What Is Not Considered PHI Under HIPAA: Key Exclusions

Protected health information (PHI) under HIPAA is narrower than most people assume. Several common categories of health-related data fall completely outside HIPAA’s protections, either because of who holds the information, how it’s been processed, or whose information it is. Understanding these exclusions matters whether you’re a healthcare worker handling records, a business managing employee data, or simply someone trying to figure out what privacy protections actually apply to your health information.

De-Identified Health Data

The single biggest category of health information that is not PHI is data that has been stripped of identifying details. Once health data is properly de-identified, HIPAA no longer applies to it at all. It can be shared, sold, or used for research without restriction.

HHS recognizes two methods for de-identification. The first, called the Safe Harbor method, requires removing 18 specific identifiers belonging to the individual, their relatives, employers, or household members:

  • Names
  • Geographic data smaller than a state (street address, city, county, ZIP code), though the first three digits of a ZIP code can remain if that three-digit zone contains more than 20,000 people
  • All date elements except year that relate to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89
  • Phone numbers, fax numbers, and email addresses
  • Social Security numbers
  • Medical record numbers and health plan beneficiary numbers
  • Account numbers and certificate or license numbers
  • Vehicle identifiers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs and IP addresses
  • Biometric identifiers like fingerprints and voiceprints
  • Full-face photos or comparable images
  • Any other unique identifying number, characteristic, or code

The organization must also have no actual knowledge that the remaining information could identify someone. The second method, called Expert Determination, allows a qualified statistician to certify that the risk of identifying any individual from the data is very small. Either path produces data that is no longer PHI.
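As an added illustration, not code from the original article or from HHS, the following Python sketch applies the Safe Harbor transformation to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse into a single "90+" bucket (the regulation also requires dropping a birth year that would reveal such an age), and a ZIP code keeps only its first three digits when the three-digit area exceeds 20,000 people. The field names, the sample record and the `ZIP3_POPULATION` table are assumptions; a real implementation would take three-digit ZIP populations from Census data. The residual scan at the end reflects the "no actual knowledge" condition: free-text fields often still carry identifiers that field-level stripping misses.

```python
"""Safe Harbor style de-identification of one patient record (added example).

Assumptions: the field names, SAMPLE_RECORD and ZIP3_POPULATION are
constructed for illustration and are not taken from the article or HHS.
"""
import re
from datetime import date

# Fields the Safe Harbor method removes outright (direct identifiers).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "license_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "photo",
}

# Date elements that may survive only as a year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed (hypothetical) population per three-digit ZIP prefix.
# The prefix may be kept only when the combined area exceeds 20,000 people.
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}
ZIP3_THRESHOLD = 20_000
AGE_CAP = 89  # ages above this collapse into a single "90+" category

# Patterns used to catch identifiers left behind in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Return the 3-digit ZIP prefix if its area is populous enough, else '000'."""
    digits = re.sub(r"\D", "", str(zip_code))[:3]
    return digits if ZIP3_POPULATION.get(digits, 0) > ZIP3_THRESHOLD else "000"


def generalize_date(value):
    """Keep only the year of a date element (accepts date objects or ISO strings)."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def generalize_age(age):
    """Ages over 89 are reported as a single '90+' bucket."""
    return "90+" if age > AGE_CAP else age


def de_identify(record):
    """Apply the Safe Harbor field rules and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value  # e.g. state, diagnosis, notes
    # A birth year alone would reveal an age over 89, so it goes as well.
    if out.get("age") == "90+":
        out.pop("birth_date", None)
    return out


def find_residual_identifiers(record):
    """Scan remaining string fields for identifier patterns (supports the
    'no actual knowledge' review; a hit means the data is not yet de-identified)."""
    hits = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        found = [m.group(0) for pat in RESIDUAL_PATTERNS.values()
                 for m in pat.finditer(value)]
        if found:
            hits[key] = found
    return hits


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "street": "12 Example Street",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "birth_date": "1931-03-09",
    "admission_date": "2023-05-14",
    "age": 92,
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "diagnosis": "I10 essential hypertension",
    "notes": "Patient prefers afternoon calls at 617-555-0100.",
}

if __name__ == "__main__":
    deid = de_identify(SAMPLE_RECORD)
    print(deid)
    print("residual identifiers:", find_residual_identifiers(deid))
```

Running it on the sample record leaves state, a three-digit ZIP, the admission year, "90+" and the diagnosis, but the residual scan flags the phone number inside `notes`: the record is not de-identified until that free text is scrubbed too.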

Employment Records

Health information in your employment records is explicitly excluded from PHI, even when your employer is a hospital, health plan, or other HIPAA-covered entity. HHS states this directly: “The Privacy Rule does not protect your employment records, even if the information in those records is health-related.”

This means drug test results in your personnel file, notes from a fitness-for-duty exam, workers’ compensation injury reports, and medical leave documentation are all outside HIPAA’s reach when your employer holds them in its capacity as an employer. The distinction matters most at healthcare organizations. If you work for a hospital, your employment records are not PHI. But if you are also a patient at that same hospital, your medical records from treatment are fully protected. The dividing line is the role the organization plays: employer versus healthcare provider.

Education and Student Health Records

Health records maintained by schools and educational institutions are generally governed by FERPA (the Family Educational Rights and Privacy Act), not HIPAA. This includes student health records, immunization records, and files kept by a school nurse. Because HIPAA’s Privacy Rule explicitly excludes information that qualifies as “education records” under FERPA, these documents fall outside the definition of PHI entirely.

This also extends to health records for students receiving services under the Individuals with Disabilities Education Act (IDEA). Those records are subject to IDEA’s own confidentiality rules and to FERPA, not HIPAA. The practical result is that a school nurse’s notes about your child’s asthma or allergy management plan are protected by different privacy laws than the records at your child’s pediatrician’s office.

Health Information Held by Non-Covered Entities

HIPAA only applies to covered entities (health plans, healthcare providers who transmit information electronically, and healthcare clearinghouses) and their business associates. Health-related information held by anyone else is simply not PHI, regardless of how sensitive it is.

Common examples include:

  • Health and fitness apps you use on your own (not provided by your doctor or health plan) collect health data that falls outside HIPAA
  • Life insurance and disability insurance companies are specifically excluded from the definition of a “health plan” under HIPAA. The same applies to workers’ compensation insurers, automobile liability coverage that includes medical payments, and credit-only insurance
  • Employers that are not healthcare providers or health plans and that collect health information directly (for example, through a wellness survey) hold data that is not PHI
  • Direct-to-consumer genetic testing companies that operate independently of healthcare providers hold data that is not PHI

HHS has confirmed that policies covering accident-only benefits, disability income, liability insurance, workers’ compensation, and automobile medical payments are all classified as “excepted benefits” and fall outside HIPAA’s health plan definition. So your health information shared with these insurers does not carry PHI protections, even though it’s clearly medical in nature.

Health Information of People Deceased for More Than 50 Years

HIPAA protections do not last forever. The Privacy Rule explicitly excludes individually identifiable health information about a person who has been dead for more than 50 years. Before that 50-year mark, a deceased person’s health information is still PHI and covered entities must protect it accordingly.

After 50 years, however, the information can be used or disclosed without any HIPAA restrictions. HHS notes this applies to medical records, correspondence files, physician diaries, casebooks, and photograph collections containing identifiable health information. This exclusion is particularly relevant for historical research and genealogy.

Aggregate and Population-Level Data

Summary statistics and population-level health data that cannot be traced back to any individual are not PHI. A hospital reporting that 30% of its patients last year had hypertension is sharing aggregate data. No individual is identifiable, so HIPAA does not apply. Similarly, public health statistics published by government agencies, disease prevalence rates, and outcome data summarized across large groups all fall outside PHI protections.

There is a middle ground worth knowing about: the “limited data set.” This is health information with most direct identifiers removed (names, Social Security numbers, phone numbers, and others) but that still includes dates, city, state, and ZIP code. A limited data set is still considered PHI, but it can be shared for research, public health, and healthcare operations purposes under a data use agreement. It occupies a space between fully identified PHI and fully de-identified data.

Information You Share Yourself

When you voluntarily disclose your own health information, that act is not regulated by HIPAA. Posting about a diagnosis on social media, telling your employer about a medical condition, or sharing health details with a friend are all outside HIPAA’s scope. HIPAA restricts what covered entities and their business associates do with your information. It does not restrict what you do with your own information, and it does not prevent others who are not covered entities from repeating what you told them.

This distinction catches many people off guard. If you tell a coworker about your surgery and that coworker tells others, no HIPAA violation has occurred. HIPAA would only be triggered if, say, your health plan or doctor’s office disclosed that information without authorization.