Understanding where HIPAA rules do not apply is just as important as knowing when they do. While HIPAA sets strict standards for protecting health information, there are clear limits to its reach. Many people assume every piece of health-related data is protected, but in reality, HIPAA exemptions and scenarios outside HIPAA scope are more common than you might think.
HIPAA’s protections are designed for specific types of organizations and information. Non-covered entities under HIPAA, certain categories of records, and properly de-identified data (often called de-identified PHI, even though it stops being PHI once de-identified) all fall outside these protections. That means not every situation involving health information is regulated by HIPAA, and knowing these exceptions helps you safeguard your privacy, including in contexts such as HIPAA compliance & photography rules.
In this article, we’ll cover the main HIPAA applicability limits and clarify what HIPAA does not cover. We’ll walk through real-world scenarios like educational records, employment files, and disclosures made by organizations that aren’t considered “covered entities” under HIPAA. Our goal is to make these boundaries clear, so you know exactly when and where HIPAA rules do not apply, including how administrative safeguards in HIPAA relate to these exceptions. For a broader perspective on compliance frameworks, see What Is GRC and Why Does It Matter?. For more on compliance pitfalls, review the most common HIPAA violations and how to avoid them. Organizations seeking to demonstrate their commitment to HIPAA best practices may consider the HIPAA Seal Of Compliance.
De-identified Health Information
De-identified Health Information is a key concept when it comes to understanding HIPAA applicability limits. While HIPAA strictly regulates protected health information (PHI), it draws a clear line once health data has been stripped of the identifiers that tie it to a person. The result is commonly called de-identified PHI, although strictly speaking the data is no longer PHI at all once the de-identification standard has been met.
The Privacy Rule (45 CFR 164.514) recognizes two ways to de-identify data. The Safe Harbor method removes a fixed list of 18 identifiers: names; geographic units smaller than a state (street address, city, county, ZIP code, except the first three ZIP digits where that three-digit area holds more than 20,000 people); all date elements except year, plus any age over 89; telephone and fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and license plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic or code. The Expert Determination method instead has a qualified expert document that the risk of re-identifying an individual from the remaining data is very small. Once information is de-identified by either method, it no longer falls under HIPAA’s protections, opening up a range of scenarios outside HIPAA scope.
- De-identified data is not reasonably traceable to a specific person. This means it can be used for research, public health studies, and other purposes without triggering HIPAA’s use and disclosure rules.
- HIPAA exemptions apply because the data is no longer considered PHI. Organizations can share or analyze this information freely, provided the de-identification standard was actually met and the covered entity has no actual knowledge that the remaining data could identify an individual. A re-identification code may be kept only if it is not derived from information about the individual and the re-identification mechanism is not disclosed.
- Non-covered entities also benefit, since they can receive or use de-identified data without becoming subject to HIPAA regulations.
It's important to remember that simply removing a name isn’t enough. Under Safe Harbor, all 18 identifiers must go, including partial ones such as the last two digits of a ZIP code or the month and day of an admission date, and the rule applies to identifiers wherever they appear, including inside free-text clinical notes. Under Expert Determination, a documented statistical analysis must show that the re-identification risk is very small. For those interested in the consequences of non-compliance, understanding the penalties of HIPAA violations is crucial.
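As an added example (not part of the original article), here is a small Python implementation of the Safe Harbor rules applied to one patient record: direct identifiers are dropped, ZIP codes are cut to three digits with low-population prefixes set to 000, dates are reduced to years, ages over 89 are aggregated to 90+, and free-text notes are scrubbed for identifier patterns and then re-checked, which is the step most ad-hoc de-identification scripts skip. The field names, the sample record and the free-text patterns are this example’s own constructions, not a standard schema; the restricted ZIP prefix list is the one in HHS guidance based on 2000 Census data and is an assumption that should be verified against current data before use.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in the
# 2000 Census, per HHS Safe Harbor guidance. Assumption: verify this list
# against current Census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers that Safe Harbor removes outright. Field names are this
# example's own schema, not a standard.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Identifier patterns that commonly leak into free text. Constructed for this
# example; a production scrubber needs a much broader ruleset.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def safe_harbor_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    zip3 = digits[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def age_in_years(birth_iso, as_of_iso):
    """Whole years between two ISO dates (YYYY-MM-DD)."""
    born, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def scrub_free_text(text):
    """Replace identifier patterns in notes with labelled placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def residual_identifiers(text):
    """Labels of identifier patterns still present; must be empty after scrubbing."""
    return sorted(label for label, p in FREE_TEXT_PATTERNS.items() if p.search(text))


def de_identify(record, as_of_iso):
    """Apply the Safe Harbor rules to one record and return the de-identified copy."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or value is None:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            age = age_in_years(value, as_of_iso)
            if age > 89:
                out["age"] = "90+"      # aggregate; a birth year would reveal the age, so drop it
            else:
                out["age"] = str(age)
                out["birth_year"] = value[:4]
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value[:4]
        elif key == "notes":
            out["notes"] = scrub_free_text(value)
        else:
            out[key] = value
    # Safe Harbor also requires no actual knowledge that what remains could identify
    # the person; a scrubber that still finds identifiers fails that test.
    leaks = residual_identifiers(out.get("notes", ""))
    if leaks:
        raise ValueError(f"residual identifiers in notes: {leaks}")
    return out


# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "12 Sample Street",
    "city": "Exampleville",
    "zip": "03601",                      # prefix 036 is restricted -> "000"
    "birth_date": "1930-05-14",
    "admission_date": "2024-02-03",
    "discharge_date": "2024-02-09",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099812",
    "diagnosis_code": "I10",
    "notes": "Chest pain on arrival. Callback 555-123-4567, SSN 123-45-6789 on file. Seen 2/3/2024.",
}


def run_example():
    """De-identify the sample record as of its admission date."""
    return de_identify(SAMPLE_RECORD, "2024-02-03")


if __name__ == "__main__":
    for field, value in run_example().items():
        print(f"{field}: {value}")
```

Running it on the sample record leaves only a diagnosis code, a 000 ZIP prefix, an age bucket of 90+, admission and discharge years, and a scrubbed note. The re-check at the end is deliberate: regex scrubbing of free text is the weakest step, and a pipeline that cannot prove the note is clean should refuse to emit the record rather than release it under the Safe Harbor label.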
In summary, de-identified health information is one of the most significant HIPAA exemptions. If you’re working with, managing, or sharing health data, understanding what HIPAA does not cover—like de-identified PHI—helps you navigate compliance confidently and make informed decisions about data use.
Certain Educational Records (FERPA)
Certain educational records are a classic example of information that falls under HIPAA exemptions—meaning HIPAA rules simply do not apply. Many people are surprised to learn that health information maintained by schools and educational institutions is usually not protected by HIPAA at all. Instead, these records are covered by a different federal law: the Family Educational Rights and Privacy Act (FERPA).
Under FERPA, schools that receive funding from the U.S. Department of Education must protect the privacy of student education records—which can include health information kept by school nurses, psychologists, or counselors. This creates a clear distinction in the world of privacy regulations:
- HIPAA applicability limits: HIPAA does not apply to student health records held by schools or school employees if the records are considered part of the student’s education record under FERPA.
- Scenarios outside HIPAA scope: If a student receives care at a campus health clinic that serves only students, those records are "treatment records" under FERPA, and HIPAA’s definition of PHI expressly excludes both FERPA education records and these treatment records. FERPA, not HIPAA, sets the rules for them.
- What HIPAA does not cover: Immunization records, health screenings, counseling notes, and other information maintained as part of the educational process are all managed under FERPA, not HIPAA.
Schools are usually non-covered entities under HIPAA, and even a school that does qualify as a covered healthcare provider keeps its student health records under FERPA, because the PHI definition carves them out. The key takeaway is that this exemption exists specifically to prevent two federal privacy regimes from applying to the same record. If privacy protection is needed for school health records, it’s FERPA, not HIPAA, that sets the rules. If you’re dealing with de-identified PHI or healthcare information outside a medical provider’s office, be sure to check which law applies. Understanding these boundaries helps us make smarter choices about privacy and know our rights in every setting.
Some Employment Records
When it comes to workplace health information, it's easy to assume that HIPAA always applies. However, many employment records are not protected by HIPAA—even when they contain health details. This is one of the most common scenarios outside HIPAA scope that often surprises people.
Why? HIPAA only covers health information held by specific organizations: healthcare providers, health plans, healthcare clearinghouses, and their business associates. Most employers are non-covered entities under HIPAA, so the health data they collect for employment purposes falls under different rules. The carve-out goes further than that: HIPAA’s definition of PHI explicitly excludes employment records that a covered entity holds in its role as an employer, so even a hospital’s own HR file on a nurse is not PHI.
- Doctor’s notes for sick leave submitted to your HR department are usually part of your personnel file, not your medical record at a hospital or clinic. These are employment records and are not protected by HIPAA.
- Results from workplace drug testing or physical exams required for a job are also considered employment records, not protected health information (PHI) under HIPAA.
- Any health information gathered for benefits administration (like FMLA or workers’ comp) may be regulated by other laws, but HIPAA does not cover it unless it is managed by a HIPAA-covered entity for treatment, payment, or healthcare operations.
Instead, these records may be protected by other federal or state employment laws, such as the Americans with Disabilities Act (ADA), which requires employee medical information to be kept in separate, confidential files, or the Family and Medical Leave Act (FMLA), but not by HIPAA. This illustrates clear HIPAA applicability limits and helps us understand what HIPAA does not cover.
For privacy at work, it’s smart to know which laws apply to your records. When in doubt, ask your employer about their privacy policies and how your health information is handled outside the healthcare setting.
Information Not Held by Covered Entities
Many people are surprised to learn that HIPAA exemptions extend to a wide range of health-related data simply because it is not held by organizations defined as “covered entities” under the law. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. But if your health information is managed by a business or app that doesn’t fit these categories, HIPAA does not apply.
Let’s look at some common scenarios outside HIPAA scope that highlight these limitations:
- Fitness and Wellness Apps: Information you enter into fitness trackers, calorie counters, or health-monitoring apps is not protected by HIPAA if the company is not a covered entity and is not acting as a business associate of one (an app your health plan provides on its behalf is the exception). These companies may collect sensitive health data, but they are bound by consumer protection law and the FTC’s Health Breach Notification Rule rather than by HIPAA’s privacy and security rules.
- Employers: Workplace wellness programs run directly by an employer, and your employer’s records about sick leave or disability, are held by a non-covered entity, so HIPAA does not apply to them in most cases. A wellness program offered through the company’s group health plan is different: the plan is a covered entity and its records are PHI.
- Life, Auto, or Home Insurers: While health plans are covered by HIPAA, other types of insurance companies are not. If you share health information with a life insurer, it’s not protected under HIPAA, even if the insurer obtained it from your doctor with your authorization.
- Schools and Educational Institutions: Student health records maintained by schools are generally protected by FERPA, not HIPAA, so HIPAA’s rules do not apply.
- De-identified PHI: Once health information is stripped of all identifiers that could link it to an individual, it becomes de-identified PHI. HIPAA does not regulate the use or disclosure of this de-identified information, expanding the HIPAA applicability limits.
What HIPAA does not cover comes down to who holds the information and how it is managed. If your health data is outside the hands of covered entities or their business associates, or if it’s been stripped of identifying details, it likely falls outside HIPAA’s protection. Understanding these boundaries empowers us to make informed decisions about where and how we share our health information in the digital age.
Disclosures by Non-Covered Entities
Disclosures by Non-Covered Entities are a major area where HIPAA protections do not apply, and understanding this helps us navigate the boundaries of privacy in healthcare data. While HIPAA governs how covered entities like healthcare providers and insurers handle protected health information (PHI), it does not extend its rules to everyone who might possess or share health-related data.
Non-covered entities under HIPAA include organizations and individuals that fall outside the law’s official definition of healthcare providers, health plans, or healthcare clearinghouses. For example, life insurance companies, employers, schools, fitness trackers, mobile app developers, and certain research organizations are usually not bound by HIPAA’s requirements. If you share health details with these groups, your information might not be protected in the same way as it is with your doctor or hospital.
Here are some common scenarios outside HIPAA scope where disclosures by non-covered entities are not governed by HIPAA:
- Employment records: Health information in your workplace HR files, such as doctor’s notes for sick leave, is not protected by HIPAA.
- Wellness and fitness apps: Data you enter into calorie counters, step trackers, or symptom checkers may not have HIPAA protections because these companies are typically non-covered entities.
- Educational institutions: Student health records maintained by schools fall under other privacy laws, not HIPAA.
- Life and disability insurers: These insurers can receive and disclose health information outside HIPAA’s reach, as they’re not considered covered entities.
- De-identified PHI: When health data is stripped of all identifiers that could link it to an individual, it becomes de-identified PHI and is no longer subject to HIPAA protections, regardless of who discloses it.
It’s important to know that just because a company deals with health-related information doesn’t mean it must follow HIPAA. This is one of the HIPAA applicability limits that often surprises people. In these HIPAA exemptions, the standards for privacy and security can be very different—or even nonexistent.
Whenever you’re asked to share health information with organizations outside the traditional healthcare system, take a moment to ask how your data will be used and protected. HIPAA does not cover every disclosure, so understanding these boundaries empowers us to make more informed choices about our privacy.
Specific Law Enforcement Cases
One of the most misunderstood scenarios involves law enforcement activities. While HIPAA places significant restrictions on how protected health information (PHI) is handled, the Privacy Rule also spells out situations in which covered entities may hand PHI to law enforcement without the patient’s authorization.
Here's what’s crucial to understand: these are not cases where HIPAA stops applying. They are permitted disclosures written into the rule itself (45 CFR 164.512(f)), which allow, and in a few cases require, a covered entity to share PHI without patient authorization. They include:
- Responding to Court Orders, Warrants, or Subpoenas: A court order, a court-ordered warrant, or a subpoena or summons issued by a judicial officer or grand jury permits disclosure of the PHI the order specifies, and no more. An administrative request such as an administrative subpoena is sufficient only if the information sought is relevant and material to a legitimate inquiry, the request is specific and limited in scope, and de-identified information could not reasonably be used instead.
- Identifying or Locating a Suspect, Fugitive, Material Witness, or Missing Person: In response to a law enforcement request, a covered entity may disclose only name and address, date and place of birth, Social Security number, ABO blood type and Rh factor, type of injury, date and time of treatment or death, and distinguishing physical characteristics. It may not disclose DNA, dental records, or the analysis of tissue or fluid samples, and never the full medical record, under this provision.
- Reporting Crime on Premises: If a crime occurs on the covered entity’s premises, it may disclose PHI that it believes in good faith constitutes evidence of that crime.
- Reporting Deaths: When a death is suspected to be the result of criminal conduct, healthcare providers may alert law enforcement officials.
- Emergency Circumstances: A provider giving emergency care away from its facility may report a crime, its location and victims, and the identity and whereabouts of the perpetrator. Separately, PHI may be disclosed when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
It’s important to note that in most of these cases the minimum necessary standard still applies, so the covered entity should release only the PHI needed to satisfy the request. The exception is a disclosure required by law, such as a court order, where the order itself defines the scope. This helps maintain a balance between public safety and individual privacy rights.
For readers, the takeaway is clear: HIPAA does not create an absolute barrier between your health information and law enforcement needs. Understanding these permitted disclosures helps you know why certain information may be shared in the context of legal investigations, and what limits still apply when it is.
HIPAA’s protections are designed for specific types of organizations and information. Non-covered entities under HIPAA—like many fitness apps, employers, and life insurers—often handle health-related data without being bound by HIPAA’s rules. This means your information in these settings may not have the same privacy safeguards you’d expect from a doctor’s office or hospital.
Additionally, de-identified PHI is not covered by HIPAA, since it cannot be traced back to an individual. Recognizing these HIPAA applicability limits helps us make smarter decisions about where and how we share our health information.
To protect your privacy, it pays to know what HIPAA does not cover and ask questions any time you’re asked for health-related details. By staying informed about these boundaries, we can all take a more active role in safeguarding our own information, even in scenarios where HIPAA doesn’t apply.
FAQs
Are there situations where HIPAA doesn't apply to health information?
Yes, there are situations where HIPAA doesn’t apply to health information. HIPAA only governs how covered entities—such as healthcare providers, health plans, and healthcare clearinghouses—and their business associates handle protected health information (PHI). If a person or organization doesn’t fall into these categories, they are considered non-covered entities and are not required to comply with HIPAA rules.
Another important HIPAA exemption involves de-identified PHI. Once health information has been de-identified under either the Safe Harbor method (removal of the 18 listed identifiers) or the Expert Determination method (a documented finding that re-identification risk is very small), it is no longer considered PHI and HIPAA does not apply. This allows health data to be used in research, analytics, or public health without violating privacy regulations.
There are also many scenarios outside HIPAA’s scope. For example, health information shared with employers, schools, or life insurers is typically not protected by HIPAA. HIPAA applicability limits mean that privacy protections do not extend to every instance where health information is collected or shared.
In summary, what HIPAA does not cover includes health data handled by non-covered entities, de-identified information, and certain contexts outside healthcare operations. It’s always wise to check who is handling your information and what protections apply.
Does HIPAA apply to schools?
No, HIPAA does not generally apply to schools. Most schools are considered non-covered entities under HIPAA because they do not provide healthcare services as part of their primary function, and they typically do not engage in electronic transactions covered by HIPAA. Instead, student health records maintained by schools are usually protected under the Family Educational Rights and Privacy Act (FERPA), not HIPAA.
HIPAA’s definition of PHI specifically excludes education records covered by FERPA, as well as the treatment records of students at postsecondary institutions. This means that most situations involving school health records, school nurses, and counselors fall outside HIPAA’s scope. Such records become PHI only if the school is operating as a HIPAA-covered healthcare provider that transmits health information electronically for standard transactions, and the records in question are not FERPA education or treatment records.
Additionally, de-identified PHI (information that cannot identify a student) is not protected by HIPAA either. In short, knowing the HIPAA applicability limits helps us understand what HIPAA does not cover—and school records are a prime example.
What about health information handled by employers?
Health information handled by employers often falls outside the direct scope of HIPAA, because an employer as such is not a covered entity. The picture changes when the employer sponsors a group health plan: the plan itself is a covered entity, so its records are PHI, and the employer as plan sponsor may receive that PHI only under the conditions set out in the plan documents and may not use it for employment decisions. An employer that also acts as a healthcare provider, health plan, or clearinghouse is covered in that role as well.
HIPAA exemptions mean that employee health records kept by an employer for work-related reasons, such as sick notes, disability accommodations, or results from workplace drug testing, are not protected by HIPAA. Instead, these records may be subject to other laws, like the Americans with Disabilities Act (ADA) or state privacy regulations, but not HIPAA’s privacy and security rules.
It's also important to remember that de-identified PHI—health information stripped of identifying details—can be used by employers outside HIPAA’s reach. So, HIPAA applicability limits leave many workplace health documents in scenarios outside HIPAA scope. What HIPAA does not cover includes most employer-maintained health information unrelated to group health plans.
When is information considered "de-identified"?
Information is considered "de-identified" under HIPAA when it has been stripped of the details that could reasonably identify an individual, either by removing all 18 Safe Harbor identifiers (names, addresses below the state level, Social Security numbers, full dates, ages over 89, and the rest of the list) or by an expert’s documented determination that the risk of re-identification is very small. The covered entity must also have no actual knowledge that what remains could identify the person.
De-identified PHI (Protected Health Information) falls outside the scope of HIPAA protections because it no longer poses a risk to patient privacy. As a result, organizations—whether or not they are covered entities—can use and share this data without the same restrictions.
This is one of the key HIPAA exemptions and highlights a scenario where HIPAA does not cover the use or disclosure of information. It's important for anyone handling health data to understand these HIPAA applicability limits and ensure the de-identification process meets strict standards to truly protect patient identities.