HIPAA does not apply to entities that do not handle protected health information (PHI), such as life insurers, employers (in most contexts), workers’ compensation programs, and educational institutions covered by FERPA.
While many organizations in the healthcare industry must comply with HIPAA’s privacy and security rules, certain groups and individuals are exempt from these regulations.
Entities Not Covered by HIPAA
- Life Insurance Companies: Since life insurers do not provide healthcare services, they are not considered covered entities under HIPAA. While they may collect health-related information during policy underwriting, HIPAA does not regulate their data practices.
- Employers (in Most Cases): Employers are generally not subject to HIPAA, even when they manage employee health records for workplace benefits. However, if an employer operates a self-insured health plan, it must comply with HIPAA regarding plan-related PHI.
- Workers’ Compensation Programs: These programs are regulated by state law rather than HIPAA. They may access health information necessary to process claims, but HIPAA does not govern how this data is managed.
- Educational Institutions Covered by FERPA: Schools and universities that fall under the Family Educational Rights and Privacy Act (FERPA) are not subject to HIPAA. Student health records maintained by these institutions are governed by FERPA regulations instead.
- Non-Healthcare Mobile App Developers: Many health-related mobile apps designed for personal use are not covered by HIPAA unless the developer partners with a healthcare provider or handles PHI on the provider’s behalf.
- Law Enforcement Agencies: While law enforcement may access health information through legal processes, they are not considered covered entities under HIPAA.
Individuals as Non-Covered Entities
HIPAA does not apply to individuals using health-related information for personal reasons. For example:
- Personal Record-Keeping: Individuals maintaining personal health records are not bound by HIPAA.
- Caregiving by Family Members: Family members managing a relative’s healthcare do not fall under HIPAA’s jurisdiction.
- Health Discussions: Conversations about health concerns in non-professional settings are outside HIPAA’s scope.
Why These Entities Are Excluded
HIPAA’s primary goal is to protect PHI handled by organizations directly involved in healthcare services, payment processing, and healthcare operations. Entities outside this scope are typically regulated by other laws or have no legal responsibility for safeguarding PHI.
Common Misconceptions
Many people mistakenly assume that HIPAA covers all entities handling health-related information. For example, fitness apps, online forums discussing health issues, and employers conducting wellness programs are often thought to be HIPAA-covered when they are not.
HIPAA applies only to specific covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Entities such as life insurers, employers (in most contexts), workers’ compensation programs, educational institutions under FERPA, law enforcement agencies, and individuals managing personal health information are exempt from HIPAA regulations. Understanding these distinctions helps clarify who must comply with HIPAA’s privacy and security rules.