Who Does HIPAA Not Cover? Non-Covered Entities and Common Misconceptions

Kevin Henry

HIPAA

January 28, 2025

7 minute read
Non-Covered Entities

HIPAA protects health data held by “covered entities” (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction, such as claims or eligibility checks) and by their business associates. If an organization is acting in none of those roles with respect to a given set of data, HIPAA generally does not apply to how it collects, uses, or secures that data.

Examples you’ll commonly encounter

  • Employers acting as employers (e.g., handling sick notes, ADA accommodations, drug testing records).
  • Life, disability, and long‑term care insurers; auto and workers’ compensation carriers.
  • Schools and universities when student records are governed by FERPA, not HIPAA.
  • Health and wellness apps, wearable device makers, fertility trackers, and consumer genetic or genealogy services that do not act on behalf of a covered entity.
  • Personal health record providers, data brokers, search engines, social media, and consumer health websites collecting self‑reported data.
  • Gyms, fitness studios, nutrition programs, and retail marketplaces.
  • Law enforcement, courts, and many government agencies outside a covered health care role.

Important edge cases

Some organizations have both covered and non‑covered lines of business. For example, an insurer may offer group health plans (covered) and life insurance (not covered). A pharmacy inside a retail store is covered for pharmacy operations but not for general retail data.

When these distinctions matter for you, ask whether the organization is acting as a covered entity or as a business associate for the data at issue. The answer determines whether HIPAA applies.

Business Associates

Vendors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity are “business associates,” and their own subcontractors that handle the PHI are business associates too. They must sign a Business Associate Agreement (BAA) and are directly liable for complying with the HIPAA Security Rule, the Breach Notification Rule, and the Privacy Rule provisions that apply to them for that data.

Typical business associates

  • Cloud hosting and backup providers, email and secure messaging vendors, and IT managed services.
  • Billing companies, practice management and EHR platforms, e‑prescribing gateways, and health information exchanges.
  • Third‑party administrators (TPAs) and analytics, transcription, and call‑center providers that need access to PHI to perform their services.

What the Business Associate Agreement should cover

  • Permitted uses/disclosures of PHI and the “minimum necessary” standard.
  • Administrative, physical, and technical safeguards, including encryption and access controls.
  • Subcontractor flow‑down obligations and right to audit or obtain assurances.
  • Incident response and timely breach notification to the covered entity (without unreasonable delay, and in no case later than 60 days after discovery), plus return or destruction of PHI at contract end.

Note that a company can be a business associate for one client’s PHI and a non‑covered entity for other consumer data it collects directly. HIPAA follows the data and role, not the brand.

Health Information Protections

Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. PHI includes common identifiers (such as name, address, and dates) when linked to health, treatment, or payment details, and ePHI is PHI in electronic form.

Inside HIPAA

  • Use and disclosure limits for treatment, payment, and health care operations, plus patient authorizations where required.
  • Access, amendment, and accounting rights for individuals.
  • De‑identification options (expert determination or safe harbor) and limited data sets with data use agreements.
  • Security Rule safeguards and breach assessment duties, including individual and regulator notice when required.

Outside HIPAA

When data falls outside HIPAA, other laws may still protect it. The FTC’s Health Breach Notification Rule covers many personal health record vendors and health apps that are not covered entities or business associates, and the FTC separately enforces Section 5 of the FTC Act against unfair or deceptive health data practices.

  • State consumer privacy laws (such as those covering sensitive health data) and sectoral laws may add consent, transparency, or opt‑out requirements.
  • State data breach statutes impose Data Breach Notification obligations for many non‑HIPAA entities.
  • Other federal laws can apply in context (e.g., FERPA for student records, GLBA for financial institutions, 42 CFR Part 2 for substance use disorder records handled by certain programs).

Practical takeaways

  • If you are a consumer, check who collects your data, whether they are a covered entity or business associate, and how they use, share, and secure it.
  • If you are an organization, map your data flows, determine HIPAA scope, and apply “privacy by design” for non‑HIPAA health data aligned with FTC guidance and state law.

Hybrid Entities

Some covered entities perform both covered and non‑covered activities. A hybrid entity designation lets such an organization formally identify the health care components that perform covered functions (plus any component that would be a business associate if it were a separate entity) and subject those parts, and only those parts, to HIPAA.

How hybrid status works

  • Identify the covered functions (those that make the organization a health plan, provider, or clearinghouse) and designate the corresponding components in writing.
  • Create firewalls so workforce members in non‑covered components do not access PHI unless permitted.
  • Assign privacy and security officials, train the workforce, manage business associates, and document the designation.

Common examples include universities with medical centers, municipal agencies that run clinics, and insurers with both health plan and non‑health lines. The designation helps you prevent PHI from flowing into non‑covered business units.

Common Misconceptions

  • “HIPAA covers all health information.” False. It protects PHI held by covered entities and business associates, not all consumer health data collected by apps, websites, or devices.
  • “HIPAA prevents talking to family or caregivers.” Not necessarily. HIPAA allows disclosures in many care‑related situations and with patient permission.
  • “My employer can’t ask for a doctor’s note because of HIPAA.” HIPAA generally does not regulate employers acting as employers, though other laws may apply.
  • “Providers can’t report to public health.” HIPAA expressly permits required public health reporting.
  • “I can sue under HIPAA.” HIPAA does not create a private right of action. It is enforced by the HHS Office for Civil Rights (and by state attorneys general under HITECH); the FTC’s authority over non‑covered entities comes from the FTC Act and the Health Breach Notification Rule, not from HIPAA. State privacy and consumer protection laws may offer individuals their own remedies.
  • “Any health app must follow HIPAA.” Only if the app is a business associate or otherwise operates within HIPAA; otherwise, the Health Breach Notification Rule and consumer protection laws may apply.
  • “De‑identified data is always risk‑free.” Re‑identification is possible if de‑identification is incomplete or data sets are combined; use recognized methods and contracts.
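The safe harbor bullet under “Inside HIPAA” and the re‑identification caveat above are the two points on this page that translate into something you can actually run. The following is an added illustration written for this article, not code from Accountable or from HHS: it applies safe‑harbor style generalization (drop direct identifiers, keep only the year of dates, reduce ZIP codes to their three‑digit prefix, collapse ages over 89 into “90+”) to a few constructed records, then measures k‑anonymity over the remaining quasi‑identifiers. The identifier keys, the sample records, and the assumption that the restricted three‑digit ZIP list is current for your data are all inventions of the example; the safe harbor method also requires that you have no actual knowledge the remaining data could identify someone, which no code can check for you.

```python
"""Safe-harbor style de-identification plus a k-anonymity check.

Added example for illustration; not code from the article's author or
from HHS. Records below are constructed, not real patients.
"""
from __future__ import annotations

from collections import Counter
from datetime import date

# Direct identifiers that the safe harbor method removes outright. This is a
# subset of the 18 identifier categories, keyed by the field names that our
# constructed records happen to use (assumption: your schema names differ).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "device_serial", "ip_address",
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer,
# per the HHS safe harbor guidance (based on 2000 census data). These must
# become "000". Assumption: this list is still appropriate for your data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is on the restricted list."""
    prefix = zip_code.strip()[:3]
    if not prefix.isdigit() or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def generalize_age(age: int) -> str:
    """Safe harbor aggregates all ages over 89 into a single '90+' bucket."""
    return "90+" if age > 89 else str(age)


def generalize_date(d: date) -> str:
    """All date elements except the year are removed."""
    return str(d.year)


def safe_harbor(record: dict) -> dict:
    """Return a de-identified copy of one record."""
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, date):
            out[key] = generalize_date(value)
        else:
            out[key] = value
    return out


def k_anonymity(records: list[dict], quasi_identifiers: tuple[str, ...]) -> int:
    """Smallest group size sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on those columns, so a
    linkage attack (joining against voter rolls, an app export, or another
    'de-identified' set) can single that person out even though every
    direct identifier is gone.
    """
    groups = Counter(
        tuple(str(r.get(q)) for q in quasi_identifiers) for r in records
    )
    return min(groups.values()) if groups else 0


# Constructed sample input (not real people).
SAMPLE_RECORDS = [
    {"name": "A. Example", "mrn": "MRN-0001", "zip": "02138", "age": 34,
     "sex": "F", "admit_date": date(2024, 3, 15), "diagnosis": "J45.20"},
    {"name": "B. Example", "mrn": "MRN-0002", "zip": "02139", "age": 93,
     "sex": "M", "admit_date": date(2024, 1, 2), "diagnosis": "I10"},
    {"name": "C. Example", "mrn": "MRN-0003", "zip": "02138", "age": 34,
     "sex": "F", "admit_date": date(2023, 11, 30), "diagnosis": "E11.9"},
    {"name": "D. Example", "mrn": "MRN-0004", "zip": "03601", "age": 50,
     "sex": "M", "admit_date": date(2024, 6, 8), "diagnosis": "M54.5"},
]


def deidentify_sample() -> list[dict]:
    """Apply safe_harbor to every sample record."""
    return [safe_harbor(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    cleaned = deidentify_sample()
    for row in cleaned:
        print(row)
    # Even after safe harbor, zip3 + age + sex makes two of four rows unique.
    print("k over (zip3, age, sex):", k_anonymity(cleaned, ("zip3", "age", "sex")))
    print("k over (sex,):", k_anonymity(cleaned, ("sex",)))
```

Run it and the output shows the point of the misconception: every name and MRN is gone, yet the k value over (zip3, age, sex) is 1, so an attacker holding another dataset with those three columns can still pick out individual rows. Treat a low k as a signal to generalize further or to release only a limited data set under a data use agreement.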

Conclusion

HIPAA’s scope is narrower than many people assume. It covers specific entities and roles, while large volumes of consumer health data sit outside HIPAA but remain subject to the FTC’s Health Breach Notification Rule, state privacy laws, and FTC enforcement under the FTC Act. Knowing who holds your data, and in what role, tells you which rules protect it.

FAQs

Who is exempt from HIPAA regulations?

Entities that are not covered entities or business associates are generally outside HIPAA. Examples include employers acting as employers, life and disability insurers, many health apps and wearable makers not working for a covered entity, schools under FERPA, and consumer websites or platforms that collect self‑reported health information.

What protections apply to health data outside HIPAA?

Non‑HIPAA health data may be governed by the FTC’s Health Breach Notification Rule, the FTC Act (enforced by the FTC against unfair or deceptive practices), state consumer privacy laws that treat health data as sensitive, and state data breach statutes that require breach notification. Sector‑specific laws like FERPA, GLBA, or 42 CFR Part 2 can also apply.

How do hybrid entities manage HIPAA compliance?

They use a hybrid entity designation to identify the components that perform covered functions, apply HIPAA to those components, and implement firewalls, training, and oversight to prevent PHI from flowing into non‑covered operations. They also manage Business Associate Agreements and document policies across the organization.

What are common misunderstandings about HIPAA coverage?

People often believe HIPAA covers all health data, bars communications with family, prevents employers from asking for medical documentation, or creates a right to sue. In reality, HIPAA applies to covered entities and business associates, allows many care‑related disclosures, does not regulate employers in that role, and is enforced by HHS, with non‑HIPAA entities overseen instead through the FTC’s Health Breach Notification Rule and FTC enforcement under the FTC Act.
