
HIPAA Exceptions: What You Need to Know

HIPAA regulations are a major concern for healthcare organizations. But many are so concerned with maintaining compliance that they miss instances when HIPAA rules don’t apply. There is a full page dedicated to HIPAA exceptions in the Administrative Simplification provisions – and understanding them is key to an efficient and effective HIPAA compliance program.

This article offers leaders an authoritative overview of HIPAA’s applicability, before explaining seven important instances when the rules don’t apply.  

What is a HIPAA Exception and How Do They Work? 

HIPAA was designed to ensure protected health information (PHI) – such as medical records or health insurance information – is safe and secure. It is formed of three distinct “HIPAA Rules” – the Privacy, Security, and Breach Notification Rules. These rules combine to cover every aspect of healthcare security and data usage – from the storage and access of patient information to how organizations must inform patients about a data breach.

All health providers, health plans, and healthcare clearinghouses that transmit health information electronically must follow these rules – and will be heavily penalized for failing to do so. HIPAA also covers electronic financial transactions and applies even when covered entities contract with Business Associates (BAs).

You can find various resources on our website that list the entities covered and information protected by HIPAA. Visit the What Entities and Information Does HIPAA Protect? blog for more details.

7 Important Exceptions to HIPAA 

Although situations in which HIPAA does not apply are fairly uncommon, it is still worthwhile for covered entities to understand where they should and should not focus their compliance efforts. The full list of HIPAA exceptions is quite lengthy and difficult to parse, so we’ve highlighted a few instances in which HIPAA does not apply: 

1. Personal Use

HIPAA regulations do not govern an individual’s use or disclosure of their own protected health information (PHI). This means that individuals can access, store, and share their medical records as they see fit.  

However, once PHI is shared with a third party, such as an insurance company or a health app, that entity may be subject to HIPAA or other privacy regulations. Additionally, while HIPAA does not apply to personal use, individuals should be aware of security risks when storing or transmitting their medical data digitally. 

2. Law Enforcement

HIPAA-covered entities can disclose PHI to law enforcement, health oversight agencies, or for judicial proceedings, but such disclosures are limited in scope. PHI may be released under specific conditions, such as compliance with a court order, warrant, subpoena, or to locate a suspect, fugitive, material witness, or missing person.  

In cases of abuse, neglect, or domestic violence, covered entities may report PHI to appropriate authorities when required by law. However, disclosures must always be limited to the minimum necessary amount to fulfill the request.

3. Research 

HIPAA establishes stringent guidelines regarding the use of PHI for research purposes. Researchers may access PHI only when they obtain explicit written consent from the individual or if they meet one of the following conditions: the data is de-identified, meaning it no longer contains personally identifiable details, or it is part of a limited data set that excludes direct identifiers.  

Institutional Review Boards (IRBs) or privacy boards often oversee such research activities to ensure compliance and balance the need for data with the protection of patient privacy. 

4. Colleges and Universities

In most cases, HIPAA compliance does not apply to school-based health programs. However, colleges and universities may become hybrid entities if they provide healthcare services to the public, such as in teaching hospitals or community clinics.

In such cases, these institutions must comply with HIPAA regulations for the portion of their operations that handle PHI. Furthermore, student health records maintained by healthcare providers operating independently of the school’s educational system may also be subject to HIPAA. 

5. Emergency Situations

In emergencies, the HIPAA Privacy Rule allows disclosures as needed to treat patients or individuals in immediate danger. Healthcare providers can share PHI with emergency responders, family members, or authorized individuals when the patient is incapacitated or unable to provide consent.

Additionally, PHI may be disclosed to public health authorities for activities such as tracking infectious diseases, investigating outbreaks, or responding to bioterrorism threats. These exceptions help facilitate rapid and effective responses while maintaining appropriate safeguards. 

6. State Law Contradictions 

HIPAA and state laws sometimes contradict. The general rule of thumb is that “…if a state law is more protective of the patient, then it takes precedence over HIPAA,” says Doug Walter, legislative and regulatory counsel in APA’s Practice Directorate. Conversely, if a state law is less stringent than HIPAA, then HIPAA takes over. 

In general, it’s always important to remember that even when HIPAA does not apply, other federal or state laws may still regulate the use and disclosure of PHI. Additionally, covered entities must always follow the minimum necessary rule, which requires them to only use or disclose the minimum amount of PHI necessary to accomplish the intended purpose.

7. Workers’ Compensation

HIPAA usually does not apply to using or disclosing PHI for workers’ compensation. Entities such as workers’ compensation insurers, administrative agencies, and employers handling workers’ compensation matters are often exempt from HIPAA’s privacy rules. 

However, healthcare providers treating injured workers must still comply with HIPAA when handling PHI unless they are legally required to disclose it for claim verification or benefit coordination. Even in such cases, the information disclosed must be limited to what is necessary for the workers’ compensation process. 

Conclusion 

Just as remaining HIPAA compliant is a year-round necessity for covered entities and business associates, understanding these uncommon HIPAA exceptions is another piece of the puzzle. Covered entities should be aware of the exceptions so they do not withhold information in settings where disclosure is required. If you’re ever unsure of whether you’re being compliant, consult an expert to solidify where you stand and what next steps should be taken.

Due to the rarity of HIPAA exception occurrences, the primary focus of covered entities should be on conducting risk assessments, remediation, and other HIPAA processes to ensure full compliance and avoid fines and legal penalties. Implementing an automated HIPAA compliance solution and enlisting the help of Certified Assessors can help you achieve that. 

We provide consulting without cost and streamlined compliance automation to SMBs, enterprises, and business associates. With the HIPAA One solution, you can finally take the guesswork out of HIPAA and remain compliant the right way.

If you want to learn more about ensuring HIPAA compliance and remediation the right way all year round, contact the HIPAA experts at Intraprise Health.

About the Author

Scott Mattila

CSO, Intraprise Health
Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.