What Is Healthcare-Adjacent Data?

Healthcare-adjacent data is any health‑related or health‑influenced information that falls outside HIPAA’s definition of Protected Health Information because it is not created, received, maintained, or transmitted by a covered entity or business associate, or because it is not processed for a HIPAA‑regulated activity.

As digital health tools, wearables, and AI‑driven services become more common, a growing amount of information sits near the edges of traditional healthcare. This information often looks like health data and can influence health decisions, yet it does not always qualify as Protected Health Information (PHI) under HIPAA.

Understanding the distinction between PHI and healthcare‑adjacent data has become essential for healthcare organizations, business associates, and third‑party service providers. They now operate in a regulatory environment shaped by overlapping federal and state privacy laws and by a digital ecosystem where data flows freely across clinical, consumer, and commercial systems.

How HIPAA Defines PHI — and What Falls Outside the Definition

HIPAA protects a specific category of individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate for a HIPAA‑regulated activity and that relates to an individual’s health, the provision of healthcare, or payment for healthcare. If any of these elements is missing, the information does not qualify as PHI and is not subject to the HIPAA Rules.

Healthcare‑adjacent data refers to health‑related or health‑influenced information that falls outside this definition. This includes employee health information maintained by a covered entity in its role as an employer, interactions with a hospital’s public social‑media pages, and identifiable information that has no healthcare component, such as data from cafeteria loyalty programs.

It also includes information collected by fitness trackers, consumer health apps, wellness programs, and other health‑related IoT devices. These data streams remain healthcare‑adjacent unless a third‑party service provider collects the information while acting as a business associate and transmits it to a covered entity for inclusion in the patient’s HIPAA‑protected medical record.

When Healthcare-Adjacent Data Becomes PHI

In many situations, healthcare‑adjacent data becomes PHI the moment a covered entity receives it. If a hospital imports information from a wearable or consumer health app, that data becomes PHI because it is now individually identifiable health information in the hands of a HIPAA‑regulated entity. Even non‑health information can take on PHI status if a covered entity stores it in the same designated record set as clinical or billing records.

For business associates, the analysis is more nuanced. When a business associate collects or receives healthcare‑adjacent data while performing services for a covered entity, the information becomes PHI. If the same type of data is collected for the business associate’s own purposes, outside the scope of services provided to a covered entity, it does not qualify as PHI and must be maintained separately.

The reverse scenario also matters. When an individual transfers PHI from a covered entity to a personal device or app, the copy retained by the covered entity remains PHI, but the version stored on the personal device is no longer protected by HIPAA. If the device or app vendor receives health data from the individual’s device, the vendor is not a business associate unless it has a formal business associate agreement with the covered entity that originally held the PHI.

How State Privacy Laws Treat Healthcare‑Adjacent Data

HIPAA is only one layer of the U.S. privacy landscape. Many state privacy laws exclude PHI from their scope but still regulate other types of health‑related data collected by the same organizations. This creates a situation in which a covered entity or business associate may be exempt from a state law for PHI yet fully subject to it for healthcare‑adjacent data.

California illustrates this clearly. The Confidentiality of Medical Information Act (CMIA) protects “medical information” held by providers and plans, while the California Consumer Privacy Act (CCPA/CPRA) exempts PHI but not other health‑related data such as website analytics, app telemetry, wellness‑program information, or health inferences used for marketing. A hospital’s EHR is exempt; its patient‑portal cookies and mobile‑app tracking data are not.

Washington’s My Health My Data Act goes even further. It exempts HIPAA PHI but regulates virtually any health‑related data collected by any entity, including hospitals, when the information is consumer‑generated, inferred, or collected outside treatment, payment, or healthcare operations. Other state privacy laws, including those in Colorado, Connecticut, and Virginia, follow a similar pattern: PHI is exempt, but non‑PHI health data is regulated as “sensitive data.”

This patchwork means that healthcare‑adjacent data often carries privacy obligations even when HIPAA does not apply.

Federal Rules That Affect Healthcare‑Adjacent Data and PHI

When healthcare-adjacent data is breached, the primary federal rule that may apply is the Health Breach Notification Rule. This Rule requires vendors of personal health records and similar services to notify the Federal Trade Commission and affected individuals if unencrypted, individually identifiable health information is exposed. The rule fills part of the regulatory gap for consumer‑generated health data that falls outside the scope of HIPAA.

HIPAA itself also contains provisions that affect how PHI may be shared in contexts that overlap with consumer‑facing technologies. Two important exceptions in the Privacy Rule allow covered entities to disclose PHI without patient authorization.

