A hospital's HR department shared an employee's sick leave records with a manager, and the employee filed a complaint with the Office for Civil Rights (OCR), claiming a HIPAA violation. OCR dismissed the complaint — not because the disclosure was appropriate, but because employment records held by an employer are not protected health information under HIPAA. Understanding what information is not protected by HIPAA is just as critical to compliance as understanding what is protected. Misapplying the Privacy Rule wastes resources, creates false confidence, and distracts your workforce from the real risks.

Why Knowing What Information Is Not Protected by HIPAA Prevents Costly Mistakes

Healthcare organizations consistently struggle with over-applying and under-applying HIPAA. Both errors carry consequences. When your workforce assumes HIPAA covers everything health-related, they may ignore state privacy laws that actually do apply. When they assume HIPAA covers nothing outside clinical records, they risk exposing genuinely protected health information (PHI).

The Privacy Rule at 45 CFR §164.500-534 applies specifically to PHI held or transmitted by covered entities and their business associates. Anything outside that scope falls outside HIPAA's protections — though other federal and state laws may still apply.

The Definition of PHI: Drawing the Line

Before identifying what HIPAA does not protect, your organization needs a precise understanding of what it does. PHI is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It must relate to a past, present, or future health condition, the provision of healthcare, or payment for healthcare — and it must identify the individual or provide a reasonable basis for identification.

If information fails any part of that definition, HIPAA's Privacy Rule does not apply to it. Here are the major categories that fall outside protection.

Employment Records Held by a Covered Entity Acting as Employer

This is the scenario OCR encounters repeatedly. Under 45 CFR §160.103, HIPAA explicitly excludes employment records held by a covered entity in its role as an employer. If your hospital collects a doctor's note for an employee's leave request, that record is an employment record — not PHI under HIPAA.

This does not mean the information is unprotected. The Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), and various state privacy statutes impose their own obligations. Your workforce needs training that covers these distinctions clearly.

De-Identified Health Information

Under 45 CFR §164.514, health information that has been de-identified is no longer PHI and is not subject to HIPAA restrictions. The Privacy Rule provides two methods for de-identification:

  • Expert Determination (§164.514(b)(1)): A qualified statistical expert certifies that the risk of identifying an individual is very small.
  • Safe Harbor (§164.514(b)(2)): All 18 specified identifiers are removed, and the covered entity has no actual knowledge that the remaining information could identify an individual.

Organizations involved in research, analytics, and public health reporting use de-identified data extensively. Once properly de-identified, the data can be shared without restriction under HIPAA — though institutional review boards and data use agreements may impose separate requirements.
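The Safe Harbor method described above is mechanical enough to encode. The following is an added example, not code from the article or any HIPAA Certify product: it applies the §164.514(b)(2) rules to a single constructed patient record (removing the direct identifier fields, reducing ZIP codes to a three-digit prefix, reducing dates to the year, bucketing ages of 90 and over, and scrubbing a few identifier patterns from free text), and enforces the second Safe Harbor condition by refusing to proceed when the covered entity has actual knowledge that the remaining data could identify the individual. The field names, the sample record, and the free-text patterns are assumptions made for the example; the restricted ZIP prefix list is the one published in HHS Safe Harbor guidance (2000 Census) and should be verified against current guidance before use.

```python
"""Safe Harbor de-identification of one record (added example, not from the article)."""
import re
from datetime import date

# Record fields assumed for this example that map directly onto Safe Harbor
# identifier categories and are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo", "other_unique_id",
}

# Three-digit ZIP prefixes with 20,000 or fewer people per HHS Safe Harbor
# guidance (2000 Census); Safe Harbor requires reporting them as 000.
# Verify against current HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Date fields (other than date of birth) assumed for this record layout.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Constructed, deliberately simple free-text patterns for identifiers that
# commonly leak into clinical notes. Not a substitute for a full scrubber.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "dob": "1931-05-14",
    "zip": "03801",
    "admit_date": "2023-11-02",
    "diagnosis_code": "E11.9",
    "notes": "Patient reached at 603-555-0123 or jane@example.com; SSN 123-45-6789.",
}
REFERENCE_DATE = "2024-01-15"  # constructed "as of" date for computing age


def generalize_zip(zip_code):
    """Keep the first three digits only; collapse restricted prefixes to 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob_iso, ref_iso):
    """Whole years between date of birth and the reference date."""
    dob, ref = date.fromisoformat(dob_iso), date.fromisoformat(ref_iso)
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def scrub_text(text):
    """Replace matched identifier patterns in free text with category tags."""
    for pattern, tag in TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def safe_harbor_deidentify(record, reference_date, actual_knowledge=False):
    """Return a de-identified copy of record, or refuse if the second Safe
    Harbor condition (no actual knowledge of re-identifiability) fails."""
    if actual_knowledge:
        raise ValueError("Safe Harbor unavailable: actual knowledge of re-identifiability")
    age = age_on(record["dob"], reference_date) if "dob" in record else None
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # identifier category removed entirely
        if key == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key == "dob":
            # Birth year is allowed unless it reveals an age of 90 or over.
            if age is not None and age < 90:
                out["birth_year"] = date.fromisoformat(value).year
        elif key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age >= 90 else age
    return out


def deidentify_sample():
    """Run the constructed sample record through the Safe Harbor transform."""
    return safe_harbor_deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    print(deidentify_sample())
```

Note that the code only implements removal and generalisation; it cannot decide whether the organisation has "actual knowledge" that the remainder is identifiable, which is why that judgement is an explicit input rather than something inferred from the data.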

Health Information Held by Entities That Are Not Covered Entities or Business Associates

HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with covered transactions) and their business associates. It does not apply to:

  • Employers that are not otherwise covered entities, even when they collect health information for wellness programs or insurance enrollment.
  • Life insurers, workers' compensation carriers, and most schools and school districts.
  • Consumer health apps and wearable device manufacturers that do not act as business associates to a covered entity. Your Fitbit data, Apple Health data, and most direct-to-consumer genetic testing results are not protected by HIPAA.
  • Law enforcement agencies holding health-related records obtained outside a covered entity relationship.

The FTC's Health Breach Notification Rule and state consumer privacy laws (such as the California Consumer Privacy Act) may cover some of these gaps, but HIPAA itself does not.

Education Records Protected by FERPA

Health records maintained by a school or university that are part of a student's education record fall under the Family Educational Rights and Privacy Act (FERPA), not HIPAA. The HIPAA Privacy Rule at 45 CFR §160.103 explicitly excludes education records covered by FERPA from the definition of PHI. A university health center treating a student creates records that may be FERPA-protected rather than HIPAA-protected, depending on the institution's structure.

Information That Has Been Publicly Available

If an individual voluntarily makes their health information public — sharing a diagnosis on social media, speaking at a public hearing, or authorizing a press release — that now-public information is not subject to HIPAA restrictions on use and disclosure. However, the underlying records in your covered entity's systems remain fully protected. The public nature of certain information does not relieve your organization of its obligations regarding its own records.

Aggregate and Summary Health Data

Summary health information, as defined under 45 CFR §164.514(a), may be disclosed to a group health plan sponsor for limited purposes (obtaining premium bids or modifying the plan) without full HIPAA authorization, provided individual identifiers have been stripped. This is a narrower concept than full de-identification but represents another category where normal PHI protections are relaxed.

The Compliance Gap Your Workforce Training Must Address

In my work with covered entities, I see a pattern: training programs focus almost exclusively on what to protect, and barely mention what falls outside HIPAA's scope. This creates confusion at the operational level. Staff members delay legitimate data sharing because they incorrectly assume HIPAA applies. Compliance officers field unnecessary breach reports. Meanwhile, actual risks — like an unsecured business associate handling real PHI — go unaddressed because attention is elsewhere.

Effective HIPAA training and certification should dedicate meaningful time to the boundaries of HIPAA, not just its requirements. Your workforce should be able to distinguish employment records from treatment records, recognize when de-identification has been properly applied, and understand that many health apps operate entirely outside HIPAA's reach.

Action Steps for Your Organization

  • Audit your data inventory. Classify which records are PHI under HIPAA and which fall outside its scope. Pay close attention to employment records and student health records.
  • Update your Notice of Privacy Practices to accurately reflect what your organization protects under HIPAA — and educate patients about what HIPAA does not cover.
  • Review business associate agreements to ensure they do not create obligations around data categories HIPAA does not reach.
  • Conduct a risk analysis that accounts for the actual scope of PHI in your environment, applying the minimum necessary standard where required.
  • Invest in ongoing workforce training through a program like HIPAA Certify's workforce compliance platform that covers both the protections and the boundaries of the Privacy Rule.

Knowing what information is not protected by HIPAA is not an academic exercise. It determines how your covered entity allocates compliance resources, responds to data requests, and trains every member of its workforce. Get the boundaries wrong, and you either over-restrict legitimate activity or — worse — leave genuinely protected health information exposed while guarding data that was never yours to worry about.