What Is Healthcare-Adjacent Data?

Healthcare-adjacent data is any health‑related or health‑influenced information that falls outside HIPAA’s definition of Protected Health Information because it is not created, received, maintained, or transmitted by a covered entity or business associate, or because it is not processed for a HIPAA‑regulated activity.

As digital health tools, wearables, and AI‑driven services become more common, a growing amount of information sits near the edges of traditional healthcare. This information often looks like health data and can influence health decisions, yet it does not always qualify as Protected Health Information (PHI) under HIPAA.

Understanding the distinction between PHI and healthcare‑adjacent data has become essential for healthcare organizations, business associates, and third‑party service providers. They now operate in a regulatory environment shaped by overlapping federal and state privacy laws and by a digital ecosystem where data flows freely across clinical, consumer, and commercial systems.

How HIPAA Defines PHI — and What Falls Outside the Definition

HIPAA protects a specific category of individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate for a HIPAA‑regulated activity and that relates to an individual’s health, the provision of healthcare, or payment for healthcare. If any of these elements is missing, the information does not qualify as PHI and is not subject to the HIPAA Rules.

Healthcare‑adjacent data refers to health‑related or health‑influenced information that falls outside this definition. This includes employee health information maintained by a covered entity in its role as an employer, interactions with a hospital’s public social‑media pages, and identifiable information that has no healthcare component, such as data from cafeteria loyalty programs.

It also includes information collected by fitness trackers, consumer health apps, wellness programs, and other health‑related IoT devices. These data streams remain healthcare‑adjacent unless a third‑party service provider collects the information while acting as a business associate and transmits it to a covered entity for inclusion in the patient’s HIPAA‑protected medical record.

When Healthcare-Adjacent Data Becomes PHI

In many situations, healthcare‑adjacent data becomes PHI the moment a covered entity receives it. If a hospital imports information from a wearable or consumer health app, that data becomes PHI because it is now individually identifiable health information in the hands of a HIPAA‑regulated entity. Even non‑health information can take on PHI status if a covered entity stores it in the same designated record set as clinical or billing records.

For business associates, the analysis is more nuanced. When a business associate collects or receives healthcare‑adjacent data while performing services for a covered entity, the information becomes PHI. If the same type of data is collected for the business associate’s own purposes, outside the scope of services provided to a covered entity, it does not qualify as PHI and must be maintained separately.

The reverse scenario also matters. When an individual transfers PHI from a covered entity to a personal device or app, the copy retained by the covered entity remains PHI, but the version stored on the personal device is no longer protected by HIPAA. If the device or app vendor receives health data from the individual’s device, the vendor is not a business associate unless it has a formal business associate agreement with the covered entity that originally held the PHI.

How State Privacy Laws Treat Healthcare‑Adjacent Data

HIPAA is only one layer of the U.S. privacy landscape. Many state privacy laws exclude PHI from their scope but still regulate other types of health‑related data collected by the same organizations. This creates a situation in which a covered entity or business associate may be exempt from a state law for PHI yet fully subject to it for healthcare‑adjacent data.

California illustrates this clearly. The Confidentiality of Medical Information Act (CMIA) protects “medical information” held by providers and plans, while the California Consumer Privacy Act (CCPA/CPRA) exempts PHI but not other health‑related data such as website analytics, app telemetry, wellness‑program information, or health inferences used for marketing. A hospital’s EHR is exempt; its patient‑portal cookies and mobile‑app tracking data are not.

Washington’s My Health My Data Act goes even further. It exempts HIPAA PHI but regulates virtually any health‑related data collected by any entity, including hospitals, when the information is consumer‑generated, inferred, or collected outside treatment, payment, or healthcare operations. Other state privacy laws, including those in Colorado, Connecticut, and Virginia, follow a similar pattern: PHI is exempt, but non‑PHI health data is regulated as “sensitive data.”

This patchwork means that healthcare‑adjacent data often carries privacy obligations even when HIPAA does not apply.

Federal Rules That Affect Healthcare‑Adjacent Data and PHI

When healthcare-adjacent data is breached, the primary federal rule that may apply is the FTC's Health Breach Notification Rule. This rule requires vendors of personal health records and similar services to notify the Federal Trade Commission and affected individuals if unencrypted, individually identifiable health information is exposed. The rule fills part of the regulatory gap for consumer‑generated health data that falls outside the scope of HIPAA.

