Who does HIPAA not apply to?

HIPAA applies only to HIPAA Covered Entities and their Business Associates. Individuals and organizations outside those two categories are not subject to HIPAA even when they handle health-related information. Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information in electronic form in connection with a transaction for which HHS has adopted a standard. Business Associates are the vendors, contractors, and subcontractors that create, receive, maintain, or transmit protected health information (PHI) on a covered entity’s behalf, or on behalf of another business associate. An organization that is neither is outside HIPAA scope, although other federal and state privacy or consumer protection laws can still govern how it handles health data.

HIPAA does not apply to most employers or to employment records, including workplace medical files an organization holds in its capacity as an employer rather than as a healthcare provider; the HIPAA definition of PHI expressly excludes employment records held by a covered entity in its role as employer. HIPAA does not apply to most schools, because student health records maintained as education records fall under FERPA and are likewise excluded from the definition of PHI. HIPAA does not apply to life insurers, many disability insurers, many auto insurers, workers’ compensation carriers, or workers’ compensation administrators when they are not acting as Covered Entities or as Business Associates of one. HIPAA does not apply to many government agencies that do not operate as covered entities, even if they collect health-related information for non-healthcare program purposes.

HIPAA does not apply to most consumer technology companies and direct-to-consumer services that collect health data from users outside a covered entity relationship, including many mobile health applications, fitness trackers and wearable vendors, social media platforms, search engines, and online advertising networks. The same diagnosis that is PHI in a provider’s chart is not PHI once the patient types it into a fitness app, because the app vendor is not a covered entity or business associate; such vendors may instead fall under the FTC Health Breach Notification Rule and state consumer health privacy laws. HIPAA also does not apply to disclosures patients make themselves on social media, or to journalists and media outlets that obtain information through means unrelated to a covered entity workforce function. A consumer email account or consumer cloud storage used by an individual is likewise outside HIPAA; the same service becomes subject to HIPAA only when a covered entity or business associate uses it for protected health information under a business associate agreement.

HIPAA scope turns on role and relationship, not industry label. A technology vendor, billing service, data analytics firm, call center, transcription service, cloud hosting provider, or document storage company becomes a business associate, and takes on HIPAA obligations directly, when it creates, receives, maintains, or transmits protected health information on a covered entity’s behalf. The status attaches by function: a vendor that handles PHI for a covered entity is a business associate even if no business associate agreement was ever signed, and a cloud provider that stores only encrypted PHI and never holds the decryption key is still a business associate. The same organization can also play two roles at once: a hospital’s patient charts are PHI, while the medical file it keeps on a nurse in its capacity as her employer is an employment record outside HIPAA. Determining whether HIPAA applies therefore means confirming the entity type, whether protected health information is involved, and whether the activity is performed on behalf of a covered entity or business associate.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA