Who Is HIPAA‑Exempt? Entities and Information Not Covered by HIPAA



Kevin Henry

HIPAA

September 06, 2025

7 minutes read

HIPAA protects Protected Health Information (PHI) only when it is handled by Covered Entities and their Business Associates. Not every organization that touches health-related facts is regulated. This guide explains who and what is HIPAA‑exempt under the HIPAA Privacy Rule and HIPAA Security Rule, so you can tell when HIPAA truly applies.

Employers With Less Than 50 Employees

The phrase “less than 50 employees” is common shorthand, but it is not how HIPAA actually works. HIPAA regulates certain group health plans, not employers based on headcount. The critical threshold is participants in the plan, not employees in the company.

What this really means under HIPAA

  • Not a HIPAA health plan: A self‑administered employer group health plan with fewer than 50 participants (participants are typically employees and COBRA enrollees) is not a HIPAA “health plan.”
  • Covered by HIPAA: Any size group health plan that is administered by an insurance carrier or third‑party administrator, or a self‑administered plan with 50+ participants, is a Covered Entity. The insurer/TPA is also subject to HIPAA.
  • The employer itself: An employer, acting as an employer, is not a Covered Entity unless it separately operates as a healthcare provider or clearinghouse. When an employer receives PHI from its plan, it does so as a plan sponsor and must follow the plan‑sponsor rules for minimum necessary access and safeguards.

Remember that employment records (for example, FMLA or ADA documentation) are not PHI when held by the employer. HIPAA’s Privacy Rule and Security Rule apply to the plan’s PHI/ePHI, not to the employer’s general HR files.

Life Insurance Carriers

Life insurance companies generally are not Covered Entities because they do not provide or pay for medical care; they underwrite life risk. Their own files are usually outside HIPAA.

They can, however, request medical information through your signed authorization. Covered Entities (like your doctor or health plan) may disclose PHI to a life insurer only with a valid authorization. Once disclosed, the life insurer’s use is governed by state insurance privacy laws and financial privacy rules—not the HIPAA Privacy Rule or Security Rule.

When a life insurer performs services for a Covered Entity (for example, administering a wellness initiative for a health plan), it becomes a Business Associate for that limited function and must safeguard any PHI it receives for that work.

Law Enforcement Agencies

Police departments, sheriffs’ offices, prosecutors, and correctional agencies are not Covered Entities. HIPAA primarily regulates healthcare providers, health plans, and healthcare clearinghouses.

Under the HIPAA Privacy Rule, Covered Entities may disclose PHI to law enforcement only in defined situations: for example, in response to a court order, warrant, or grand jury subpoena (or an administrative request that meets the Rule's conditions); to report certain injuries or crimes required by law; to help locate a suspect, fugitive, witness, or missing person (limited to a short list of identifying details); or to report a crime on the premises. These are targeted permissions, not blanket access, and each one carries its own conditions.

If a law enforcement agency operates a clinic or jail infirmary that transmits standard electronic transactions, that healthcare component can be a Covered Entity (often within a hybrid entity). Outside that role, investigative case files and evidence are not PHI, and the HIPAA Security Rule does not apply to those records.

Schools and School Districts

Most student health and immunization records maintained by a school or district are “education records” governed by FERPA, not HIPAA. That includes records kept by a school nurse who works for the school.

When a student receives care from an outside Covered Entity (such as a hospital or community clinic), those provider records are PHI under HIPAA. If copies are provided to the school and maintained there, they become FERPA records at the school.

At the postsecondary level, treatment records maintained by campus health services for students (records made by a health professional and used only for treatment) are excluded from FERPA's definition of education records, and they are also expressly excluded from PHI, so neither FERPA's disclosure rules nor HIPAA governs them while they are used only for treatment. If such records are disclosed for a purpose other than treatment, they become education records under FERPA; they do not become PHI.


De-Identified Health Information

Properly de‑identified data is not PHI and is outside the HIPAA Privacy Rule and HIPAA Security Rule. HIPAA's de‑identification standard accepts two methods:

Two accepted methods

  • Safe Harbor: Remove all 18 listed identifiers of the individual and of relatives, employers, and household members (for example, names, geographic subdivisions smaller than a state, all elements of dates except the year, ages over 89, phone numbers, email addresses, Social Security and medical record numbers, and the other listed elements), and have no actual knowledge that the remaining data could identify an individual.
  • Expert Determination: A qualified expert uses accepted statistical methods to determine that the risk of re‑identification is very small and documents the process.

Covered Entities may assign a unique code to re‑link records internally, provided the code is not derived from identifiers and is kept confidential. If data can reasonably be linked back to a person, it is not truly de‑identified.
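The Safe Harbor method and the re‑link code rule described above, as an added worked example (not code from this article or from any vendor): it strips the direct identifiers, keeps only the year of dates, collapses ages over 89 into a single "90+" bucket (and drops the birth year that would reveal such an age), keeps at most the first three ZIP digits, and assigns a random re‑link code that is stored in a separate confidential table rather than derived from any identifier. The column names, the sample record, and the reference date are constructed for the example; the restricted ZIP‑prefix set is illustrative and must be taken from the current census‑based list in practice.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
import secrets
from datetime import date

# Assumed column names for fields Safe Harbor requires removing outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Date fields where only the year may remain (dob is handled separately
# because it also determines the age bucket).
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Illustrative set only; use the current HHS/census-derived list in practice.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Fixed reference date so the example is deterministic (the article's date).
REFERENCE_DATE = date(2025, 9, 6)


def _to_date(value):
    """Accept a date or an ISO 8601 string and return a date."""
    return value if isinstance(value, date) else date.fromisoformat(str(value)[:10])


def generalize_zip(zip_code):
    """Keep the first three digits unless that prefix is restricted."""
    digits = re.sub(r"\D", "", str(zip_code))[:5]
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, today):
    """Age in completed years on `today`."""
    dob, today = _to_date(dob), _to_date(today)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def de_identify(record, relink_table, today=REFERENCE_DATE):
    """Return a Safe Harbor-scrubbed copy of `record`.

    `relink_table` is the confidential map from random code to original key;
    it must be stored apart from the released data and never shipped with it.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in ("dob", "zip", "age") or value is None:
            continue  # direct identifiers are dropped, not transformed
        if key in DATE_FIELDS:
            out[key + "_year"] = _to_date(value).year  # year element only
        else:
            out[key] = value
    if record.get("zip") is not None:
        out["zip3"] = generalize_zip(record["zip"])
    if record.get("dob") is not None:
        age = age_on(record["dob"], today)
        if age > 89:
            out["age"] = "90+"  # birth year would reveal the age, so it is dropped too
        else:
            out["age"] = age
            out["dob_year"] = _to_date(record["dob"]).year
    elif record.get("age") is not None:
        out["age"] = "90+" if int(record["age"]) > 89 else int(record["age"])
    # Random token, not derived from any identifier; mapping kept confidential.
    code = secrets.token_hex(8)
    relink_table[code] = record.get("mrn")
    out["relink_code"] = code
    return out


def leaked_identifiers(scrubbed):
    """Names of direct-identifier columns that survived scrubbing (should be none)."""
    return sorted(k for k in scrubbed if k in DIRECT_IDENTIFIERS)


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",
    "name": "Jane Q. Public",
    "street_address": "12 Elm St",
    "zip": "03601",
    "email": "jane@example.com",
    "dob": "1932-03-15",
    "admit_date": "2025-08-30",
    "diagnosis_code": "E11.9",
    "attending_unit": "cardiology",
}

if __name__ == "__main__":
    confidential_table = {}
    print(de_identify(SAMPLE_RECORD, confidential_table))
    print("re-link table (keep separate):", confidential_table)
```

Two caveats the code cannot enforce: Safe Harbor also fails if you have actual knowledge that the remaining fields (here a diagnosis code and unit, in a small ZIP3 area) could identify someone, and a keyed hash or any code computed from an identifier is not the random, confidential code the rule describes; the mapping table is what lets you re‑link internally, so it must stay with the Covered Entity.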

Employment Health Records

HIPAA excludes employment records held by an employer. Files kept for hiring, fitness‑for‑duty, drug testing, workers’ compensation, or accommodation requests are not PHI when maintained in HR systems.

Important distinction: If a clinic performs a pre‑employment exam, the clinic’s copy is PHI under HIPAA. Once results are sent to the employer and stored in the personnel file, the employer’s copy is an employment record outside HIPAA. Other laws may still apply, but the HIPAA Privacy Rule and Security Rule do not govern the employer’s copy.

Wellness programs can straddle both worlds. If the program operates through a group health plan, its data is PHI. If the employer runs the program solely as an employer (without a Covered Entity or Business Associate handling the data), HIPAA does not apply to that data.

Publicly Available Health Information

Health information that is truly public—such as details you post on social media, a news article, court filings, or obituaries—is not PHI when it is not created or received by a Covered Entity or its Business Associates.

However, the same facts held by a Covered Entity remain PHI even if identical information appears in public sources. HIPAA obligations attach to the Covered Entity’s copy; public availability does not remove those duties.

Conclusion

HIPAA protects PHI in the hands of Covered Entities and Business Associates. Employers acting as employers, life insurers, law enforcement agencies, and schools generally fall outside HIPAA, and so do de‑identified datasets, employment records, and truly public information. To determine whether HIPAA applies, ask who holds the data, in what role, and whether the information is PHI under the HIPAA Privacy Rule (or ePHI under the Security Rule).

FAQs

Which employers are exempt from HIPAA?

Employers themselves are not Covered Entities. HIPAA can apply to an employer’s group health plan if it is a HIPAA “health plan” (for example, any size plan administered by an insurer/TPA, or a self‑administered plan with 50+ participants). A self‑administered plan with fewer than 50 participants is not a HIPAA health plan. Employment records kept by the employer are not PHI.

Are life insurance companies subject to HIPAA?

Generally no. Life insurers are not Covered Entities and their files are usually outside HIPAA. They may receive PHI from your providers only with your signed authorization. If a life insurer performs services for a Covered Entity, it becomes a Business Associate for that limited function and must protect any PHI it receives.

How does HIPAA apply to law enforcement agencies?

Law enforcement agencies are not Covered Entities. The HIPAA Privacy Rule permits Covered Entities to disclose PHI to law enforcement in specific circumstances (such as with a court order or to report certain crimes). If an agency operates a clinic or jail infirmary, that healthcare component may be a Covered Entity; typical investigative files are not PHI and are outside the HIPAA Security Rule.

Is student health information covered by HIPAA?

Usually no. Student health records maintained by a school or district are governed by FERPA, not HIPAA. Records from outside healthcare providers are HIPAA‑protected at the provider, but if copies are kept by the school, they become FERPA records there.