The first, found in 45 CFR §164.512(b)(1), permits disclosures to FDA‑regulated device vendors for activities related to the quality, safety, or effectiveness of an FDA‑regulated product. This includes personal health devices that transmit data to AI‑driven healthcare solutions.

The second exception, in 45 CFR §164.512(i)(1), allows PHI to be disclosed for preparatory research without de‑identification if the disclosure is approved by an Institutional Review Board or Privacy Board. In these cases, the PHI must remain with the covered entity and may only be used for preparatory activities such as training a supervised learning algorithm.

Together, these federal and state frameworks create a complex environment in which PHI, healthcare‑adjacent data, and consumer‑generated health information may each be subject to different obligations depending on who holds the data, why it was collected, and how it is used.

Must Covered Entities Combine All Health Information Into HIPAA‑Protected Record Sets?

Some organizations believe that covered entities are required to combine all health‑related data into HIPAA‑protected designated record sets to simplify HIPAA compliance. In practice, the picture is mixed.

HIPAA does not require covered entities to consolidate all health‑related data into a designated record set (DRS). A DRS is defined narrowly. It includes medical records, billing records, and other records used to make decisions about individuals. Website analytics, marketing data, app telemetry, and consumer‑generated data do not belong in a DRS unless the covered entity intentionally places them there.

Some organizations do consolidate data to reduce ambiguity and apply HIPAA‑level safeguards universally. This approach simplifies HIPAA training and reduces the risk of misclassification. However, many organizations intentionally keep systems separate because adding data to a DRS increases HIPAA obligations, complicates vendor relationships, and may conflict with state privacy requirements. Marketing platforms, mobile apps, and analytics tools often operate outside HIPAA, and vendors may not sign Business Associate Agreements for non‑clinical data.

The trend is toward hybrid models in which organizations apply HIPAA‑like protections to all health‑related data while still maintaining clear boundaries between PHI and non‑PHI systems for regulatory and operational reasons.

Why Understanding What Healthcare-Adjacent Data Is Matters

As healthcare delivery expands beyond traditional clinical settings, more data flows through consumer devices, apps, and AI‑enabled tools that sit outside HIPAA’s boundaries. This creates regulatory gaps, new obligations for vendors, and new risks for covered entities receiving external data.

Understanding what qualifies as PHI, and what qualifies as healthcare-adjacent data, is essential for designing compliant workflows, evaluating vendor relationships, and protecting individuals whose health information now moves across environments both regulated and unregulated by HIPAA.

The post What Is Healthcare-Adjacent Data? appeared first on The HIPAA Journal.

DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches

Central States Dermatology Services (DOCS Dermatology Group) in Ohio and The Center for Neuropsychology and Learning in Michigan have identified unauthorized access to patient data.

Central States Dermatology Services, Ohio

Central States Dermatology Services, LLC, doing business as DOCS Dermatology Group (DOCS), has disclosed a security incident that was identified on November 27, 2025. Suspicious activity was identified within its network, and, assisted by third-party cybersecurity experts, DOCS determined that an unauthorized third party had access to its network from November 19, 2025, to November 27, 2025.

The data review is ongoing, so the number of affected individuals has yet to be confirmed; however, DOCS has determined that the data compromised in the incident includes names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, dates of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, health insurance information, and/or medical billing/claims information. DOCS is reviewing its policies and procedures related to data security and has engaged cybersecurity experts to review its security measures and make enhancements to strengthen security. At the time of the announcement, DOCS had not identified any misuse of the affected information.

The Center for Neuropsychology and Learning, Michigan

The Center for Neuropsychology and Learning in Ann Arbor, Michigan, has discovered that a malicious cyber actor accessed a server containing the sensitive data of 3,722 of its clients. The unauthorized access was detected on November 10, 2025, and the forensic investigation confirmed that the server was accessed at some point between October 14 and October 31, 2025.

The server was analyzed and found to contain protected health information such as names, dates of birth, contact information, service type(s), and/or test reports. Highly sensitive information, such as Social Security numbers, financial information, and therapy notes, was not stored on the server. The Center for Neuropsychology and Learning has confirmed that the threat has been fully mitigated, and notifications have been mailed to the affected individuals, who have been offered 12 months of complimentary credit monitoring and identity theft protection services as a precaution.

What is Medical Practice Management Software?

Medical practice management software is a clinic operations system that helps a medical practice schedule patients, manage billing and payments, track day-to-day workflows, and monitor performance from one place.

Practice management software sits at the center of administrative work. It supports front desk scheduling, patient registration, insurance workflows, checkout, and financial reporting, while also helping clinical and administrative teams stay organized as a practice grows. Many platforms also connect to or include EHR tools, patient messaging, and claims workflows, so teams do not have to juggle multiple disconnected systems.

