When PHRs Fall Under HIPAA: Covered Entity and Business Associate Scenarios

Kevin Henry

HIPAA

January 07, 2025

6 minutes read

PHRs Offered by Covered Entities

When a provider, health plan, or clearinghouse offers a personal health record (PHR) directly to its patients or members—such as a patient portal tied to an electronic health record—the PHR operates within the covered entity’s HIPAA obligations. All content in that PHR is protected health information (PHI), and the Privacy, Security, and Breach Notification Rules apply.

Under this scenario, you must maintain HIPAA compliance end to end: limit uses and disclosures, apply role-based access controls, encrypt data in transit and at rest, and promptly investigate any potential impermissible disclosure. Your Notice of Privacy Practices should accurately reflect the PHR’s features, data flows, and patient rights.

  • Indicators you are in this bucket: the PHR is branded by the provider or plan, registration is offered through the clinical relationship, and data feeds originate from the covered entity’s systems.
  • Key risks: third-party trackers, weak identity proofing, and inadequate audit logging that obscures access to PHI.

PHR Vendors as Business Associates

A vendor becomes a business associate when it creates, receives, maintains, or transmits PHI for or on behalf of a covered entity. If you host, support, analyze, integrate, or provide a PHR solution used by a provider or plan, you are functioning as a business associate: you must sign a BAA and comply with the HIPAA provisions that apply directly to business associates.

By contrast, a direct-to-consumer PHR that is not offered on behalf of a covered entity usually is not a business associate. In those cases, HIPAA may not apply, but the FTC’s health breach notification rule can. Always map data sources and contracts to confirm whether you are supporting a covered entity or operating independently.

  • Typical business associate activities: cloud hosting of the PHR, identity and access management, analytics, secure messaging, and API connectivity to EHRs.
  • Watchouts: assuming the conduit exception applies (see below) or relying solely on encryption to avoid business associate status.

Business Associate Agreements

A business associate agreement (BAA) documents how PHI will be used, disclosed, safeguarded, and returned or destroyed. It operationalizes HIPAA compliance between the covered entity and the PHR vendor and helps prevent impermissible disclosure by defining limits and controls.

Essential BAA provisions

  • Permitted uses and disclosures of PHI, including prohibitions on secondary use and sale.
  • Administrative, physical, and technical safeguards aligned to the Security Rule.
  • Incident and breach reporting obligations, including timelines and investigative cooperation.
  • Flow-down requirements so subcontractors sign BAAs and meet equivalent protections.
  • Access, amendment, and accounting support to enable the covered entity’s HIPAA duties.
  • Termination, data return or destruction, and ongoing confidentiality provisions.

Subcontractors of Business Associates

Any subcontractor that a PHR vendor engages to create, receive, maintain, or transmit PHI becomes a downstream business associate. These subcontractors are directly subject to HIPAA and carry subcontractor liability for compliance failures.

To manage risk, you should vet subcontractors for security maturity, sign BAAs that mirror your obligations, and continuously monitor their controls. Ensure least-privilege access, strong encryption, and clear breach escalation paths across the chain.

  • Practical steps: vendor due diligence, security questionnaires, audits, and documented remediation plans.
  • Common pitfalls: unmanaged shadow IT services and unclear data deletion procedures.

Conduit Exception

The conduit exception is a narrow carve‑out for entities that merely transmit PHI without accessing it other than on a transient basis, like postal services or basic telecommunications carriers. A conduit does not maintain PHI and does not need a BAA.

Most modern PHR infrastructure providers do not qualify. If a service stores PHI—even if encrypted—or can routinely access it, it is not a conduit and will be treated as a business associate. Do not rely on the conduit exception for cloud storage, content delivery networks that cache PHI, or platforms that provide user access management.

  • Good rule of thumb: persistent storage or routine access equals business associate, not conduit exception.

Direct Liability of Business Associates

Business associates are directly liable for complying with the HIPAA Security Rule and key Privacy Rule provisions. If your PHR vendor role results in an impermissible disclosure, failure to implement required safeguards, or a missed breach notification, regulators can pursue you directly—independently of the covered entity.

  • Examples of direct liability: unauthorized use or disclosure of PHI, lack of risk analysis and risk management, insufficient encryption or access controls, failure to execute BAAs with subcontractors, and not providing breach notices as required.
  • Governance actions: maintain policies, workforce training, sanction processes, and documented risk management.

FTC Health Breach Notification Rule

The FTC’s health breach notification rule applies to vendors of personal health records and PHR‑related entities that are not covered entities or business associates under HIPAA. It covers “PHR identifiable health information” and is triggered by a breach, including certain unauthorized sharing of health data with third parties.

If your PHR operates outside HIPAA, you may need to notify affected individuals and the FTC after a qualifying breach, and, when the breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets as well. Strong consent practices, data minimization, and careful management of analytics or advertising technologies reduce exposure.

  • Core practices: document data flows, obtain clear affirmative consent for disclosures, restrict third‑party tracking, and maintain incident response playbooks aligned to the health breach notification rule.
  • Coordination tip: if a PHR supports a covered entity, HIPAA breach rules apply; if it does not, evaluate the FTC rule.
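Both the "third-party trackers" risk listed for covered-entity portals and the "restrict third-party tracking" practice above come down to the same check: which hosts does a portal page actually make the browser talk to? The following is an added example, not code from the original article or from Accountable. It parses a constructed portal page with the standard library and reports every script, image, iframe, stylesheet, media or form target that resolves to a host outside an allowlist of first-party domains. All hostnames, the base URL and the sample page are hypothetical.

```python
"""Audit a patient-portal page for resources loaded from hosts outside the
covered entity's own domains (hypothetical example, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser issue a request (or, for forms,
# send data) to whatever host the value resolves to.
LOADING_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "form": ("action",),
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every loading attribute in the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name in LOADING_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if value:
                # urljoin resolves relative paths and protocol-relative
                # "//host/..." values against the page's own URL.
                self.resources.append((tag, urljoin(self.base_url, value.strip())))


def host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one.
    Suffix matching is anchored on a dot so 'example.org.evil.test' fails."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_third_party_loads(html, base_url, first_party_hosts):
    """Return (tag, url, host) for every resource fetched from a host outside
    first_party_hosts. data:/javascript: URLs and same-page links are skipped."""
    allowed = [h.lower() for h in first_party_hosts]
    collector = _ResourceCollector(base_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme in ("data", "javascript", "") or not parts.netloc:
            continue
        host = parts.hostname or ""
        if not host_matches(host, allowed):
            findings.append((tag, url, host))
    return findings


# Constructed sample: hypothetical hosts under the reserved .example TLD.
BASE_URL = "https://portal.example-health.org/records"
FIRST_PARTY_HOSTS = ["example-health.org"]  # covers portal.example-health.org too

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/portal.css">
<link rel="stylesheet" href="https://fonts.cdn-vendor.example/css?family=Inter">
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
</head><body>
<img src="//px.adnetwork.example/collect?e=visit" width="1" height="1">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<iframe src="https://chat.support-widget.example/embed"></iframe>
<form action="/messages/send" method="post"></form>
<a href="#top">Back to top</a>
</body></html>"""


if __name__ == "__main__":
    for tag, url, host in find_third_party_loads(SAMPLE_HTML, BASE_URL, FIRST_PARTY_HOSTS):
        print(f"third-party {tag:<6} {host:<32} {url}")
```

Run it against real rendered HTML (after JavaScript has executed, since tag managers inject pixels at runtime) and treat every finding as a disclosure to evaluate: for a covered-entity portal, each such host either needs a BAA or must be removed; for a direct-to-consumer PHR, each is a potential unauthorized disclosure under the FTC rule. The same allowlist is the natural input for a Content-Security-Policy that blocks anything not on it.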

Conclusion

Whether a PHR falls under HIPAA depends on who offers the service and how PHI flows. PHRs run by or for covered entities are governed by HIPAA, requiring BAAs and robust safeguards; independent PHRs generally are not, but the FTC's health breach notification rule fills the gap. Classify your role, contract appropriately, and build security controls that prevent impermissible disclosure across all parties, including subcontractors.

FAQs

When is a PHR considered a covered entity under HIPAA?

A PHR itself is not a covered entity. However, when a PHR is offered by a provider, health plan, or clearinghouse, it becomes part of that covered entity's operations and all PHI within it is subject to HIPAA; when a vendor offers the PHR on the covered entity's behalf, the same PHI is still protected and the vendor is a business associate.

What defines a business associate in the context of PHRs?

A business associate is any organization that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity. For PHRs, this commonly includes hosting providers, platform developers, analytics or messaging services, and integration partners supporting the covered entity’s PHR.

How do business associate agreements protect PHI?

A business associate agreement sets boundaries on PHI use and disclosure, mandates administrative, physical, and technical safeguards, requires prompt reporting of incidents and breaches, flows obligations to subcontractors, and defines termination and data return or destruction—reducing the risk of impermissible disclosure.

Are subcontractors under HIPAA compliance requirements?

Yes. Subcontractors that handle PHI for a business associate become downstream business associates. They must sign BAAs, implement HIPAA‑aligned safeguards, and are subject to subcontractor liability for failures to protect PHI or report breaches.

What is the conduit exception under HIPAA?

The conduit exception covers entities that only transmit PHI on a transient basis without storing or routinely accessing it (for example, basic telecom carriers). Services that persistently store PHI or can access it—such as most cloud platforms supporting PHRs—do not qualify and are treated as business associates.
