While HIPAA covers a wide range of entities involved in healthcare and health information, certain types of organizations and individuals are generally not considered covered entities under HIPAA. Organizations that typically fall outside the definition of a covered entity include:
- Employers: Generally, employers are not considered covered entities under HIPAA, unless they are also engaged in activities that qualify them as a healthcare provider, health plan, or healthcare clearinghouse. Employers have separate regulations and requirements under other laws, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Americans with Disabilities Act (ADA).
- Life insurers: Life insurance companies that do not provide or administer healthcare services or plans are generally not considered covered entities under HIPAA. However, if a life insurer provides health insurance policies or engages in other healthcare-related activities, it may fall under HIPAA’s jurisdiction.
- Property and casualty insurers: Property and casualty insurance providers, such as those offering automobile or homeowner’s insurance, are generally not considered covered entities under HIPAA. These insurers typically do not handle health information in the same manner as health plans.
- Schools and universities: Educational institutions, such as schools and universities, are generally not considered covered entities under HIPAA. However, they may have other requirements to protect student health information under the Family Educational Rights and Privacy Act (FERPA) and other applicable laws.
- Personal health record vendors: Vendors that provide personal health record (PHR) services directly to individuals are generally not considered covered entities under HIPAA. However, they are subject to the Federal Trade Commission (FTC) regulations and must comply with privacy and security requirements outlined in the FTC Act.
Entities that fall outside HIPAA’s definition of a covered entity are not directly subject to its regulations, but they still carry responsibilities to safeguard personal information. Employers, life insurers, schools and universities, and personal health record vendors are bound by the privacy and security laws and regulations of their own industries, and they must implement measures to protect sensitive data. For example, employers must comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Americans with Disabilities Act (ADA) when handling employee health information. Life insurers must follow the privacy and security regulations issued by the Federal Trade Commission (FTC) under the FTC Act. Schools and universities are governed by the Family Educational Rights and Privacy Act (FERPA) when safeguarding student health information, and personal health record vendors must meet the FTC’s privacy and security requirements to keep personal health records confidential. Thus, even where HIPAA does not apply, these entities remain responsible for protecting personal information and complying with the laws and regulations relevant to their respective industries.