Who Is Not a HIPAA Covered Entity? Definitions, Exceptions, and Risks
Not everyone who handles health information is regulated by HIPAA. Understanding who is not a HIPAA covered entity helps you assess obligations, close gaps, and manage risk when dealing with Protected Health Information (PHI) or look‑alike data.
This guide explains what HIPAA does and doesn’t cover, key exceptions like the Employment Records Exception and De‑Identified Data, and practical steps non‑covered entities can take to reduce exposure under federal and State Health Privacy Laws.
Definition of HIPAA Covered Entities
HIPAA directly regulates three types of covered entities: health plans, health care clearinghouses, and certain health care providers. If you are outside these categories—and are not acting as a business associate to one—you are generally not a HIPAA covered entity.
Health plans
Health plans include insurers, HMOs, government programs (such as Medicare and Medicaid), and Group Health Plans. Importantly, the plan itself is the covered entity, not the employer that sponsors it.
Health care providers
Providers are covered only if they transmit health information in connection with HIPAA standard Electronic Transactions (for example, electronic claims or eligibility checks). A provider who never conducts those transactions electronically may fall outside HIPAA coverage.
Health care clearinghouse
A Health Care Clearinghouse is an entity that translates health information from nonstandard to standard formats (or vice versa) for other organizations. Clearinghouses are covered entities even if they do not provide direct patient care.
Protected Health Information
PHI is individually identifiable health information created or received by a covered entity or its business associate. Data held solely by a non‑covered entity is not PHI under HIPAA, though it may be “health data” subject to other laws.
Criteria for Covered Entities
Use these tests to determine coverage:
- Health plan test: Do you operate a plan that pays for medical care (including a Group Health Plan)? If yes, the plan is a covered entity.
- Provider test: Do you furnish health care and conduct HIPAA standard Electronic Transactions (claims, remittances, eligibility, referrals) electronically? If yes, you are a covered entity.
- Clearinghouse test: Do you convert health data between standard and nonstandard formats for other organizations? If yes, you are a clearinghouse and covered.
Special carve‑outs and nuances
- Small self‑administered Group Health Plans: A group health plan with fewer than 50 participants that is administered solely by the employer is generally excluded from the “health plan” definition.
- Employers vs. plans: An employer is not a covered entity simply because it sponsors a plan; the plan is the covered entity.
- Business associates: A business associate is not a “covered entity,” but it is directly subject to HIPAA when handling PHI for a covered entity under a business associate agreement.
Common Non-Covered Entities
These organizations often handle health-related information but are typically not HIPAA covered entities unless they also operate a covered function or serve as a business associate:
- Employers in their role as employer (e.g., HR files, leave requests)
- Schools and school districts (education records are usually governed by FERPA)
- Life insurers, disability insurers, auto and liability insurers
- Workers’ compensation carriers and programs
- Personal health apps, fitness trackers, and wellness platforms not acting for a covered entity
- Consumer technology companies, marketers, and data brokers handling health-related data outside HIPAA relationships
- Community groups, gyms, camps, and social services not providing covered health care transactions
- Law enforcement agencies and many government offices that do not operate as health plans, providers, or clearinghouses
If any of these entities perform services involving PHI for a covered entity, they become business associates for that work and must meet HIPAA’s requirements for that scope.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exceptions to HIPAA Coverage
Employment Records Exception
HIPAA excludes employment records held by a covered entity in its role as employer. For example, a hospital’s HR files about its employees are not PHI, even though the hospital is a covered entity. However, information in the hospital’s Group Health Plan remains subject to HIPAA.
De-Identified Data
De-Identified Data that meets HIPAA’s de‑identification standards is not PHI. De‑identification typically requires removing specified identifiers or using expert determination so individuals cannot reasonably be reidentified.
Education and student records
Education records and certain treatment records maintained by schools or institutions subject to FERPA are excluded from HIPAA. School clinics may be covered only if they bill electronically as providers.
Non-health plans and similar programs
Programs such as workers’ compensation, many life or disability policies, and insurers paying for non‑medical benefits are not “health plans” under HIPAA. They may acquire health information, but HIPAA does not make them covered entities.
Risks for Non-Covered Entities
Being outside HIPAA does not mean “no rules.” If you handle health-related data, you face other legal, contractual, and reputational risks:
- Federal consumer protection: The FTC can pursue unfair or deceptive practices, including inaccurate privacy notices or misuse of health data. The Health Breach Notification Rule may apply to certain personal health record services and apps.
- State Health Privacy Laws: States increasingly regulate health data beyond HIPAA. You may face consent, notice, and security obligations, and breach notification duties at the state level.
- Contractual liability: Data processing agreements, terms with vendors, and promises to users create enforceable obligations—even without HIPAA.
- Civil litigation and reputational harm: Privacy tort claims, class actions, and loss of user trust can follow incidents involving sensitive health information.
- Security expectations: Regulators expect reasonable safeguards for sensitive data, including access controls, encryption, and incident response—regardless of HIPAA status.
Compliance Considerations for Non-Covered Entities
If you are not a HIPAA covered entity but handle health-related data, adopt practical safeguards tailored to your role:
- Data mapping: Identify what you collect, where it flows, and whether any data qualifies as PHI versus non‑PHI health data.
- Minimization: Collect only what you need; avoid storing precise location or persistent identifiers unless essential.
- Notices and consent: Keep privacy disclosures accurate and specific about health data uses, analytics, and advertising.
- Security by design: Implement encryption, role‑based access, logging, and vendor due diligence; maintain an incident response plan.
- BAA readiness: If you support covered entities, prepare to sign business associate agreements and segregate PHI from other datasets.
- De-Identification programs: Use formal de‑identification or aggregation to reduce risk when sharing or analyzing data.
- State law alignment: Track State Health Privacy Laws that may impose stricter consent, deletion, or portability requirements.
- Workforce training: Teach teams the difference between PHI, non‑PHI health data, and the Employment Records Exception.
Conclusion
In short, “Who is not a HIPAA covered entity?” includes many employers, schools, consumer apps, and insurers outside the “health plan” category. Even so, handling health data triggers other duties—especially under state laws and federal consumer protection rules—so you should design privacy and security controls that meet or exceed HIPAA‑level expectations.
FAQs
What entities are excluded from HIPAA coverage?
Entities that are not health plans, health care clearinghouses, or providers conducting HIPAA Electronic Transactions are generally excluded. Common examples include employers (in their employer role), schools, life and disability insurers, workers’ compensation programs, many wellness apps, gyms, and data brokers—unless they act as business associates for a covered entity.
How do employment records affect HIPAA applicability?
Under the Employment Records Exception, an employer’s HR files are not PHI, even if the employer sponsors a Group Health Plan. However, the plan’s records are PHI. Keep strict boundaries so employment files do not commingle with plan data.
Are all insurance policies covered under HIPAA?
No. Only insurance that qualifies as a “health plan” is a HIPAA covered entity. Life, disability, auto, liability, and workers’ compensation policies are typically not health plans. A Group Health Plan is covered, but the employer that sponsors it is not.
What risks do non-covered entities face regarding PHI?
Non‑covered entities do not create PHI under HIPAA when acting outside HIPAA relationships, but they still face FTC enforcement, State Health Privacy Laws, contractual duties, breach notification obligations, litigation exposure, and reputational harm if health data is mishandled.