The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy and safeguards health data. HIPAA makes strict demands on healthcare providers and insurers. But there are some HIPAA exceptions. For example, HIPAA allows:
- The disclosure of Protected Health Information (PHI) to contribute to a patient’s treatment
- Sharing information with another covered entity to organize payments
- Sharing with another covered entity to help with healthcare operations
Compliant organizations need to know what HIPAA regulations do and do not allow. A covered entity that lacks this knowledge will struggle to avoid penalties. They might also miss opportunities to use PHI productively.
This article will explain exceptions to HIPAA rules. We will learn when organizations can disclose Protected Health Information. Our HIPAA exceptions list will help you understand what you can share and what remains protected.
The impact of HIPAA exceptions
HIPAA is not supposed to be completely inflexible. The regulations aim to prevent unauthorized and harmful disclosure. The Department of Health and Human Services wants organizations to use Protected Health Information. But regulators want this use to be legitimate. The distinction between illegal and legitimate disclosure is not always well understood.
Organizations often apply excessive security and privacy controls. Even non-covered entities adopt stringent measures to avoid regulatory penalties.
Healthcare bodies overreact with the reasonable intention of meeting HIPAA requirements. But extra measures may be unnecessary. And applying excessive compliance measures has many damaging consequences for healthcare operations.
One significant consequence involves supplying information to news media. Healthcare organizations sometimes fear interacting with reporters. They are afraid of disclosing too much information about patients. And in the process, they provide an incomplete picture to the public.
For example, prisons may prescribe narcotics to inmates for medical reasons. Reporters can request a log of the number and cost of narcotics prescriptions. Prisons can supply individual medical records with PHI stripped out. But in past cases, they have refused to do so due to fears of HIPAA violations.
Cases like this led the Reporters Committee for the Freedom of the Press to publish a “Reporter’s Guide to Medical Privacy Law” in 2007. This book includes many examples of organizations failing to supply data to the media. It shows that misunderstandings about HIPAA exceptions are surprisingly common.
Common HIPAA exceptions and seeking professional advice
HIPAA allows many forms of legal PHI disclosure. Common examples include:
- Public health information. Covered entities can share PHI with public health agencies. The disclosure must assist with protecting public health.
- Health oversight. Organizations can share PHI with a health oversight agency. This applies during audit processes and investigations.
- TPO. Organizations can disclose PHI to another covered entity. This applies when disclosure involves treatment, payment, or health care operations (TPO). In these cases, parties need a healthcare operations arrangement. This agreement shields both parties and defines the scope of PHI sharing.
- Judicial purposes. Courts can request health records for use in judicial proceedings.
- Emergency donations. Organizations can share PHI to enable emergency organ donations.
- National security. Organizations can share health data with federal agencies to assist national security.
A covered entity may have doubts about whether disclosure is HIPAA-compliant. In that case, compliance managers should take legal advice. They should document the reason for disclosure. And they should record the legal advice provided. Logging this information shields the organization if regulators investigate the HIPAA disclosure.
HIPAA Privacy Rule exceptions
The best way to understand HIPAA exceptions is by discussing some concrete examples. Exceptions from the HIPAA Privacy Rule include:
- Information provision to public agencies. A covered entity may share individually identifiable health information when there is a public interest. Public interest disclosure includes pooling data to fight epidemics or natural disasters. Hospitals may share health data with courts during negligence or homicide cases. And health data may contribute to national security operations.
- Public health emergencies. Exemptions apply when authorities declare a public health emergency. During emergencies, a covered entity can inform parents of patients without consent. They do not need to issue confidentiality notices to patients. Protecting patient privacy is less critical than dealing with short-term situations.
- Workers compensation. Workers' compensation systems generally allow exceptions from the Privacy Rule. Providers and health plans can share PHI to assist with injury claims.
- When patients are at risk. Medical services can share PHI with relatives or friends. This applies if there is a substantial risk of harm to the individual concerned. A healthcare provider can also inform individuals in danger of suffering harm.
- Informing next of kin. The HIPAA Privacy Rule allows disclosing information to a medical examiner to identify bodies. Organizations can also disclose protected data to the next of kin when patients die.
PHI disclosure must meet the “minimum necessary” standard in the HIPAA Privacy Rule. Organizations must limit the amount of information they share. They should share enough information to meet their goals and nothing more.
Organizations should also maintain an Accounting of Disclosures. This document lists disclosures according to non-routine HIPAA exceptions. Disclosures to support TPO are routine. Organizations do not need to log these cases.
Exceptions to the HIPAA Breach Notification rule
Exemptions also apply to breach notifications. Not all breaches are notifiable. Organizations must assess whether incidents meet the notification threshold. In these situations, three core HIPAA exceptions apply:
Accidental use, access, or acquisition of PHI
Employees of covered entities can easily access private health records unintentionally. Any accidental access could count as a breach. Breaches like this are not reportable if the individual:
- Acted in good faith
- Did not use the PHI after obtaining access.
Incidental disclosures like this are frequent in the healthcare system. Clinicians might mistake two patient records with the same surname. They could access medical charts or prescription data before realizing their mistake. If they immediately leave the record and do not store the data, this is not reportable.
Disclosure of PHI without retention by the recipient
This exception applies if unauthorized actors receive PHI but do not retain that data. The sender must have reasonable cause to believe that the recipient cannot keep PHI.
For example, organizations may make a mistake when mailing letters containing PHI. The courier returns these letters unopened and undelivered. Senders can argue that, while data exposure occurred, no outside actor retained PHI. There is no need for a breach notification.
Unintentional PHI sharing with authorized persons
Information sharing between authorized individuals in the same organization is generally not reportable. This applies if the receiver of PHI does not share that information in a way that breaches HIPAA rules. If the data remains with the recipient and goes no further, there is no need to report the breach.
Legal and law enforcement exceptions to HIPAA
Sharing PHI with law enforcement agencies and courts is also allowable. Exceptions in this category include:
- Providing information to law enforcement agencies. Police may request PHI during investigations. For example, police may be investigating allegations of domestic violence. Health information about the victim could help build a case. In abuse or DV cases, covered entities must get individual authorization from victims. This does not apply to other investigations.
- Complying with subpoenas. Healthcare organizations may receive a subpoena to provide PHI in court cases.
- Informing police about potential crimes. Covered entities can disclose health information when they suspect someone has committed a crime. This applies to offenses occurring at or away from their premises. It only applies to disclosures to state or federal agencies.
- Identifying missing people. Medical services may help identify fugitives or other missing people.
Agencies can submit written requests for PHI. They could attend healthcare facilities in uniform with appropriate identification. If officers or lawyers request data via telephone, covered entities should ask for the statutory basis of the request. They should obtain a written application for relevant PHI.
Understand HIPAA exceptions to avoid compliance violations
HIPAA allows organizations to share Protected Health Information. As we’ve seen, there are Privacy Rule and Breach Notification exemptions. And organizations can disclose patient data for legal reasons as well.
Don’t assume HIPAA is inflexible. Information sharing is often legitimate. However, whenever you share PHI, risk assessment is essential.
Document the PHI you disclose. And record a reason for the disclosure. Effective documentation explains your actions if the Office for Civil Rights investigates. And the risk assessment process improves your understanding of allowable PHI sharing.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.