What falls within the HIPAA scope?

HIPAA’s scope is focused on protecting Protected Health Information (PHI) within the US healthcare ecosystem. The law establishes privacy, security, breach notification, and enforcement requirements that apply to specific types of organizations and data. The Privacy Rule governs PHI in any form (electronic, paper, or oral), while the Security Rule governs electronic PHI (ePHI) when it is created, received, maintained, or transmitted. Certain categories of data, such as de-identified information and specific employment, education, or research records, are excluded from the scope.

1. Covered entities

Under 45 CFR § 160.103, HIPAA defines three categories of covered entities:
  • Health plans: Includes group health plans, health insurance issuers, health maintenance organizations (HMOs), and government programs such as Medicare and Medicaid.
  • Healthcare providers: Providers are covered only if they conduct HIPAA-standard electronic transactions (for example, claims submissions or eligibility inquiries). This includes hospitals, physicians, dentists, pharmacies, laboratories, and similar providers.
  • Healthcare clearinghouses: Entities that convert nonstandard health information into standard transaction formats (or standard formats into nonstandard ones), for example for billing or payment processing.
2. Business associates

HIPAA extends its scope beyond covered entities to business associates: third parties that create, receive, maintain, or transmit PHI while performing functions or services on behalf of a covered entity. The Privacy Rule requires a written Business Associate Agreement (BAA) before PHI is shared, and the HITECH Act made business associates directly liable for compliance with the applicable Privacy and Security Rule provisions. Common examples include:
  • Billing and revenue cycle management firms
  • Cloud service providers that store or process ePHI (for example, AWS under a BAA); a provider is a business associate even if the ePHI it stores is encrypted and it never holds the key
  • IT service providers and consultants
  • Legal, accounting, or compliance firms reviewing PHI
  • Data destruction and shredding services
  • Software platforms such as electronic health record (EHR) systems
Subcontractors that handle PHI on behalf of a business associate are themselves business associates and must sign BAAs with the business associate that engages them, creating a chain of shared responsibility for PHI protection.

3. PHI scope and required safeguards

PHI is individually identifiable health information that relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for that healthcare, and that is created or received by a covered entity or business associate. PHI may exist in electronic, paper, or oral form. The Safe Harbor de-identification standard lists 18 identifiers that must be removed, including:
  • Names, and geographic subdivisions smaller than a state (street address, city, county, and ZIP code, except that the first three digits of a ZIP code may be retained when the corresponding area has more than 20,000 people)
  • All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, and any age over 89
  • Telephone and fax numbers
  • Email addresses, URLs, and IP addresses
  • Social Security numbers
  • Medical record and health plan beneficiary numbers
  • Account numbers, device identifiers, and serial numbers
  • Certificate and license numbers
  • Biometric identifiers, including fingerprints and voiceprints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code
For electronic PHI (ePHI), the Security Rule requires safeguards across three categories:
  • Administrative safeguards: a security management process (risk analysis and risk management), workforce training, contingency planning, and documented policies and procedures
  • Physical safeguards: facility access controls, workstation use and security, and device and media controls
  • Technical safeguards: access control, audit controls (logging), integrity protection, person or entity authentication, and transmission security; encryption is an addressable specification, so it must be implemented where reasonable and appropriate, and a decision not to implement it must be documented with an equivalent alternative
Data excluded from HIPAA scope

Not all health-related data falls under HIPAA. Key exclusions include:
  • De-identified data that meets the Safe Harbor or Expert Determination standard under 45 CFR § 164.514
  • Employment records held by a covered entity in its role as an employer
  • Education records covered by the Family Educational Rights and Privacy Act (FERPA)
  • Certain research data that is governed by separate regulatory provisions

The Sprinto advantage

The SOC 2 certification process can feel overwhelming. Sprinto simplifies this journey by automating up to 80% of the work, making it up to 5X faster and saving up to 60% of costs. Beyond just passing the audit, it maintains continuous compliance through real-time monitoring of security controls with 200+ integrations.  

With Sprinto doing the heavy lifting, you can focus on growing your business with the confidence that your security and compliance are always one step ahead.