HIPAA applies only to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and to business associates that handle protected health information (PHI) on behalf of a covered entity. Organizations outside those definitions, including employers, life insurers, schools, and certain technology platforms, are not bound by HIPAA when their activities do not involve PHI in a healthcare context.
Common misconceptions about where HIPAA applies include:
- Employers Handling Medical Information: Many people believe that employers are bound by HIPAA when they handle employee medical information, but HIPAA only applies to healthcare data managed by covered entities or their business associates. For example, if an employee provides a doctor’s note or health-related information to their employer, that information is not protected by HIPAA, although other privacy laws, such as the Americans with Disabilities Act (ADA), may apply.
- Life Insurance Companies: Life insurers often collect detailed health information for underwriting purposes, but they are not considered covered entities under HIPAA. The privacy of this information is generally governed by state insurance laws, not HIPAA.
- Schools and Educational Institutions: While schools may maintain health records, such as vaccination records or information on student health conditions, they are typically governed by the Family Educational Rights and Privacy Act (FERPA) rather than HIPAA, unless the school operates a healthcare clinic billing health plans electronically.
- Health and Fitness Apps: Popular fitness trackers and health apps that collect personal data, like step counts, sleep patterns, or calorie intake, are often assumed to be subject to HIPAA. However, unless these apps are provided or used by a covered entity or business associate in connection with healthcare services, they are not regulated under HIPAA.
- Social Media and Public Conversations: Some people mistakenly believe that HIPAA applies to personal or public discussions about someone’s health information. For instance, if an individual shares details about someone else’s medical condition on social media, this is not a HIPAA violation because the person sharing is not a covered entity or business associate.
- Landlords and Housing Agencies: While landlords or housing agencies might ask for health-related documentation, such as proof of disability for reasonable accommodations, they are not covered by HIPAA, though other privacy protections under fair housing laws may apply.
Understanding where HIPAA does and does not apply is essential for avoiding confusion and ensuring compliance with the privacy laws that actually govern a given situation, since many of these scenarios fall under other legal frameworks rather than HIPAA.