HIPAA itself also contains provisions that affect how PHI may be shared in contexts that overlap with consumer‑facing technologies. Two important exceptions in the Privacy Rule allow covered entities to disclose PHI without patient authorization.

The first, found in 45 CFR §164.512(b)(1), permits disclosures to FDA‑regulated device vendors for activities related to the quality, safety, or effectiveness of an FDA‑regulated product. This includes personal health devices that transmit data to AI‑driven healthcare solutions.

The second exception, in 45 CFR §164.512(i)(1), allows PHI to be disclosed for preparatory research without de‑identification if the disclosure is approved by an Institutional Review Board or Privacy Board. In these cases, the PHI must remain with the covered entity and may only be used for preparatory activities such as training a supervised learning algorithm.

Together, these federal and state frameworks create a complex environment in which PHI, healthcare‑adjacent data, and consumer‑generated health information may each be subject to different obligations depending on who holds the data, why it was collected, and how it is used.

Must Covered Entities Combine All Health Information Into HIPAA‑Protected Record Sets?

Some organizations believe that covered entities are required to combine all health‑related data into HIPAA‑protected designated record sets to simplify HIPAA compliance. In practice, the picture is mixed.

HIPAA does not require covered entities to consolidate all health‑related data into a designated record set (DRS). A DRS is defined narrowly. It includes medical records, billing records, and other records used to make decisions about individuals. Website analytics, marketing data, app telemetry, and consumer‑generated data do not belong in a DRS unless the covered entity intentionally places them there.

Some organizations do consolidate data to reduce ambiguity and apply HIPAA‑level safeguards universally. This approach simplifies HIPAA training and reduces the risk of misclassification. However, many organizations intentionally keep systems separate because adding data to a DRS increases HIPAA obligations, complicates vendor relationships, and may conflict with state privacy requirements. Marketing platforms, mobile apps, and analytics tools often operate outside HIPAA, and vendors may not sign Business Associate Agreements for non‑clinical data.

The trend is toward hybrid models in which organizations apply HIPAA‑like protections to all health‑related data while still maintaining clear boundaries between PHI and non‑PHI systems for regulatory and operational reasons.

Why Understanding What Healthcare-Adjacent Data Is Matters

As healthcare delivery expands beyond traditional clinical settings, more data flows through consumer devices, apps, and AI‑enabled tools that sit outside HIPAA’s boundaries. This creates regulatory gaps, new obligations for vendors, and new risks for covered entities receiving external data.

Understanding what qualifies as PHI, and what qualifies as healthcare-adjacent data, is essential for designing compliant workflows, evaluating vendor relationships, and protecting individuals whose health information now moves across environments both regulated and unregulated by HIPAA.

The post What Is Healthcare-Adjacent Data? appeared first on The HIPAA Journal.

DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches

Central States Dermatology Services (DOCS Dermatology Group) in Ohio and The Center for Neuropsychology and Learning in Michigan have identified unauthorized access to patient data.

Central States Dermatology Services, Ohio

Central States Dermatology Services, LLC, doing business as DOCS Dermatology Group (DOCS), has disclosed a security incident that was identified on November 27, 2025. Suspicious activity was identified within its network, and, assisted by third-party cybersecurity experts, DOCS determined that an unauthorized third party had access to its network from November 19, 2025, to November 27, 2025.

The data review is ongoing, so the number of affected individuals had yet to be confirmed; however, DOCS has determined that the data compromised in the incident includes names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, dates of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, health insurance information, and/or medical billing/claims information. DOCS is reviewing its policies and procedures related to data security and has engaged cybersecurity experts to review its security measures and make enhancements to strengthen security. At the time of the announcement, DOCS had not identified any misuse of the affected information.

The Center for Neuropsychology and Learning, Michigan

The Center for Neuropsychology and Learning in Ann Arbor, Michigan, has discovered that a malicious cyber actor accessed a server containing the sensitive data of 3,722 of its clients. The unauthorized access was detected on November 10, 2025, and the forensic investigation confirmed that the server was accessed at some point between October 14 and October 31, 2025.

The server was analyzed and found to contain protected health information such as names, dates of birth, contact information, service type(s), and/or test reports. Highly sensitive information, such as Social Security numbers, financial information, and therapy notes, was not stored on the server. The Center for Neuropsychology and Learning has confirmed that the threat has been fully mitigated, and notifications have been mailed to the affected individuals, who have been offered 12 months of complimentary credit monitoring and identity theft protection services as a precaution.

The post DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches appeared first on The HIPAA Journal.