A Guide to What HIPAA Protects

July 25, 2025
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a cornerstone of the U.S. healthcare industry, primarily designed to protect patient privacy and secure health information. But do you know what HIPAA actually protects? Initially, the law addressed the continuity of health insurance coverage: without HIPAA, people who lost their existing coverage could be left without health insurance and unable to pay for effective healthcare.
Today, HIPAA also governs the privacy and security of patient data across the healthcare industry. Read on to learn more.
PHI and HIPAA
PHI stands for Protected Health Information, sometimes called HIPAA data. It includes any information in an individual’s medical record that can personally identify them. It must be created, used, and shared securely during diagnosis and treatment, and it extends to the many identifiers and other details documented throughout the patient care and billing processes. Therefore, you must have proper safeguards in place whenever you collect PHI.
Components of PHI
According to the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), the following 18 identifiers qualify as HIPAA-protected health information:
- Name
- Address (including geographic subdivisions such as street address, city, county, or zip code)
- Any specific dates (other than years) directly related to the patient, including their birth date, date of admission, date of discharge, date of death, or exact age
- Contact number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Device identifiers or serial numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Web URLs
- IP Address
- Biometric identifiers, including fingerprints or voiceprints
- Full-face photos
- Any other possible unique identifying numbers, codes, or characteristics
What Does HIPAA Protect?
Are you wondering what HIPAA protects? HIPAA protects a broad category of Protected Health Information (PHI), which includes many types of data. Regardless of its format, HIPAA requires that this information remain secure. Here are the forms in which HIPAA protection applies.
Electronic Protected Health Information (ePHI)
Electronic Protected Health Information (ePHI) is any PHI that is created, stored, transmitted, or received in electronic form. The HIPAA Security Rule sets specific requirements for how ePHI may be accessed and must be protected. HIPAA applies to any storage medium that holds patient data, including:
- Personal computers with internal hard drives
- External portable hard drives
- Magnetic tape
- Removable storage devices, including USB drives, CDs, DVDs, and SD cards
- Smartphones and PDAs
It also covers patient data transmitted over Wi-Fi, Ethernet, modem, DSL, or cable network connections, for example by email or file transfer. Electronic health records make it easier to view, edit, and track patient care.
To keep these systems HIPAA-compliant, you have to use technical controls to protect the information. For instance, you can issue unique usernames and passwords that grant each user only limited access to patient files.
Paper Records
If you hold any patient records in printed form, those are also covered by HIPAA. However, paper records (e.g., a copy of a patient’s ID or health insurance card) can be difficult to protect without a proper filing system in place. Therefore, access to these records should be limited to authorized healthcare professionals to keep them confidential.
Spoken Information
As a healthcare professional, you are also responsible under HIPAA for protecting PHI that you speak aloud. While discussing patient care with colleagues is necessary, HIPAA protection extends to all spoken PHI. Discussions should be held privately and only with individuals authorized to receive that information: speak about the patient’s condition in a private room, with only those who are permitted access to the information present. That includes other healthcare providers, the patient, and the patient’s parents or guardians if the patient is under 18 years of age. If an adult patient has a visitor or caretaker present, make sure HIPAA requirements are met before discussing the matter in front of them.
Security Rule Requirements
The Security Rule requirements protect the confidentiality of patients’ ePHI. As part of HIPAA protection, you should perform a security risk analysis and develop appropriate policies to ensure your workforce is HIPAA-compliant. The Security Rule covers three areas of security:
- Administrative safeguards, including any administrative actions, policies, or procedures that protect ePHI.
- Physical safeguards to protect physical access to ePHI, including access controls, device controls, and workstation security.
- Technical safeguards for ePHI, including access controls, audit controls, and authentication procedures.
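The three technical safeguards listed above, together with the earlier point about usernames and passwords granting only limited access to patient files, can be shown in one small model. The following is an added example written for this article, not code from the original page or from any HIPAA tooling: it authenticates a user with a salted PBKDF2 password check, returns only the record fields that user's role needs (access control), and writes an audit entry for every attempt, whether it succeeds or fails. The usernames, roles, field sets and the patient record are all constructed for the example.

```python
"""Technical safeguards for ePHI access: authentication, role-based access
control and an audit trail (added example, not from the original article)."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# Minimum-necessary field set per role (constructed policy for this example).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis_code", "medications", "notes"},
    "billing": {"name", "health_plan_id", "diagnosis_code"},
    "front_desk": {"name", "phone"},
}

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class EphiStore:
    """In-memory ePHI store that gates every read through the three safeguards."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes, str]] = {}  # user -> (salt, digest, role)
        self.records: dict[str, dict] = {}                    # mrn -> record
        self.audit_log: list[dict] = []                       # audit control

    def add_user(self, username: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the user's role on success, None otherwise (constant-time compare)."""
        entry = self.users.get(username)
        if entry is None:
            return None
        salt, digest, role = entry
        _, candidate = hash_password(password, salt)
        return role if hmac.compare_digest(candidate, digest) else None

    def _audit(self, username: str, mrn: str, outcome: str, fields=()) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "mrn": mrn, "outcome": outcome,
            "fields": sorted(fields),
        })

    def read_record(self, username: str, password: str, mrn: str) -> Optional[dict]:
        """Authenticate, then return only the fields the caller's role may see."""
        role = self.authenticate(username, password)
        if role is None:
            self._audit(username, mrn, "auth_failed")
            return None
        record = self.records.get(mrn)
        if record is None:
            self._audit(username, mrn, "not_found")
            return None
        allowed = ROLE_FIELDS.get(role, set())
        view = {k: v for k, v in record.items() if k in allowed}
        self._audit(username, mrn, "granted", view.keys())
        return view

def build_demo_store() -> EphiStore:
    """Populate a store with constructed users and one constructed patient record."""
    store = EphiStore()
    store.add_user("dr.lee", "physician-pass-demo", "physician")
    store.add_user("bill.clerk", "billing-pass-demo", "billing")
    store.records["MRN-0001"] = {  # constructed test data, not a real patient
        "name": "Jane Q. Example", "dob": "1984-06-02", "ssn": "123-45-6789",
        "phone": "(555) 123-4567", "health_plan_id": "HP-77",
        "diagnosis_code": "E11.9", "medications": ["metformin"],
        "notes": "Follow-up in 3 months.",
    }
    return store

if __name__ == "__main__":
    demo = build_demo_store()
    print(demo.read_record("bill.clerk", "billing-pass-demo", "MRN-0001"))
    print(demo.read_record("dr.lee", "wrong-password", "MRN-0001"))
    for entry in demo.audit_log:
        print(entry)
```

Note that the billing view never contains the SSN, phone number, or clinical notes even though they sit in the same record, and that a failed login leaves an audit entry just as a successful read does; both properties are what an auditor reviewing access to ePHI will ask to see.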
What Does HIPAA Not Protect?
While HIPAA protection covers a lot of parameters for patient confidentiality, it doesn’t cover every aspect of healthcare. Knowing what HIPAA does not protect will help you ensure you are complying with the law in the right way. Let us explore some elements that are not protected by HIPAA.
De-identified Information
Health information that cannot be linked to a specific person is called de-identified information. It may still describe diagnoses and treatments, but it cannot be tied to any one individual. When such records lack names, addresses, or any other specific identifiers, they are not covered under HIPAA protection, because they cannot be traced back to an individual. These generic records are useful for public health data collection and surveys.
Employee Records
When you work at a medical facility, your employer keeps records about you on file. Such employment records are not covered by HIPAA protection: because you are an employee rather than a patient in that relationship, those records are not subject to HIPAA standards and rules.
Who Does HIPAA Cover?
HIPAA compliance is required for organizations and third parties that handle or manage Protected Health Information (PHI). They are collectively known as covered entities. The covered entities include:
Healthcare Providers
Healthcare providers such as doctors, hospitals, clinics, psychologists, and pharmacies should comply with HIPAA. They hold a crucial role in the delivery of healthcare services. They are responsible for maintaining the privacy of patients’ data. If you are a healthcare professional, you must follow the HIPAA protocols when electronically transmitting and overseeing PHI. You should implement proper safeguards to protect patient data and ensure appropriate access and disclosures.
Health Plans
Health plans, including those offered by insurance companies, employer-sponsored plans, Medicare, Medicaid, and other government programs, are covered entities. They manage health insurance coverage and should, therefore, comply with HIPAA to protect the privacy of individual health information.
Health plans have certain obligations to implement privacy policies and provide notice of their privacy practices. You should also develop safeguards to secure patients’ PHI against unauthorized access or disclosures.
Healthcare Clearinghouses
Healthcare clearinghouses process nonstandard health information into standardized formats. They operate as intermediaries between healthcare providers and health plans, ensuring seamless electronic exchange of health information.
Covered healthcare clearinghouses must adhere to HIPAA rules. You should implement security measures and safeguards to protect the integrity, availability, and confidentiality of PHI. This will ensure the secure transmission and conversion of health data for interoperability and efficiency of electronic healthcare transactions.
Business Associates
Business associates are external entities or individuals that provide services to, or perform functions involving PHI on behalf of, a covered entity. They include third-party administrators, billing companies, IT providers, and certain consultants. Covered entities must have written agreements with their business associates outlining each party’s roles and responsibilities in protecting the PHI.
These agreements should address issues such as permissible uses and disclosures of PHI, security safeguards, breach notification requirements, and compliance with the HIPAA Privacy Rule.
Who Does Not Have to Comply with HIPAA?
While HIPAA applies to most of the professionals in the healthcare sector, it doesn’t cover everyone. Here are some entities that are not required to comply with HIPAA regulations.
- Life Insurers: Life insurers primarily deal with life insurance policies and do not handle or manage protected health information (PHI) as defined by HIPAA.
- Employers: Employers are not covered by HIPAA regulations because they manage information for employment-related purposes only, not for healthcare operations.
- Workers’ Compensation Carriers: Workers’ compensation carriers are exempt from HIPAA because the information they handle relates to work-related injuries or illnesses.
- Schools and School Districts: Schools and school districts, except those that run healthcare facilities or have specific health programs, are not subject to HIPAA because they mostly handle educational records and student information.
- State Agencies: State agencies, such as child protective service agencies, deal with sensitive information related to child welfare or social services. They are typically regulated under state-specific privacy laws rather than HIPAA.
- Law Enforcement Agencies: Law enforcement agencies involved in protecting public safety are exempt from HIPAA because they focus on law enforcement activities rather than the provision of healthcare services.
- Municipal Offices: Municipal offices that do not operate as healthcare providers or clearinghouses are not subject to HIPAA regulations. They mostly manage administrative and government-related functions.
Stay Compliant with HIPAA
HIPAA has transformed how healthcare professionals operate. Learning what HIPAA protects will help you establish robust privacy protections for your patients and set standards for the secure handling of their health data. At the same time, HIPAA gives healthcare entities the flexibility to choose the technological safeguards that fit them while still meeting compliance requirements.
As cyber threats continue to rise, organizations need to enroll in proper HIPAA training that improves their compliance with regulations and keeps them up to date with the best practices.