What is the Origin of Non-HIPAA Covered Entities?

This term is a legal and regulatory construct defined by exclusion from the HIPAA statute, which specifically names Covered Entities as health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. The rapid expansion of consumer health technology outside of this traditional clinical triad necessitated this distinction. The resulting regulatory gap has led to increased scrutiny by the Federal Trade Commission (FTC).

What is the Mechanism of Non-HIPAA Covered Entities?

The mechanism by which these entities operate regarding data is governed by their own privacy policies, state laws, and the oversight of consumer protection agencies like the FTC, rather than the rigorous security standards of HIPAA. They typically obtain consent through terms of service agreements, which may permit broader use or sharing of aggregated or de-identified data. Understanding this mechanism empowers consumers to make informed choices about their personal health data.

Non-HIPAA Covered Entities

Meaning

Non-HIPAA Covered Entities are individuals or organizations that collect, process, or store personal health-related information but do not fall under the jurisdiction of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules. This category primarily includes direct-to-consumer wellness apps, fitness trackers, many pharmaceutical manufacturers, and certain non-clinical technology companies. The distinction is crucial because the health data they handle is often not afforded the same federal privacy protections as data held by hospitals or insurance plans.