
Exceptions to HIPAA breach notifications rules

HIPAA safeguards protected health information (PHI) and requires covered entities and their business associates to promptly inform individuals and the Department of Health and Human Services (HHS) in the event of a breach. However, there are exceptions to HIPAA breach notifications that healthcare providers and other covered entities should be aware of, such as unintentional access, accidental disclosure, or unauthorized retention. 


What is a HIPAA breach?

HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment." 

Conducting a comprehensive risk assessment assists in determining whether a breach has occurred. Factors include:

  • The nature and extent of the PHI involved
  • The likelihood of re-identification
  • The unauthorized personnel involved
  • The type of information accessed
  • The level of risk mitigation undertaken


Understanding breach exceptions

The exceptions to HIPAA breach notifications provide guidelines to make accurate decisions, mitigate potential harm, and prevent disruptions to healthcare operations. 

While prompt breach notifications protect patient privacy and security, not all incidents require immediate notifications.


Exceptions to HIPAA breach notification

While immediate breach notification is typically required under HIPAA, there are three exceptions to HIPAA breach notifications. These exceptions acknowledge situations where the breach may not pose a significant risk to the privacy and security of PHI.


Unintentional access to PHI

If an employee unintentionally comes into contact with or uses PHI while acting in good faith and within their authorized role, this breach exception may apply. Two conditions must be met: the access or use must be unintentional, and it must be made in good faith. In addition, the employee must not go on to disclose the PHI in a manner the HIPAA Privacy Rule prohibits.


Accidental disclosure to authorized personnel

When an individual authorized to access PHI shares it with another authorized person within the same covered entity, business associate, or organized healthcare arrangement, an exception can be invoked. To qualify for this exception, the disclosed information must remain within authorized channels and should not be used or shared improperly.


Unauthorized retention

In cases where a covered entity genuinely believes that the unauthorized recipient of PHI would not have been able to retain the information, breach notification requirements may be waived.


Permitted uses and disclosures under HIPAA

While breach exceptions provide some leeway, there are also permitted uses and disclosures of PHI under HIPAA. The Department of Health and Human Services (HHS) outlines instances where healthcare providers can share PHI without explicit patient consent.


Treatment purposes

Healthcare providers can share PHI for treatment purposes, even without prior patient authorization. 


Healthcare operations activities

Covered entities can disclose PHI to other covered entities or their business associates for specific healthcare operations activities, even without patient consent. However, both entities must have a relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing entity must provide only the minimum necessary information for the procedure or operation.


HIPAA breach notification requirements

While the exceptions provide some relief from immediate breach notifications, there are HIPAA breach notification requirements for situations that do not fall under these exceptions.


Individual notice

Covered entities must inform affected individuals within 60 days of discovering a breach. They can use letters or emails to notify individuals. If contact details for ten or more individuals are outdated, alternative methods such as posting the notice on the covered entity's website or using local media can be used.


Media notice

If a breach affects over 500 individuals in a state or jurisdiction, covered entities must also notify the media in that area. This can be done through press releases or other appropriate means. 


HHS Secretary's notice

Covered entities must inform the HHS Secretary about breaches through a form on the HHS website.


Notification by a business associate

If a business associate is responsible for a breach, they must also inform the covered entity within 60 days of discovering the breach.
