HIPAA Exceptions: What You Need to Know

On the average search engine result page, you can find countless articles dedicated to one complex topic: exceptions to the HIPAA Privacy Rule. 

With headlines such as “Exceptions to the HIPAA Privacy Policy” becoming fairly prevalent, it’s easy for covered entities to mistakenly believe that they can be more lax when it comes to meeting HIPAA requirements. 

In truth, most allowable HIPAA exceptions occur only in very particular situations, and even the exceptions have their exceptions. While covered entities should be aware of exceptions so they don’t withhold information in unique cases, their primary focus should always be on conducting risk assessments and remediation to remain compliant throughout the year.

Read on for a recap of what HIPAA covers and a list of some unlikely but important exceptions to better understand the requirements of the Privacy Rule.

A Brief Recap: What Does HIPAA Cover?

HIPAA was designed to protect individually identifiable health information, including medical records and health insurance information. Its Privacy and Security Rules apply to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims, eligibility checks, and payment. The obligations follow the data when a covered entity contracts with Business Associates (BAs), who must sign a business associate agreement and are themselves bound by the HIPAA rules.

You can find various resources on our website that list the entities covered and information protected by HIPAA. Visit the What Entities and Information Does HIPAA Protect? blog for more details.

7 Exceptions to HIPAA

Although situations in which HIPAA does not apply are fairly uncommon, it is still worthwhile for covered entities to understand where they should and should not focus their compliance efforts. The full list of HIPAA exceptions is quite lengthy and difficult to parse, so we’ve highlighted a few instances in which HIPAA does not apply: 

1. Personal Use

HIPAA regulates covered entities and business associates, not individuals handling their own health information. A patient has a right under the Privacy Rule to obtain a copy of their own records, and once they hold that copy, HIPAA does not govern what they do with it (sharing it with family, for example). The covered entity that fulfills the access request, by contrast, remains fully subject to the rules.

2. Law Enforcement

A HIPAA-covered entity may disclose PHI without the patient’s authorization to a health oversight agency, to law enforcement, or for judicial and administrative proceedings, but only in the specific circumstances the Privacy Rule spells out; these provisions do not grant blanket permission to release records. For example, in response to a law enforcement request to identify or locate a suspect, fugitive, material witness, or missing person, an entity may release a limited set of identifying information (such as name, address, and date of birth) rather than the full record. The Privacy Rule generally permits these disclosures but does not itself require them; a disclosure becomes mandatory only when a court order or another law compels it.

3. Research 

HIPAA has separate rules for PHI used in research. A covered entity may disclose identifiable PHI to researchers only with the individual’s written HIPAA authorization (which is distinct from informed consent to take part in the study) or when one of a few conditions is met: an Institutional Review Board or Privacy Board has waived the authorization requirement; the information has been de-identified under the Privacy Rule’s standard, at which point it is no longer PHI; or the researcher receives a limited data set under a signed data use agreement. A limited data set strips direct identifiers such as names, addresses, and Social Security numbers but may retain dates and some geographic detail, so it is still PHI and still subject to the agreement’s restrictions. In practice, the less the data can identify an individual, the fewer conditions the entity must satisfy before releasing it.

4. Colleges and Universities 

In most cases, HIPAA does not apply to school-based health programs: colleges and universities are not themselves covered entities, and the health records they hold on students are generally governed by FERPA (the Family Educational Rights and Privacy Act) instead. A school may, however, employ or operate a healthcare provider that bills or transmits health information electronically, and that provider’s activities fall under HIPAA. Likewise, if a school offers medical services to the public (for example, an optometry college holding free clinics for local residents), it may become a hybrid entity and must apply the HIPAA rules to its healthcare component. 

5. Emergency Situations 

In emergencies, the HIPAA Privacy Rule allows a covered entity to disclose PHI as needed to treat the patient and to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. HIPAA also permits the use and disclosure of PHI for public health activities, such as disease control and prevention, public health investigations, and mandatory reporting of certain diseases to public health authorities.  

6. State Law Contradictions 

HIPAA and state laws sometimes conflict. HIPAA sets a federal floor: a contrary state law is preempted unless it is more stringent, that is, more protective of the patient. As Doug Walter, legislative and regulatory counsel in APA’s Practice Directorate, puts it: “…if a state law is more protective of the patient, then it takes precedence over HIPAA.” Conversely, where a state law is less protective than HIPAA, HIPAA controls. 

In general, it’s important to remember that even when HIPAA does not apply, other federal or state laws may still regulate the use and disclosure of health information. Additionally, covered entities must apply the minimum necessary standard to most uses and disclosures, releasing only the PHI needed to accomplish the intended purpose; the standard does not apply to disclosures for treatment, to the individual, or made under the individual’s authorization.  

7. Workers’ Compensation 

The Privacy Rule permits covered entities to disclose PHI without authorization as authorized by, and to the extent necessary to comply with, workers’ compensation laws, for example to verify a claim or coordinate benefits. The minimum necessary standard still applies to these disclosures unless a specific law dictates exactly what must be disclosed. The other parties in the process (workers’ compensation insurers, workers’ compensation administrative agencies, and employers) are not covered entities unless they qualify on other grounds, so HIPAA does not govern how they handle the information once they receive it. 


Just as remaining HIPAA compliant is a year-round necessity for covered entities and business associates, understanding these uncommon HIPAA exceptions is another piece of the puzzle. Covered entities should be aware of exceptions so they do not withhold information where disclosure is required or clearly permitted. If you’re ever unsure of whether you’re being compliant, consult an expert to solidify where you stand and what next steps should be taken. 

Due to the rarity of HIPAA exception occurrences, the primary focus of covered entities should be on conducting risk assessments, remediation, and other HIPAA processes to ensure full compliance and avoid fines and legal penalties. Implementing an automated HIPAA compliance solution and enlisting the help of Certified Assessors can help you achieve that. 

We provide consulting without cost and streamlined compliance automation to SMBs, enterprises, and business associates. With the HIPAA One solution, you can finally take the guesswork out of HIPAA and remain compliant the right way.

If you want to learn more about ensuring HIPAA compliance and remediation the right way all year round, contact the HIPAA experts at Intraprise Health.