The Intake

Insights for those starting, managing, and growing independent healthcare practices

HIPAA’s surprise exemptions: What you need to know

Common misconceptions about HIPAA’s scope can lead to issues and non-compliance.

At a Glance

  • HIPAA’s 3 exemptions protect healthcare providers from breach reporting when data access is unintentional or in good faith.
  • Protected health information can be shared without consent for public health, law enforcement, and de-identified research.
  • Healthcare practices should document, train staff, and maintain safeguards when handling HIPAA exceptions.

Most providers are familiar with the basic principles of the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, common misconceptions about its scope can lead to unexpected issues and non-compliance. Many people assume that HIPAA applies to all data that a healthcare entity handles, but there are exceptions. These HIPAA exceptions are intended to support public health, safety, and healthcare operations.

However, if a practice assumes an occurrence is exempt and that exemption is later called into question, the practice could face an investigation, fines, or legal issues. Understanding which types of scenarios qualify as a HIPAA exception helps practices navigate complex healthcare situations without ethical or legal complications.

This explainer covers the HIPAA exceptions list and outlines various HIPAA-exempt scenarios that independent practices may encounter.

What are HIPAA exceptions?

HIPAA exceptions are defined circumstances in which the standard privacy, security, and breach rules aren’t enforced.

HIPAA exceptions are defined circumstances in which the standard privacy, security, and breach rules aren’t enforced.

For example, exceptions to the HIPAA privacy rule allow covered healthcare organizations to disclose protected health information (PHI) without authorization in situations such as complying with a court order or notifying next of kin of a death. HIPAA breach exceptions describe events, such as unintentional data access, in which breach reporting isn’t required.

What are the 3 exceptions to HIPAA? 

The HIPAA breach rule contains exceptions for circumstances where PHI is accessed without authorization but isn’t considered a threat to data security or patient privacy.

The 3 exceptions to HIPAA are:

  • Unintentional access by an authorized person
  • Inadvertent disclosure within the organization
  • Good faith belief

Understanding these exceptions is critical for practices, as human error sometimes occurs when handling PHI.

Common HIPAA privacy rule exceptions

Following are some of the most common HIPAA privacy rule exceptions.

De-identified data

When data has been stripped of identifying information, it doesn’t qualify as protected health information (PHI). De-identified data can be legally shared without obtaining patient consent. It’s often used in research, but some practices use de-identified data when participating in public health initiatives or healthcare analytics.

Employer records

Records related to workplace injuries, well-being programs, and other employee health information aren’t regulated by HIPAA. Instead, the employer must follow Occupational Safety and Health Administration (OSHA) standards and state regulations regarding employee health data.

Public health disclosures

HIPAA permits healthcare providers to share PHI with public health authorities who are legally authorized to receive such reports for specific public health purposes. Examples include infectious disease reporting, safety issues related to Food and Drug Administration (FDA)-regulated products, and instances of child abuse or neglect.

Law enforcement access

Under specific circumstances, HIPAA permits disclosure of PHI to law enforcement. Patient consent isn’t required when disclosing health information in compliance with a court order. It’s also not required to identify or locate a suspect, material witness, or missing person, and under certain other conditions. In some cases, HIPAA limits the scope of PHI that can be shared with law enforcement.

HIPAA breach exceptions: What to know

HIPAA defines a breach as unauthorized use of or access to PHI that compromises the privacy or security of the data. These circumstances can occur during regular data handling, even when staff strive to uphold security. You and your team should identify how these events might occur because, in most cases, it’s up to the practice to determine whether the situation requires reporting and notifications under the HIPAA breach rule.

Unintentional access by an authorized person

If a staff member accesses PHI accidentally while acting in good faith, it’s not considered a reportable breach. A technician mistakenly opening the wrong patient record, for example, wouldn’t require breach notification procedures.

Inadvertent disclosure within the organization

Accidental sharing of PHI between 2 authorized members of the same healthcare organization isn’t considered a breach under HIPAA. For instance, a physician might email the wrong information to another clinician at the practice, but HIPAA doesn't consider this a violation.

Good faith belief

If an authorized person accidentally shares PHI with an unauthorized person but believes in good faith that the recipient would not be able to retain the information, HIPAA notifications aren’t required. Showing the wrong X-ray films to a patient, then realizing the mistake and removing them, wouldn’t qualify as a breach because it’s unlikely the patient had time to read and retain any personal identifying information.

Best practices for managing HIPAA exceptions

To protect your practice, clinicians, staff, and patients, develop exception management protocols. These should focus on:

  • Documentation: Keep detailed records of events related to HIPAA exceptions to show due diligence.
  • Staff training: Educate your team on identifying HIPAA exceptions, proper procedures, and follow-up.
  • Transparency: Increase trust and minimize unexpected consequences by communicating unauthorized disclosures to affected patients, even in the case of a HIPAA exception.
  • Risk mitigation: Integrate safeguards into data handling workflows, such as limiting the amount of PHI disclosed, creating role-specific access, and requiring encrypted messaging.

A proactive management approach can minimize the ethical and legal risks in exempt scenarios.

Knowledge empowers compliance

Understanding exceptions to HIPAA allows you to maintain compliance, meet legal requirements, contribute to public health initiatives, and handle PHI with confidence. A clear protocol for managing exemptions guards against the consequences of misjudging them, from lawsuits and federal fines to losing patients and reputational damage. Staying informed and up to date on HIPAA exceptions means your team can confidently navigate the intricacies of healthcare delivery while safeguarding patients’ information.

Amantha May, freelance healthcare writer

Amantha May is a freelance healthcare writer specializing in health tech, primary care, and health equity. She has written for a large range of clients, including medical equipment manufacturers, large health systems, digital health entrepreneurs, and private practices.

Reviewed by

Dr. Jesse P. Houghton, MD

Dr. Jesse Houghton, MD is board certified in both Internal Medicine and Gastroenterology. He is an expert in endoscopic procedures and the recipient of numerous awards, including the Best Doctors in America, Ohio Top Docs, Castle-Connelly Top Doctor, and Marquis Who’s Who in Medicine. He is the medical director of Gastroenterology at Southern Ohio Medical Center.