In addition to the many petabytes of Protected Health Information (PHI) floating around electronically, there’s also a vast amount of Individually Identifiable Health Information (IIHI) not covered by HIPAA. If this scares you, it should.

This includes information that people maintain themselves on Personal Health Record (PHR) sites like Google Health and Microsoft HealthVault, plus data collected by wearable fitness trackers from Fitbit, Garmin, Apple and others.

It may surprise you that dental labs are also excluded from HIPAA rules. Dental labs have been deemed “health care providers,” but they are not considered covered entities or business associates subject to HIPAA regulations.

Don’t assume, however, that non-covered entities have no security worries. The Federal Trade Commission (FTC) requires PHR vendors to report any breaches of unsecured IIHI – and penalties can run as high as $16,000 per violation. The rule also applies to any PHR-related entities or PHR service providers.

So the FTC and a messy mélange of state regulations are what govern non-HIPAA health breaches – a murky situation that drives most businesses crazy. A much better solution would be federal legislation emanating from the Senate Health, Education, Labor and Pensions (HELP) committee chaired by Sen. Lamar Alexander (R-TN).

Why should we push for federal legislation? Here are some examples of what could go wrong if IIHI gets compromised:

  • A celebrity’s dental records reveal that the star wears dentures – and that information gets shared worldwide by a gossip site like TMZ.
  • Joe Biden’s Fitbit data shows that he has an irregular heartbeat, which calls into question his fitness to serve as President if the need arises.
  • A breach at Google Health gives hackers access to thousands of users’ sensitive health data.

IIHI that slips through the cracks can be just as damaging as PHI that gets compromised. Clearly, we need federal legislation that eliminates the current confusion. The Senate HELP committee has members from 22 states, and you can contact them about this issue by visiting




Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.