Who does HIPAA not apply to?

HIPAA does not apply to life insurers, most employers, workers’ compensation programs, FERPA-covered educational institutions, law enforcement agencies, and individuals managing personal health data.

Examples of entities not covered by HIPAA:

  1. Life Insurance Companies: Since life insurers are not healthcare providers, HIPAA does not regulate how they manage personal health data collected during policy applications.
  2. Employers (in Most Situations): Employers are typically not covered by HIPAA unless they administer self-funded health plans, in which case HIPAA applies only to plan-related information.
  3. Workers’ Compensation Programs: These programs are governed by state laws, not HIPAA, and can access health records relevant to processing claims.
  4. Educational Institutions Under FERPA: Schools and universities that fall under the Family Educational Rights and Privacy Act (FERPA) are exempt from HIPAA. Student health records they maintain are protected by FERPA instead.
  5. Law Enforcement Agencies: While they may legally access health data during investigations, law enforcement agencies are not subject to HIPAA regulations.
  6. Mobile Health Apps for Personal Use: Consumer-grade health and fitness apps, unless connected to healthcare providers or insurers, are not governed by HIPAA.

HIPAA’s regulations do not apply to individuals managing their own health information or assisting family members. For example:

  • Personal Health Records: Individuals storing their medical data are not subject to HIPAA rules.
  • Family Caregiving: Family members handling a relative’s healthcare are not bound by HIPAA.
  • Health Discussions: Informal conversations about health conditions are beyond HIPAA’s scope.

HIPAA targets organizations directly involved in providing, processing, or reimbursing healthcare services. Entities outside this framework often fall under other federal or state privacy laws or are not legally obligated to safeguard health information.

Many people mistakenly believe that all health-related data is protected by HIPAA, regardless of who handles it. For instance, employers running wellness programs, fitness trackers, and online health forums are frequently assumed to be HIPAA-covered when they are not. HIPAA compliance applies only to healthcare providers, health plans, healthcare clearinghouses, and their business associates.

Entities like life insurers, most employers, workers’ compensation programs, FERPA-covered educational institutions, law enforcement agencies, and individuals managing personal health data are exempt from HIPAA’s rules. Recognizing these distinctions helps clarify who must adhere to HIPAA’s privacy and security requirements.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA