6.4 When HIPAA Doesn't Apply
Module 6: HIPAA — Healthcare Privacy in the USA
Clarifies the significant and often misunderstood gaps in HIPAA coverage — employers, health apps, wearables, life insurers, and school records — and explores what laws may (or may not) fill those gaps.
Perhaps the most important thing to understand about HIPAA is that it does not protect health privacy broadly. It protects health information held by a specific, defined set of entities. For everyone else — and there are many 'everyone elses' — HIPAA offers no protection at all. This gap is one of the most consequential and contested features of US privacy law.
Employers
Your employer is not a HIPAA covered entity. If your employer learns about your health condition — from your gym's wellness programme, from a disability accommodation request, from gossip — HIPAA does not restrict what they can do with that information. The Americans with Disabilities Act (ADA) provides some protection against discrimination based on disability, and some states have additional protections. But there is no comprehensive federal law preventing employers from using health information they obtain outside of a covered entity relationship (EEOC, 2008).
Health apps and wearables
This is the gap that surprises most people. Fitbit, Apple Health, Google Fit, most mental health apps, and the vast majority of direct-to-consumer health technology are NOT HIPAA covered entities. They are consumer technology companies. The data they collect — your heart rate, sleep patterns, step count, menstrual cycle, mental health symptom logs — is governed by their own privacy policies and general consumer protection law, not HIPAA. That data can be sold to data brokers, used for advertising, or handed to employers if they run a wellness programme through the app (Federal Trade Commission, 2021).
The FTC has used its Section 5 authority to act against health apps for deceptive privacy practices, and the FTC's Health Breach Notification Rule requires certain health apps to notify users and the FTC of data breaches. But these are weaker protections than HIPAA.
Life insurers
Life insurance companies are not HIPAA covered entities. They can request medical records with your authorisation as a condition of underwriting — and you may face difficulty purchasing coverage if you decline. The Genetic Information Nondiscrimination Act (GINA) prohibits health insurers from using genetic data in underwriting, but it specifically does not apply to life, disability, or long-term care insurance.
School records
Student health records maintained by a school are generally governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. FERPA gives parents (and eligible students) rights over educational records, including health records maintained by the school. If a student receives care from a campus health clinic that is also a HIPAA covered entity, the overlap creates complexity.
Workers' compensation
Workers' compensation programmes operate under state law and typically sit outside HIPAA's direct scope. State law may require disclosure of relevant medical information as part of a claim, overriding HIPAA's default protections in the context of a workplace injury claim.
The policy gap
The practical consequence is stark: the health data generated by the most widely used health technologies in everyday life — your phone, your smartwatch, your fitness app — sits outside the flagship US health privacy law. This gap is an active area of US privacy policy debate. California's CMIA (Confidentiality of Medical Information Act) and, more recently, the My Health My Data Act in Washington State (2023) extend some protections to consumer health data outside HIPAA. But no federal solution exists yet.
Your takeaway
HIPAA is a floor, not a ceiling — and it covers less floor than many assume. Before sharing health data with any digital product, ask: is this a HIPAA covered entity? If not, your data is governed by a privacy policy and general consumer protection law, not a federal health privacy statute.