Achieving compliance with all of HIPAA’s requirements is a major challenge — understanding fringe cases and exemptions adds another layer of complexity and stress. To help, we’ve summarized the major exemptions to the Health Insurance Portability and Accountability Act and exceptions to its rules.
General HIPAA exceptions
Most HIPAA exceptions are extremely specific cases, such as when HIPAA might contradict state law or other regulations. One example is for teaching universities where an educational institution might provide healthcare services to the public. Another exception is for military doctors who may be required to disclose PHI when reporting on a patient’s fitness for duty. Other exceptions apply to psychotherapy sessions when state laws require therapists to warn of imminent harm or report cases of abuse.
In addition, financial institutions including banks and payment processors are currently exempt from HIPAA. Covered entities should be mindful of how a patient’s direct payments are processed to ensure compliance with the Minimum Necessary Rule.
In most cases, when HIPAA contradicts state law, HIPAA supersedes — unless the state law provides stronger data privacy provisions or patient rights. If you are ever unsure whether HIPAA rules apply, it’s best to consult with a healthcare attorney or HIPAA compliance professional.
Recommended Reading
Who Enforces HIPAA + How To Make Sure Your Business Is Compliant
Read More
Exceptions to the definition of protected health information (PHI)
HIPAA legislation applies to covered entities and business associates. Any PHI that is created, stored, accessed, or transmitted by these healthcare organizations is protected under HIPAA. But in the hands of another company, that same information may not be considered PHI and would not be protected under HIPAA.
For example, a fitness app that tracks a user’s heart rate, sleep patterns, activity levels, or calorie consumption does not constitute PHI.
Here are a few other examples where health data is not classified as PHI:
- Appointment inquiries: Names and phone numbers of potential patients who call to make an appointment are not considered PHI, because no health information is associated with it. Once that person formally becomes a patient, however, that data becomes PHI and is protected.
- Employee and education records: Any records regarding employee or student health, including known allergies, blood type, or disabilities, are not considered PHI.
- Wearable devices: Data collected by wearable devices including heart rate monitors or smartwatches is not PHI.
- Health and fitness apps: Data collected by or entered into a mobile fitness or health app is not PHI.
- De-identified PHI: Health data that has had all personal identifiers removed and cannot be linked to a specific individual is no longer considered PHI. Organizations sometimes use de-identified PHI for statistics or research purposes.
HIPAA Privacy Rule exceptions
Under very specific circumstances, the HIPAA Privacy Rule permits covered entities to use and/or disclose personal health information without patient authorization. Typically these cases involve a healthcare provider’s treatment, payment, and healthcare operations (TPO). Other exceptions include cases of public interest.
For example:
- Healthcare regulations and licensing
- Public health (such as reporting to a state health department or the CDC)
- Medical research
- Workers compensation
- Legal proceedings and law enforcement purposes
- To inform next of kin, identify a body, determine cause of death, or for a medical examiner/coroner
Even in these situations, disclosures must be documented in an Accounting of Disclosures log.
HIPAA Breach Notification Rule exceptions
There are a few scenarios that technically fall under the definition of a breach, yet the U.S. Department of Health and Human Services (HHS) extends exceptions for them. They include:
- Unintentional access or use of PHI by an employee, made in good faith and within the scope of their authority
- Accidental disclosure of PHI between authorized persons
- The organization confidently believes that the person who obtained or accessed the PHI will not retain or compromise the data
If any of the three exceptions are true, then PHI is not considered “breached” and the covered entity isn’t required to notify affected parties or HHS under the Breach Notification Rule.
HIPAA Minimum Necessary Rule exceptions
The HHS outlines six exceptions to the Minimum Necessary Rule:
- Healthcare providers making requests for PHI to provide treatment to a patient
- Patients making requests for copies of their own medical records
- Requests for PHI when there is a valid authorization
- Requests for PHI that are required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
- Requests for disclosure of PHI to HHS for complaint investigation, compliance review, or enforcement
- Requests for PHI that are otherwise required by law
Get industry insights, news & more in your inbox
Secureframe Insights is our monthly newsletter covering the latest cybersecurity and compliance news, insights, and events — from changing regulations to compliance checklists and more.
Join thousands of subscribers in getting these expert insights delivered straight to your inbox.
FAQs
What is exempt from HIPAA?
HIPAA does not cover all health information or all entities that handle health-related information. Some exemptions include:
- Non-Covered Entities: Entities that are not healthcare providers, health plans, or healthcare clearinghouses, and do not otherwise meet the definition of a business associate, are not covered by HIPAA. This includes employers, life insurance companies (when not acting as health plans), workers' compensation carriers, many schools and school districts, many state agencies like child protective services, and many law enforcement agencies.
- De-identified Health Information: Information that has had all personally identifiable information removed, meeting the HIPAA Privacy Rule's standards for de-identification, is not covered by HIPAA. There are two methods to achieve de-identification: the Expert Determination Method and the Safe Harbor Method.
- Employment Records: Employment records held by a covered entity in its role as an employer are exempt from HIPAA. This includes employment-related information that the covered entity maintains in its human resources department.
- Educational Records: Records covered by the Family Educational Rights and Privacy Act (FERPA) are exempt from HIPAA. This includes educational records like grades and transcripts that are directly related to a student and maintained by an educational institution or party acting on its behalf.
What are the three exceptions to the breach definition?
Under the HIPAA Breach Notification Rule, there are specific situations where an unauthorized use or disclosure of protected health information (PHI) is not considered a breach. These exceptions are:
- Unintentional Acquisition, Access, or Use by Workforce Members: If a workforce member of a covered entity or business associate unintentionally acquires, accesses, or uses PHI in good faith and within the scope of their authority, and the information is not further used or disclosed in a manner not permitted by the Privacy Rule, it is not considered a breach.
- Inadvertent Disclosure Between Persons Authorized to Access PHI: If the unauthorized disclosure of PHI occurs inadvertently between two individuals who are both authorized to access PHI at the same covered entity or business associate (or organized healthcare arrangement), and the information is not further used or disclosed in a manner not permitted by the Privacy Rule, it is not considered a breach.
- Disclosure to Unauthorized Person Where PHI is Not Further Disclosed: If a covered entity or business associate discloses PHI to an unauthorized person, but the entity or associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information, it is not considered a breach.
