The Health Insurance Portability and Accountability Act of 1996 may be the most well-known privacy law in the United States, but it is also one of the most misunderstood.

Many people don’t even get the acronym correct. It is HIPAA, with one P and two A’s.

“More often than not when someone mentions a situation where they think the law protects their privacy, they’re wrong,” reads a new Consumer Reports article, which lays out situations where HIPAA doesn’t apply,

That said, it is important to note that health information is sensitive information. And that is now regulated (or could be soon) under several other U.S. privacy laws, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA) and the proposed American Data Privacy and Protection Act (ADPPA). The Federal Trade Commission (FTC) also recently issued guidance on compromised health information.

HIPAA only lays out privacy rules for most health care providers and insurance companies to follow when they handle personally identifiable medical data. The same piece of information that is protected by HIPAA at a doctor’s office is not protected by it in other settings.

Specifically, HIPAA generally doesn’t protect you when:

  • Browsing the internet for health info
  • Wearing a smartwatch
  • Shopping at a drugstore for OTC meds (HIPAA does governs your data at registers where you can pay for prescriptions).
  • Fielding questions about vaccination status
  • Using a period tracker or other app. (HIPAA does apply if the app in question works for your insurance company or your healthcare provider, handling personally identifiable health information. The app developer is therefore a “business associate” under the law.)
  • Bringing your phone to a medical clinic