HIPAA exceptions include general rulings, emergency scenarios, state and federal exclusions, operational and occupational variations, and exceptions to privacy rules. These determine how certain medical situations and instances of sharing protected health information (PHI) are handled.
HIPAA focuses on safeguarding patient privacy and seeks to make healthcare more efficient. Healthcare organizations should know the exceptions in the rules and consider professional advice to find the right balance between privacy and efficiency.
Under HIPAA, state law takes precedence over federal law in specific situations. The following circumstances allow state law to preempt HIPAA:
Certain educational institutions that offer medical services as a work benefit to students and staff are not considered covered entities under HIPAA. However, if an educational institution provides medical services to the public, it becomes a hybrid entity.
In such cases, safeguards must be implemented to isolate treatment records protected by the Family Educational Rights and Privacy Act (FERPA) from HIPAA-covered Protected Health Information (PHI), requiring the application of two sets of rules for staff.
HIPAA includes exceptions based on operations and occupation. The following guidelines qualify organizations for certain HIPAA exceptions:
Patient PHI can be used during emergencies without violating HIPAA rules. While the Privacy Rule is not set aside during emergencies, the following exceptions can apply:
Covered entities must make reasonable efforts to limit the disclosed information to the minimum necessary for the specified purposes.
In addition to the Privacy Rule exceptions outlined for emergency situations, covered entities can use and disclose PHI without individual authorization for the following purposes:
Consult with a compliance professional or healthcare attorney in your state. For initial guidance, you can refer to the “Report on State Law Requirements for Patient Permission to Disclose Health Information” on the healthit.gov website. Although some information may be outdated, Appendix A provides state-by-state details on exemptions from authorizations.
HIPAA applies to student health records when services are provided by an entity not associated with the school, even if the services occur on school grounds. For example, immunization services offered by a public health agency on a school campus fall under HIPAA.
The duty to warn exception permits healthcare professionals to disclose psychotherapy notes if they believe a patient poses a threat to others. This exception allows disclosure without the patient’s written authorization and protects healthcare professionals from legal consequences related to confidentiality breaches.
Yes, HIPAA information can be shared with law enforcement, but only under specific circumstances, such as complying with a court order or when required by law. However, the scope of information that can be shared is limited, particularly for identification purposes.
HIPAA does not apply to all entities involved in healthcare. For instance, banks and payment processors are exempt, even when handling PHI. Additionally, certain healthcare providers, like those that only bill clients directly, and auto insurance companies covering medical care, are also exempt from HIPAA.