As you may know, Miletti Law@ is very active in lawsuits involving healthcare facilities, hospitals, nurses, and a myriad of matters, such as privacy and disability. While it comes up often in diverse settings, many people tend to allege HIPAA violations when filing lawsuits concerning the disclosure of personal information. However, while there are many avenues or forums in which you can file a lawsuit over privacy violations by an employer, HIPAA is not one of them. Ideally, this blog aims to shed light on what HIPAA is as a matter of law, to whom HIPAA applies, what HIPAA does, the Privacy Rule, safeguards, whether a given disclosure is incidental to an already permitted exception, employment records, the Family Educational Rights and Privacy Act (FERPA), and how HIPAA is enforced.

What does HIPAA stand for?

For starters, the correct initials for this Act are “HIPAA,” not “HIPPA.” HIPAA stands for the Health Insurance Portability and Accountability Act, a federal statutory scheme whose rules are found in the Code of Federal Regulations, specifically 45 CFR § 160. HIPAA focuses on three major areas: privacy, security, and what to do in the event of a breach. Note that in this blog and the video it has been adapted from, we have not focused on security, because it falls outside the purview of what may be asserted by most employees or patrons.

Who does HIPAA apply to?

HIPAA applies to only three fields: health plans, healthcare clearinghouses, and certain healthcare providers who electronically engage in certain financial and administrative transactions, namely those electronic transactions for which standards have been adopted by the Secretary of HHS under HIPAA, such as billing and fund transfers (just fancy language referring to your doctor and how they bill you).

What does HIPAA do?

Essentially, HIPAA creates national standards aimed at protecting sensitive and personal patient health information from disclosure without the knowledge or consent of the patient. However, it is critical to remember that this applies only to the three covered entities: health plans, healthcare clearinghouses, and healthcare providers in connection with how they bill patients.

The HIPAA Privacy Rule

As a key pillar of HIPAA, the Privacy Rule was intended to establish national standards for protecting an individual’s identifiable health information, also known as PII (personally identifiable information) or PHI (protected health information), from being disclosed without the consent or knowledge of the individual in question. Such information may include, but is not limited to, a person’s medical history, whether they are sick and what ailment they have, the conditions or health issues they have, and the medications they are on, among others.

While HIPAA is a very broad and complex Act, its Privacy Rule provides safeguards and sets limits and conditions on such disclosures. Ideally, for the three covered entities, HIPAA provides safeguards to protect personal health information, provides rights over who holds and controls such information, offers security standards, and spells out what happens or what to do in the case of a breach or violation. However, HIPAA is not applicable if the disclosure of personal health information does not involve or relate to the three covered entities mentioned above.

It is also crucial to note that HIPAA provides for exclusions or exceptions, meaning that even if one is a covered entity, there is a litany of exclusions it can rely on to decide what to do, or even to avoid the requirements altogether. For instance, exclusions are allowed if the disclosure is necessary to carry out treatment, if the disclosure is permitted by the individual directly, or if the disclosure is important for purposes of national security, such as requests for dental records, among other reasons.

In some instances, a disclosure is said to be incidental to an already permitted exception, such as in the case of disclosure to the individual themselves. For instance, assume that you go to a doctor and have your son or daughter with you; the doctor tells you something and your son or daughter hears it because he or she is in the room. That disclosure is incidental to an already permitted exception and, therefore, is itself an exception.

Who does HIPAA not Apply to?

As probably the most important takeaway for the reader, HIPAA expressly does not cover or apply to:

  • Restaurants, retail, and entertainment and theme parks – if you go to a restaurant and are asked to produce a vax card (assuming mandatory vaccinations are in effect), do not assume that you are being asked for PII or PHI, because the entity is not covered and, therefore, that would not amount to a HIPAA violation.
  • Employers – if you are an employer that is not one of the covered entities, or your employer is not among the three covered entities, then HIPAA is not the way to go in the case of a violation. Notably, HIPAA’s Privacy Rule does not cover employment records, which are thus not subject to the Act’s protection.
  • Elementary and secondary schools – unless a school is linked to a healthcare provider and has a doctor on hand for staff and/or students (such as schools known to be aggressive in sports), in which case HIPAA might apply to that specific instance, the school itself, as an entity, is not covered under HIPAA 99.99% of the time.

The Family Educational Rights and Privacy Act (FERPA)

However, a school might be subject to an exclusion, not under HIPAA, but under other statutes, such as the Family Educational Rights and Privacy Act (FERPA), which would further permit the disclosure of certain records because they are education-related records.

How is HIPAA Enforced?

Essentially, there is no private cause of action under HIPAA. HIPAA is usually enforced only through the Department of Health & Human Services (HHS) or by a comparable state agency. New York has its own HHS, which acts as the enforcement agency. Thus, there is no private cause of action, and not that you would want one anyway, because HIPAA violations are not money pits or goldmines for complainants.

With that, feel free to view our video, accessible at, and get it directly from the horse’s mouth. Otherwise, if you need further clarification regarding the information shared in the video and this blog post, or require our services, we are just a call or email away!

As we continue dropping knowledge bombs every day, stay tuned for more educative videos, inspiring training, & legal advice. In the interim, if there are any questions or comments, please let us know at the Contact Us page!

Always rising above the bar,

Isaac T.,

Legal Writer, Author, & Publisher.