What type of information is excluded from HIPAA protection?

The exclusion of employment records held by a covered entity in its role as an employer from HIPAA protection is grounded in the scope of the legislation itself. HIPAA, the Health Insurance Portability and Accountability Act, is primarily designed to protect the privacy and security of health information. However, it applies specifically to protected health information (PHI) that is created, received, maintained, or transmitted by healthcare providers, health plans, and healthcare clearinghouses in relation to the provision of healthcare services.

While employers may hold health-related data about employees, these records are typically classified as employment records and not as PHI when they are maintained in relation to employment, such as information about job-related injuries, health assessments required for employment, or wellness programs. Therefore, these types of records do not fall under the protections afforded by HIPAA.

In contrast, patient medical records maintained by healthcare providers, insurance information related to healthcare, and telehealth communication records all contain health information that pertains directly to the delivery of healthcare services, making them subject to HIPAA regulations and protections. Thus, this distinction clearly underpins why employment records are excluded.