What Medical Practice Management Software Helps a Practice Do

A strong practice management platform is built to reduce manual steps. It helps staff avoid duplicate data entry, prevents missed charges, shortens the time from visit to claim, and improves visibility into what is happening across the practice. For many practices, it also improves the patient experience through smoother booking, reminders, and payment options.

Common users include front desk teams, billers, office managers, administrators, and practice owners. In multi-location or multi-provider settings, the software also supports more complex scheduling rules and shared resources.

Features of Medical Practice Management Software

Scheduling and resource management

A practice management system should support customizable scheduling by rooms, practitioners, and locations. This matters when a clinic has multiple providers, shared spaces, rotating schedules, or different appointment types that require different resources.

Checkout and documentation support

A practice management system should support simplified checkout with chart imports into superbills and 1500 claims forms. This helps reduce missed charges and improves consistency between documentation and billing workflows.

Integrated payments

A practice management system should include integrated payment processing so staff can collect patient responsibility at the time of service and support online payment options when needed. It should also keep payment records tied to patient accounts for accurate statements and follow-up.

Claims workflows and payment posting

A practice management system should support electronic claims filing with EOBs and automated payment posting. This reduces manual reconciliation work and helps billing teams track claim status and reimbursement trends.

Inventory and purchasing

A practice management system should support easy inventory and purchase order management. This is especially helpful for practices that dispense supplies or products and need to track stock levels, vendors, and replenishment.

Reporting and performance visibility

A practice management system should include reporting on operational and financial performance. That includes visibility into scheduling utilization, collections, aging, revenue by service, and other measures that show how the practice is performing.

How to Evaluate Medical Practice Management Software

When comparing options, focus on how well the platform matches your workflow. Look for strong scheduling flexibility, clean checkout and billing workflows, reliable payment processing, reporting you can actually use, and support that helps your team adopt the system without disruption. The HIPAA Journal recommends OptiMantra as the best medical practice management software for small medical practices because it helps practices run daily operations more smoothly by combining advanced scheduling, built-in payments, inventory tools, and performance reporting in one unified platform. Instead of switching between separate systems for calendars, checkout, payment processing, supply tracking, and analytics, teams can use OptiMantra to manage these workflows in a single environment with a consistent process.

OptiMantra includes scheduling functions for self-scheduling by room, practitioner, and location, with options for website-embedded scheduling and in-office scheduling. Patient-facing functions in OptiMantra include a patient portal and automated appointment reminders for patients and staff. Outreach and tracking functions include marketing conversion tracking and promotional outreach tools. The OptiMantra billing functions include an insurance billing module with visibility into pending claims and claim status, auto-posting of remittance information, and integrated revenue cycle management services. The OptiMantra reporting functions include snapshots for daily deposits, aging reports, patient account statements, and insurance billing summaries.

Healthcare Technology Company Discloses Ransomware Attack

Cyberattacks and data breaches have recently been announced by the healthcare technology company Insightin Health and the Colorado-based medical billing and practice management company, Clinic Service Corporation.

Insightin Health, Maryland

Insightin Health, a Baltimore, MD-based healthcare technology company that offers an AI-driven digital health platform to health insurers and payers, has experienced a cyberattack involving unauthorized access to patient data. Suspicious network activity was identified in September 2025, and the forensic investigation confirmed unauthorized access to its network between September 17, 2025, and September 23, 2025.

The data review revealed the exposed files included protected health information associated with its clients, such as names, dates of birth, contract numbers, health insurance providers’ non-unique identifiers, Medicare Beneficiary Identifiers, and information associated with attributed providers. The substitute data breach notice includes steps that the affected individuals can take to protect themselves against misuse of their information. While not stated in the substitute breach notice, the affected individuals should be aware that the Medusa ransomware group claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the Insightin Health network.

Clinic Service Corporation, Colorado

Clinic Service Corporation, a medical billing and practice management company based in Denver, Colorado, has experienced a hacking incident that exposed sensitive data. The intrusion was identified on August 17, 2025, and the forensic investigation confirmed that its network was accessed by an unauthorized third party from August 10, 2025, to August 17, 2025.

The data review has confirmed that personally identifiable information (PII) and protected health information (PHI) was compromised in the incident, including names, addresses, phone numbers, email addresses, dates of birth, diagnoses, treatment information, patient ID numbers, dates of service, medical record numbers, Medicare/Medicaid numbers, health insurance information, claims information, and treatment cost information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified, although the incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
