy Rule.

Incidental disclosures

Incidental disclosures that occur despite reasonable safeguards—such as a name overheard at a check-in desk—are permitted when you already follow minimum necessary and other protections.

De-identified information

Once data is properly de-identified, it is no longer PHI and HIPAA no longer applies to its use or disclosure. However, re-identification controls and governance remain best practice.
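The identifier list above and the Safe Harbor method named here and in the PHI section describe what must be removed, but the rule also requires generalizing what remains: dates other than the year are reduced to the year, ages over 89 are aggregated into a single 90-or-older category (including the year of birth), and ZIP codes are cut to their first three digits, with the handful of three-digit prefixes that cover 20,000 or fewer people replaced by 000. The script below is an added example written for this article, not code from the original page or from Accountable; the field names, the sample record, and the hardcoded low-population ZIP prefix list (the one published in HHS de-identification guidance, which is based on older census data and should be re-checked before use) are assumptions for illustration. It goes slightly beyond the page's list by applying those date, age, and ZIP rules, and by flagging free-text fields that still contain phone numbers, SSNs, e-mail or IP addresses rather than releasing them.

```python
"""Safe Harbor de-identification helper (added example; not the page's code).

Drops direct identifiers, reduces dates to the year, aggregates ages >= 90,
truncates ZIPs to three digits (000 for low-population prefixes), and flags
free-text fields that still carry identifiers for human review.
"""
import re
from datetime import date, datetime

# Field names are assumed for this example; real records differ.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes with <= 20,000 residents listed in HHS Safe Harbor
# guidance; they must be changed to 000. Re-verify against current data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790",
    "821", "823", "830", "831", "878", "879", "884", "890", "893",
}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Identifiers that tend to hide inside free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits of a US ZIP, or 000 for restricted prefixes."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None  # unusable value: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Reduce a date (ISO string or date object) to its year; else None."""
    if isinstance(value, (date, datetime)):
        return str(value.year)
    if isinstance(value, str) and ISO_DATE.match(value):
        return value[:4]
    return None


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90+ category."""
    age = int(age)
    return "90+" if age >= 90 else age


def scan_free_text(text):
    """Return the identifier types found in a free-text value."""
    return sorted(n for n, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


def safe_harbor(record):
    """Return (de-identified copy of record, fields withheld for review)."""
    out, review = {}, []
    for field, value in record.items():
        key = field.lower()
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif generalize_date(value) is not None:
            out[key] = generalize_date(value)
        elif isinstance(value, str) and scan_free_text(value):
            review.append(field)  # withhold; a human must redact it
        else:
            out[key] = value
    if out.get("age") == "90+":
        for key in ("dob", "birth_date"):
            out.pop(key, None)  # even the birth year would reveal age >= 90
    return out, review


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "dob": "1931-04-02",
    "age": 94,
    "zip": "03601",
    "admission_date": date(2025, 2, 14),
    "diagnosis": "I10",
    "note": "Patient callback number 555-123-4567.",
}

if __name__ == "__main__":
    cleaned, flagged = safe_harbor(SAMPLE)
    print(cleaned)
    print("needs review:", flagged)
```

Running it on the constructed record yields only `age`, `zip`, `admission_date`, and `diagnosis`, with the note withheld for review. The free-text scan is a safety net, not a substitute for the rule's final criterion that the entity has no actual knowledge the remaining data could identify the individual; that judgment, and the expert-determination alternative, stay with a human.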

HIPAA Enforcement Exceptions

During emergencies or unique circumstances, regulators may announce limited enforcement discretion—temporary HIPAA Enforcement Exceptions—to prioritize access to care or technology. These do not rewrite the rules; they adjust how they are enforced for a defined period and scope.

Employer and Educational Records Exclusions

HIPAA draws clear lines around employment and student records to avoid overlap with other privacy regimes and to keep responsibilities well-defined.

Employment records held by covered entities

  • HR files, FMLA/leave paperwork, and drug screening results maintained by the employer are not PHI.
  • If a clinic (a covered entity) creates results for clinical purposes, those results are PHI in the clinic’s system; once placed in the employer’s HR record, they are employment records and outside HIPAA.

Group health plans versus employers

  • An employer-sponsored group health plan is a covered entity; the employer itself is not.
  • Sharing PHI from the plan to the employer is tightly restricted and typically requires plan document amendments, firewalls, and need-to-know limits.

Schools, clinics, and FERPA Compliance

  • Student education records—and most student treatment records at schools—are governed by FERPA, not HIPAA.
  • A school that runs a clinic and bills insurers electronically can be a covered entity and must meet HIPAA's transaction standards; even then, records that qualify as FERPA education records are excluded from the definition of PHI and stay under FERPA. Coordinate FERPA Compliance and HIPAA obligations carefully to avoid improper disclosures.

Wellness programs and apps

  • If a wellness program is part of the group health plan, HIPAA applies to its PHI.
  • If it is a stand-alone program run by a non-HIPAA vendor and not on behalf of the plan, HIPAA generally does not apply—though other privacy laws may.

Key takeaways

  • HIPAA applies when PHI is handled by a covered entity or its business associate; otherwise, it likely does not.
  • Privacy and Security Rules set the baseline; Business Associate Agreements extend those protections along the vendor chain.
  • Employment and student education records sit outside HIPAA, primarily under employment law and FERPA, respectively.

FAQs.

When does HIPAA apply to healthcare providers?

HIPAA applies when a provider conducts standard electronic transactions (such as claims or eligibility checks) and creates, receives, maintains, or transmits PHI. In that role, the provider must follow the HIPAA Privacy Rule, HIPAA Security Rule for ePHI, and related PHI Handling Standards across their practice and systems.

When are business associates subject to HIPAA?

Vendors become business associates when they handle PHI for or on behalf of a covered entity. They must sign Business Associate Agreements, implement Security Rule safeguards, limit uses/disclosures under the Privacy Rule, and report incidents or breaches to the covered entity as required.

What types of information are protected under HIPAA?

Protected Health Information includes any identifiable data about health status, health care provided, or payment for care that a covered entity or business associate creates or receives, in any form. Names, contact details, medical record numbers, device IDs, and similar identifiers tied to clinical or billing details are common PHI elements.

When does HIPAA not apply to employers or educational institutions?

HIPAA does not cover employment records an employer maintains in its HR files, and it generally does not cover student education records, which fall under FERPA. A school-run clinic that bills electronically can be a covered entity, but records that qualify as FERPA education records remain excluded from PHI, and an employer's group health plan is a covered entity distinct from the employer itself.
