In addition to the many petabytes of Protected Health Information (PHI) floating around electronically, there’s also a vast amount of Individually Identifiable Health Information (IIHI) not covered by HIPAA. If this scares you, it should.

This includes information that people maintain themselves on Personal Health Record (PHR) sites like Google Health and Microsoft HealthVault, plus data collected by wearable fitness trackers made by Fitbit, Garmin, Apple and others.

It may surprise you that dental labs are also excluded from HIPAA rules. Dental labs have been deemed “health care providers,” but they are not considered covered entities or business associates subject to HIPAA regulations.

Don’t assume, however, that non-covered entities have no security worries. The Federal Trade Commission (FTC) requires PHR vendors to report any breaches of unsecured IIHI – and penalties can run as high as $16,000 per violation. The rule also applies to any PHR-related entities or PHR service providers.

So the FTC and a messy mélange of state regulations are what govern non-HIPAA health breaches – a murky situation that drives most businesses crazy. A much better solution would be Federal legislation emanating from the Senate Health, Education, Labor and Pensions (HELP) committee chaired by Sen. Lamar Alexander (R-TN).

Why should we push for Federal legislation? Here are some examples of what could go wrong if IIHI gets compromised:

  • A celebrity’s dental records reveal that the star wears dentures – and that information gets shared worldwide by a gossip site like TMZ.
  • Joe Biden’s Fitbit data shows that he has an irregular heartbeat, which calls into question his fitness to serve as President if the need arises.
  • A breach at Google Health gives hackers access to thousands of users’ sensitive health data.

IIHI that slips through the cracks can be just as damaging as PHI that gets compromised. Clearly, we need federal legislation that eliminates the current confusion. The Senate HELP committee has members from 22 states, and you can contact them about this issue by visiting

Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.