What does HIPAA not cover?
HIPAA doesn’t govern when individuals access their own medical records for personal use. In other words, if you’re checking your own health information, HIPAA doesn’t come into play.
1. Personal use
HIPAA does not regulate an individual’s use of or access to their own medical records for personal purposes.
2. De-identified information
Information that cannot be linked to a specific person, like anonymous medical data used for public health studies, falls outside HIPAA’s scope. When data is made sufficiently generic, HIPAA doesn’t apply.
3. Employee records
If you work for a medical office but are not a patient, HIPAA does not protect your employee records. Those handling these records, like HR personnel or accountants, don’t have to follow HIPAA standards.
4. Law enforcement
HIPAA-covered entities can share PHI with health oversight agencies, law enforcement, or for judicial proceedings. These exceptions aren’t a carte blanche for releasing information but come into play in specific situations, like aiding police investigations.
5. Research
HIPAA has distinct rules for using PHI in research. Researchers typically need an individual’s written consent unless certain conditions are met, like de-identifying the healthcare information or using a limited data set without specific identifiers.
6. Colleges and universities
HIPAA doesn’t cover most school-based health programs at colleges and universities. However, those programs must adhere to HIPAA if they employ healthcare providers who use electronic transactions. Offering medical services to the public makes the institution a hybrid entity, subject to certain HIPAA regulations.
7. Emergencies
HIPAA’s Privacy Rule permits disclosures during emergencies to treat patients or individuals in immediate danger. It also allows for using and disclosing PHI in public health activities, such as disease control and reporting.
8. State law differences
When state laws contradict HIPAA, the rule of thumb is that the stricter law prevails. If state laws offer more patient protection, they take precedence over HIPAA; if they are less stringent, HIPAA applies. Federal or state laws can still govern PHI use and disclosure, even when HIPAA doesn’t.
9. Workers’ compensation
HIPAA typically doesn’t cover using or disclosing PHI for workers’ compensation purposes, such as verifying claims. Hence, entities like workers’ compensation insurers, administrative agencies, or employers are not subject to HIPAA in these situations.