What are the exceptions to HIPAA?

HIPAA exceptions include general rulings, emergency scenarios, state and federal exclusions, operational and occupational variations, and exceptions to privacy rules. These determine how certain medical situations and instances of sharing protected health information (PHI) are handled.

Understanding the implications of HIPAA exceptions

HIPAA focuses on safeguarding patient privacy and seeks to make healthcare more efficient. Healthcare organizations should know the exceptions in the rules and consider professional advice to find the right balance between privacy and efficiency.

Related:  HIPAA Compliant Email: The Definitive Guide

General rule exceptions

Under HIPAA, state law takes precedence over federal law in specific situations. The following circumstances allow state law to preempt HIPAA:

• Patients' rights: When state law provides more stringent patients' rights or privacy provisions than HIPAA
• Reporting to public health agencies: If state law requires reporting of information to public health agencies
• Information reporting: When state law mandates health plans to report information for audit purposes

State and federal exceptions

Certain educational institutions that offer medical services as a work benefit to students and staff are not considered covered entities under HIPAA. However, if an educational institution provides medical services to the public, it becomes a hybrid entity.

In such cases, safeguards must be implemented to isolate treatment records protected by the Family Educational Rights and Privacy Act (FERPA) from HIPAA-covered Protected Health Information (PHI), requiring the application of two sets of rules for staff.

Operational and occupational exceptions

HIPAA includes exceptions based on operations and occupation. The following guidelines qualify organizations for certain HIPAA exceptions:

• Ambulance services: Ambulance services operating in counties without electronic billing systems are eligible for HIPAA exceptions
• Healthcare facilities: Healthcare facilities can disclose "health condition" information from directories to callers or visitors who inquire about a patient by name
• Military treatment facilities: Military facilities can disclose protected health information to command authorities without patient authorization for reporting purposes related to fitness for duty or military mission requirements

Emergency situation exceptions

Patient PHI can be used during emergencies without violating HIPAA rules. While the Privacy Rule is not set aside during emergencies, the following exceptions can apply:

• Treatment: Covered entities can disclose PHI necessary for treating the patient without authorization
• Public health: Public health authorities and relevant parties can access necessary PHI to carry out public health missions without individual authorization
• Next of kin: Covered entities may share PHI with family members, relatives, friends, or individuals involved in the patient's care as identified by the patient
• Imminent danger: Healthcare providers can share patient information with anyone necessary to prevent or lessen a serious and imminent threat to an individual's health or public safety
• Media: Hospitals or healthcare facilities can release limited facility directory information to confirm a patient's presence and provide general information about the patient's condition

Covered entities must make reasonable efforts to limit the disclosed information to the minimum necessary for the specified purposes.

Read more: Understanding permissible disclosures in an emergency

Privacy rule exceptions 

In addition to the Privacy Rule exceptions outlined for emergency situations, covered entities can use and disclose PHI without individual authorization for the following purposes:

• Oversight of the healthcare system
• Law enforcement
• Judicial and administrative proceedings
• Medical examinations
• Body identification and cause of death investigation
• Facility directories
• Workers Compensation
• Other situations where the use or disclosure is mandated by other laws (e.g., state and local)

Read more: Does HIPAA apply in emergencies?

FAQs

How can I find out which state laws preempt HIPAA in my area?

Consult with a compliance professional or healthcare attorney in your state. For initial guidance, you can refer to the “Report on State Law Requirements for Patient Permission to Disclose Health Information” on the healthit.gov website. Although some information may be outdated, Appendix A provides state-by-state details on exemptions from authorizations.

Does HIPAA or FERPA apply to elementary student health records maintained by a health care provider not employed by the school?

HIPAA applies to student health records when services are provided by an entity not associated with the school, even if the services occur on school grounds. For example, immunization services offered by a public health agency on a school campus fall under HIPAA.

What is the duty to warn exception that applies to psychotherapy notes?

The duty to warn exception permits healthcare professionals to disclose psychotherapy notes if they believe a patient poses a threat to others. This exception allows disclosure without the patient’s written authorization and protects healthcare professionals from legal consequences related to confidentiality breaches.

Can HIPAA information be shared with law enforcement?

Yes, HIPAA information can be shared with law enforcement, but only under specific circumstances, such as complying with a court order or when required by law. However, the scope of information that can be shared is limited, particularly for identification purposes.

Who is exempt from HIPAA regulations?

HIPAA does not apply to all entities involved in healthcare. For instance, banks and payment processors are exempt, even when handling PHI. Additionally, certain healthcare providers, like those that only bill clients directly, and auto insurance companies covering medical care, are also exempt from HIPAA.

See also: HIPAA Compliant Email: The Definitive Guide