Who Is Protected Under HIPAA? Whose Health Information Is Covered
Definition of Protected Health Information
Under HIPAA, Protected Health Information (PHI) is individually identifiable health information that relates to your past, present, or future physical or mental health, the care you receive, or payment for that care. It is protected when created, received, maintained, or transmitted by a covered entity or its business associate, in any form—electronic, paper, or oral.
PHI includes common identifiers when linked to health details, such as your name, full-face photos, addresses smaller than a state, dates (other than year), phone numbers, email addresses, Social Security numbers, medical record numbers, account and certificate/license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, and unique codes. De-identified data—stripped of these identifiers—or information aggregated so individuals cannot be identified is not PHI.
- PHI stays protected for decedents for 50 years after death.
- Employment records kept by an employer (even a hospital acting as an employer) are not PHI.
- A “limited data set” with certain identifiers removed can be used for research, public health, or operations under a data use agreement.
In short, who is protected under HIPAA depends on whether your health information is handled by regulated organizations and whether it meets the definition of PHI.
Covered Entities Under HIPAA
Covered Entities are the organizations directly regulated by HIPAA. Your health information is covered when it is handled by:
- Health plans: Insurers, HMOs, employer group health plans, government programs like Medicare and Medicaid, and certain long-term care insurers.
- Health care providers: Doctors, clinics, hospitals, pharmacies, labs, dentists, and others who transmit health information electronically in standard transactions (for example, claims or eligibility checks).
- Health care clearinghouses: Organizations that standardize nonstandard health information they receive from another entity.
- Hybrid entities: Organizations (such as universities or municipalities) that perform both covered and non-covered functions and designate their “health care components” as covered.
If a provider never conducts HIPAA-standard electronic transactions, it may not be a covered entity—though in practice, most providers do.
Roles of Business Associates
Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for a Covered Entity. Examples include billing services, EHR and cloud service providers, data analytics firms, claims processors, consultants, and certain health app developers working on behalf of a provider or plan.
- Business Associate Agreement (BAA): Covered Entities must sign BAAs that limit uses/disclosures, require safeguards, mandate breach reporting, and bind subcontractors to the same obligations.
- Direct liability: Business Associates—and their subcontractors—are directly responsible for complying with key HIPAA provisions.
- Conduit exception is narrow: Mere transmission services with no routine access to PHI (for example, postal services) are not Business Associates, but most cloud and hosting services are.
Exclusions from HIPAA
HIPAA does not cover every organization that touches health-related data, nor every kind of health information. Your data may fall outside HIPAA when it is handled by entities or in contexts not regulated by the law.
- Not Covered Entities: Most employers, life insurers, many schools (records governed by FERPA), law enforcement agencies, and workers’ compensation insurers.
- Consumer apps and devices: Fitness trackers, wellness apps, or wearable manufacturers are generally outside HIPAA unless they act for a Covered Entity under a BAA.
- Employment records: Health information an employer keeps in its role as employer is not PHI.
- De-identified or aggregated data: Information that cannot identify an individual is not PHI.
State laws and other federal laws may still protect some of these data, but those protections are separate from HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Privacy and Security Requirements
HIPAA’s Privacy Rule and Security Rule set the baseline for health information privacy. Covered Entities and Business Associates must limit uses and disclosures of PHI, safeguard it, and give you meaningful control over it.
- Privacy Rule: Permits PHI use/disclosure without authorization for treatment, payment, and health care operations; requires the “minimum necessary” standard; and allows certain public interest disclosures (for example, public health, health oversight, judicial proceedings) as permitted by law.
- Notice of Privacy Practices: Providers and plans must tell you how they use/disclose PHI and your rights.
- Authorizations: Most uses beyond what the Privacy Rule permits require your written authorization.
- Security Rule (for ePHI): Requires risk analysis and administrative, physical, and technical safeguards such as access controls, audit logs, device and facility protections, workforce training, and transmission security.
- Breach Notification Rule: If unsecured PHI is breached, affected individuals must be notified without unreasonable delay and no later than 60 days; large breaches trigger notice to HHS and, in some cases, the media.
Rights of Individuals
HIPAA grants you concrete rights over your PHI when it is held by Covered Entities or their Business Associates.
- Right of access: Get copies of your PHI (including electronic copies of ePHI) within 30 days, with one 30-day extension if needed.
- Right to direct disclosures: Have your PHI sent to a third party you choose in the requested format if readily producible.
- Right to amend: Ask for corrections to inaccurate or incomplete information.
- Right to an accounting of disclosures: Receive a record of certain disclosures made without your authorization.
- Right to request restrictions and confidential communications: Limit certain disclosures and request communications at alternative locations; you can require providers to withhold PHI from a health plan for a service paid in full out of pocket.
- Right to be informed: Receive a Notice of Privacy Practices and breach notifications when applicable.
Enforcement and Penalties
HIPAA enforcement is led by the HHS Office for Civil Rights (OCR), with support from state attorneys general and, in criminal cases, the Department of Justice. OCR investigates complaints, conducts compliance reviews, negotiates resolution agreements and corrective action plans, and can assess civil monetary penalties.
- Civil penalties: Tiered by culpability (from lack of knowledge to willful neglect), assessed per violation, with annual caps per violation type. Amounts are adjusted periodically for inflation.
- Criminal penalties: Knowing misuse of PHI can lead to fines and imprisonment, with higher penalties for offenses under false pretenses or for personal gain or malicious harm.
- Business Associate liability: Vendors can face HIPAA enforcement directly for safeguard failures or impermissible uses/disclosures.
- Mitigation matters: Prompt breach response, robust safeguards, and workforce training can reduce risk and potential penalties.
Bottom line: your health information privacy is protected when PHI is handled by Covered Entities and their Business Associates under the Privacy Rule and Security Rule, backed by real enforcement. Knowing who holds your data—and what your rights are—helps you use the system confidently and securely.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities include health plans (insurers, HMOs, employer group health plans, Medicare and Medicaid), health care providers who transmit health information electronically in standard transactions (such as claims), and health care clearinghouses. Hybrid organizations can designate their health care components as covered.
What types of health information are protected under HIPAA?
HIPAA protects PHI—any individually identifiable health information about your health, care, or payment for care that a covered entity or its business associate creates, receives, maintains, or transmits. PHI includes identifiers like names, addresses, dates, contact information, account and ID numbers, device and vehicle identifiers, IP addresses, biometric data, and full-face photos whenever linked to health details. De-identified or aggregated data is not PHI.
How does HIPAA apply to business associates?
Business associates are vendors that handle PHI for covered entities. They must sign Business Associate Agreements, implement safeguards, limit uses and disclosures, report breaches, and bind subcontractors to the same requirements. They are directly liable for compliance and may face enforcement actions for violations.