Overview —

What HIPAA Doesn’t Cover: Understanding HIPAA Exceptions

HIPAA doesn’t cover employment, education, or de-identified data—know the exceptions to protect all info.

Share this article

Contents

No headings found on page

What HIPAA Doesn't Cover: Understanding HIPAA Exceptions

HIPAA's protections are broad, but they're not universal — and assuming HIPAA covers everything health-related is a common, costly misread. The law's actual boundary is defined narrowly: it applies to PHI handled by covered entities and business associates, not to health information generally. Knowing exactly where that boundary sits matters for two reasons: avoiding compliance gaps where HIPAA actually does apply, and not wasting effort treating data as regulated when it legally isn't.

Employment Records

When a covered entity acts as an employer rather than a healthcare provider, records it holds about its own employees — sick leave requests, workers' compensation claims, drug testing results obtained for employment purposes — are not PHI under HIPAA. The same hospital that's bound by HIPAA when treating a patient has no HIPAA obligation toward its own HR files on staff. This distinction trips people up specifically because the same organization can be a covered entity in one context and an ordinary employer in another, with different rules applying simultaneously.

Education Records

Student health records maintained by schools are typically governed by FERPA (Family Educational Rights and Privacy Act), not HIPAA — even when the records in question are clearly health-related, like immunization records or counseling notes kept by a school nurse. Organizations operating in both education and healthcare contexts (school-based health clinics, university health centers) need to know which framework applies to which records, since the two have meaningfully different disclosure rules.

De-Identified Data

This is the exception most often invoked loosely and least often understood precisely. HIPAA doesn't have one generic "de-identification" standard — it specifies two distinct, legally defined methods, and data only loses PHI status if it actually meets one of them:

  • Safe Harbor method — removing all 18 specific identifier categories the Privacy Rule names (names, geographic subdivisions smaller than a state, all dates more specific than year, phone numbers, email addresses, biometric identifiers, and others), with no actual knowledge that the remaining information could re-identify the individual.

  • Expert Determination method — a qualified statistician or expert applies accepted methods to determine the re-identification risk is very small, and documents that determination.

Stripping out a name and calling data "de-identified" without satisfying either method doesn't actually remove HIPAA's protections — it just creates the appearance of compliance without the legal substance behind it. This is a common, costly mistake.

Health Information Shared Outside the U.S.

HIPAA's jurisdiction is tied to covered entities and business associates as defined under U.S. law — health information that never passes through a HIPAA-regulated entity isn't automatically protected by HIPAA, even if it concerns a U.S. person. This is a real gap for global health-tech companies: data shared with international partners outside the covered-entity/business-associate relationship may fall under a different jurisdiction's privacy law (or none at all), which is exactly why organizations operating across borders typically need to layer GDPR or other regional frameworks on top of HIPAA rather than assuming HIPAA alone covers international data flows. Aligning SOC 2 and HIPAA Compliance covers a related cross-framework alignment question.

Law Enforcement Disclosures

HIPAA permits — and in some cases requires — disclosure of PHI to law enforcement under specific, narrowly defined circumstances: court orders, certain types of subpoenas, reporting of certain wounds or injuries, and a handful of other named exceptions in the Privacy Rule. This isn't a blanket exception that lets PHI flow freely to law enforcement on request — each permitted disclosure has its own conditions, and getting this wrong in either direction (refusing a legally compelled disclosure, or disclosing without meeting the actual legal basis) creates real liability.

Why Knowing the Boundary Matters

Misjudging HIPAA's scope causes problems in both directions. Treating exempt data (de-identified data that hasn't actually met Safe Harbor or Expert Determination, or employment records mistaken for PHI) as if it's still regulated wastes compliance effort on data that doesn't need it. Treating in-scope data as exempt — assuming a "mostly anonymized" dataset is safe, or assuming international data sharing falls outside HIPAA's reach when a business associate relationship still applies — is the more dangerous direction, since it's the kind of gap that surfaces during a breach investigation rather than a routine audit.

For what HIPAA does require once data is confirmed in scope, see Understanding HIPAA Rules & Requirements and Conducting a HIPAA Risk Assessment


In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.

HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.

Read more about HIPAA compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.