What Individually Identifiable Health Information is Not Protected by HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. However, certain types of health information are not protected by HIPAA. This article explores those exceptions, their implications, and the criteria that differentiate them.
Employment Records
Information that an employer holds for purposes unrelated to healthcare is not protected by HIPAA, even if it includes health-related information. For example, an employer's health screening program results or an employee's medical records may be covered by state or local employment laws rather than HIPAA. Employers must ensure compliance with these specific regulations to protect employee health information.
Education Records
Information related to a student’s education, including health records maintained by educational institutions, is typically protected by the Family Educational Rights and Privacy Act (FERPA) rather than HIPAA. FERPA focuses on the privacy of educational records and the rights of students to access them. Employers and health providers should familiarize themselves with FERPA's requirements to avoid mishandling such information.
De-identified Information
Health information that has been de-identified, meaning all information that could reasonably be used to identify the individual has been removed, is not considered Protected Health Information (PHI) and is not protected by HIPAA. HIPAA provides specific criteria for de-identification, including the removal of 18 specific types of identifiers from the data. Organizations must comply with these criteria to ensure that the information no longer falls under HIPAA protection.
Personal Health Information Shared in Public
Information that individuals choose to share on social media platforms or other public forums is not protected by HIPAA. HIPAA only applies to covered entities that handle personal health information and their business associates. Information voluntarily disclosed in public domains can be accessed and used freely, though individuals may still have rights under other state or federal laws.
Certain Types of Information
Specific types of health information, such as that related to certain types of research or information that is subject to other laws like the Genetic Information Nondiscrimination Act (GINA), may not be covered by HIPAA regulations. GINA prohibits employers from discriminating against employees based on genetic information and restricts the use and disclosure of such information. Researchers and institutions involved in genetic studies should ensure compliance with both HIPAA and GINA requirements to protect patients' rights and privacy.
Health Information of Individuals Not Receiving Care
Information about individuals who are not currently patients, such as information about a person who has not been treated by a covered entity, is not protected by HIPAA. This includes information gathered by volunteer organizations, health fairs, and other community-based services that do not involve covered healthcare providers. While such information may still be subject to other data protection laws, it is not under HIPAA's purview.
Criminal History and Law Enforcement Records
Records specifically related to criminal investigations and law enforcement activities are not protected by HIPAA. While these records may contain health-related information, they are subject to different legal frameworks, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, which deals with breaches and disclosures.
HIPAA's protections are robust, but they have notable exceptions. Understanding these differences is crucial for organizations and individuals who handle sensitive health information to ensure compliance and protect patient privacy.