Who Is Not a Covered Entity Under HIPAA? Examples Explained



Kevin Henry

HIPAA

January 27, 2025

7 minutes read

The Health Insurance Portability and Accountability Act (HIPAA) applies primarily to “covered entities” and, through contracts, to their “business associates.” Covered entities are health plans, health care clearinghouses, and health care providers that transmit Protected Health Information (PHI) in electronic transactions. The HIPAA Privacy Rule and Security Rule govern how these groups use, disclose, and protect PHI. Below are common examples of organizations that are not covered entities—and where HIPAA might still touch them through a Business Associate Agreement or other laws.

Employers Managing Health Data

As employers, companies are not HIPAA covered entities. Employment records—such as FMLA notes, ADA accommodations, drug tests, and workers’ compensation files—are not PHI under the Privacy Rule, even if they include health details. HIPAA’s Security Rule likewise does not apply to those employment records.

However, if an employer sponsors a self-funded group health plan, that plan is a covered entity. PHI can flow to the employer only for specific plan administration purposes and must be walled off from general HR use. Third-party administrators, wellness vendors, or benefits platforms that create, receive, maintain, or transmit PHI for the plan must sign a Business Associate Agreement.

Standalone wellness programs offered by an employer outside a health plan usually are not subject to HIPAA, but other laws can apply (for example, the Federal Trade Commission Health Breach Notification Rule for certain consumer health data, and various state privacy laws).

Life Insurance and Disability Insurers

Life insurers and disability insurers are not HIPAA covered entities when performing underwriting or administering life and disability products. Their files are not PHI subject to the Privacy Rule or Security Rule.

Some insurers operate separate health insurance lines; those health plans are covered entities, but the life or disability lines are not. When these companies request medical records for underwriting, they typically rely on an individual authorization rather than HIPAA’s routine treatment, payment, and health care operations permissions.

Schools and Educational Institutions

Most student health and education records maintained by schools are governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. Because FERPA-covered records are explicitly excluded from HIPAA’s definition of PHI, K–12 schools and many campus health services are not covered entities for those records.

University medical centers or clinics that bill electronically and operate outside FERPA may be HIPAA covered entities for those clinical operations. In mixed environments, it is common for the same campus to maintain FERPA records for students and HIPAA records for patients, depending on which unit creates and maintains the record.

Fitness and Wellness App Providers

Consumer fitness, nutrition, and wellness apps that collect data directly from users—steps, sleep, heart rate, mood—are generally not HIPAA covered entities. If they do not create or receive PHI on behalf of a provider or health plan, the HIPAA Privacy Rule and Security Rule do not apply.

These companies may still be regulated. The Federal Trade Commission Health Breach Notification Rule can apply to vendors of personal health records and similar services when there is a breach of individually identifiable health information. If a wellness app is offered under a provider’s or plan’s program and handles PHI for that program, it becomes a business associate and must sign a Business Associate Agreement.


Non-Healthcare Technology Companies

General technology companies—cloud hosts, email platforms, CRM tools, or analytics providers—are not covered entities simply because they process data that happens to be health-related. HIPAA applies only if they create, receive, maintain, or transmit PHI on behalf of a covered entity.

When a tech vendor does handle PHI for a covered entity (for example, hosting an EHR database or managing a patient portal), it becomes a business associate and must execute a Business Associate Agreement and comply with applicable HIPAA safeguards, especially under the Security Rule. Vendors that store only de-identified data are outside HIPAA’s scope.

Retail Stores Without Pharmacy Services

Retailers that sell health-related products but do not operate a pharmacy or clinic are not HIPAA covered entities. Purchases of bandages, supplements, or fitness gear, and participation in loyalty programs, do not create PHI under HIPAA.

If a retailer adds a pharmacy, vaccination clinic, or similar service that bills health plans electronically, that specific line of business becomes a covered entity. In that case, HIPAA applies to the pharmacy records, not to the rest of the store’s retail operations.

Medical Device Manufacturers

Medical device makers are not covered entities under HIPAA. When a manufacturer collects data directly from consumers for device support or mobile apps, HIPAA typically does not apply. Other frameworks—product safety rules, state privacy laws, or the Federal Trade Commission’s authorities—may govern.

If a manufacturer provides remote monitoring or device services to a provider or health plan and receives PHI for that purpose, it acts as a business associate and must sign a Business Associate Agreement and implement Security Rule controls. Properly de-identified data are outside HIPAA.

Third-Party Service Providers Without PHI Handling

Vendors that do not create, receive, maintain, or transmit PHI are not subject to HIPAA. Examples include office supply companies, facility maintenance, building security, and certain couriers acting as mere “conduits.” Because they do not handle PHI for a covered entity, they are neither covered entities nor business associates.

By contrast, billing services, transcriptionists, IT managed service providers, and cloud hosts that store PHI for a covered entity are business associates and must execute a Business Associate Agreement. The moment a vendor takes possession of PHI for a covered entity, HIPAA’s Privacy Rule and Security Rule obligations attach through that relationship.

In short, if an organization is not a health plan, clearinghouse, or qualifying provider—and it does not handle PHI for one under contract—it is generally not a covered entity under HIPAA.

FAQs

What entities are excluded from HIPAA coverage?

Commonly excluded entities include employers acting in their capacity as employers, life and disability insurers, schools with records governed by the Family Educational Rights and Privacy Act, consumer fitness and wellness apps, general technology companies not handling PHI for covered entities, retail stores without pharmacy services, medical device manufacturers, and service providers that do not create, receive, maintain, or transmit PHI. Other laws—such as the Federal Trade Commission Health Breach Notification Rule and state privacy statutes—may still apply.

How does HIPAA define covered entities?

Covered entities are (1) health plans, (2) health care clearinghouses, and (3) health care providers that transmit health information electronically in connection with standard transactions. Business associates are not covered entities, but when they handle PHI for a covered entity, they must sign a Business Associate Agreement and comply with relevant Privacy Rule and Security Rule requirements.

Are employers always exempt from HIPAA?

Employers are generally exempt regarding employment records. However, an employer’s group health plan is a covered entity, and PHI used for plan administration must be segregated from general HR functions. Wellness programs integrated with a health plan can trigger HIPAA, while standalone programs typically do not.

When are technology companies considered covered entities under HIPAA?

Rarely. A tech company becomes directly subject to HIPAA only if it operates as a health plan, a health care clearinghouse, or a health care provider conducting standard electronic transactions. More commonly, tech vendors become business associates when they create, receive, maintain, or transmit PHI for a covered entity and, in that case, must enter a Business Associate Agreement and follow the Security Rule.
