What are the exceptions to HIPAA?

HIPAA exceptions include general rulings, emergency scenarios, state and federal exclusions, operational and occupational variations, and exceptions to privacy rules. These determine how certain medical situations and instances of sharing protected health information (PHI) are handled.

 

Understanding the implications of HIPAA exceptions

HIPAA focuses on safeguarding patient privacy and seeks to make healthcare more efficient. Healthcare organizations should know the exceptions in the rules and consider professional advice to find the right balance between privacy and efficiency.

Related: HIPAA Compliant Email: The Definitive Guide

 

General rule exceptions

Under HIPAA, state law takes precedence over federal law in specific situations. The following circumstances allow state law to preempt HIPAA:

  • Patients' rights: When state law provides more stringent patients' rights or privacy provisions than HIPAA
  • Reporting to public health agencies: If state law requires reporting of information to public health agencies
  • Information reporting: When state law mandates health plans to report information for audit purposes

 

State and federal exceptions

Certain educational institutions that offer medical services as a work benefit to students and staff are not considered covered entities under HIPAA. However, if an educational institution provides medical services to the public, it becomes a hybrid entity.

In such cases, safeguards must be implemented to isolate treatment records protected by the Family Educational Rights and Privacy Act (FERPA) from HIPAA-covered Protected Health Information (PHI), requiring the application of two sets of rules for staff.

 

Operational and occupational exceptions

HIPAA includes exceptions based on operations and occupation. The following guidelines qualify organizations for certain HIPAA exceptions:

  • Ambulance services: Ambulance services operating in counties without electronic billing systems are eligible for HIPAA exceptions
  • Healthcare facilities: Healthcare facilities can disclose "health condition" information from directories to callers or visitors who inquire about a patient by name
  • Military treatment facilities: Military facilities can disclose protected health information to command authorities without patient authorization for reporting purposes related to fitness for duty or military mission requirements

 

Emergency situation exceptions

Patient PHI can be used during emergencies without violating HIPAA rules. While the Privacy Rule is not set aside during emergencies, the following exceptions can apply:

  • Treatment: Covered entities can disclose PHI necessary for treating the patient without authorization
  • Public health: Public health authorities and relevant parties can access necessary PHI to carry out public health missions without individual authorization
  • Next of kin: Covered entities may share PHI with family members, relatives, friends, or individuals involved in the patient's care as identified by the patient
  • Imminent danger: Healthcare providers can share patient information with anyone necessary to prevent or lessen a serious and imminent threat to an individual's health or public safety
  • Media: Hospitals or healthcare facilities can release limited facility directory information to confirm a patient's presence and provide general information about the patient's condition

Covered entities must make reasonable efforts to limit the disclosed information to the minimum necessary for the specified purposes.

Read more: Understanding permissible disclosures in an emergency

 

Privacy rule exceptions 

In addition to the Privacy Rule exceptions outlined for emergency situations, covered entities can use and disclose PHI without individual authorization for the following purposes:

  • Oversight of the healthcare system
  • Law enforcement
  • Judicial and administrative proceedings
  • Medical examinations
  • Body identification and cause of death investigation
  • Facility directories
  • Workers' compensation
  • Other situations where the use or disclosure is mandated by other laws (e.g., state and local)

Read more: Does HIPAA apply in emergencies?
