
Who Enforces HIPAA + How To Make Sure Your Business Is Compliant
Achieving compliance with all of HIPAA’s requirements is a major challenge — understanding fringe cases and exemptions adds another layer of complexity and stress. To help, we’ve summarized the major exemptions to the Health Insurance Portability and Accountability Act and exceptions to its rules.
Most HIPAA exceptions are extremely specific cases, such as when HIPAA might contradict state law or other regulations. One example is for teaching universities where an educational institution might provide healthcare services to the public. Another exception is for military doctors who may be required to disclose PHI when reporting on a patient’s fitness for duty. Other exceptions apply to psychotherapy sessions when state laws require therapists to warn of imminent harm or report cases of abuse.
In addition, financial institutions including banks and payment processors are currently exempt from HIPAA. Covered entities should be mindful of how a patient’s direct payments are processed to ensure compliance with the Minimum Necessary Rule.
In most cases, when HIPAA contradicts state law, HIPAA supersedes — unless the state law provides stronger data privacy provisions or patient rights. If you are ever unsure whether HIPAA rules apply, it’s best to consult with a healthcare attorney or HIPAA compliance professional.
HIPAA legislation applies to covered entities and business associates. Any PHI that is created, stored, accessed, or transmitted by these healthcare organizations is protected under HIPAA. But in the hands of another company, that same information may not be considered PHI and would not be protected under HIPAA.
For example, the heart rate, sleep pattern, activity level, or calorie consumption data that a fitness app collects from its users is not PHI.
Here are a few other examples where health data is not classified as PHI:
Under very specific circumstances, the HIPAA Privacy Rule permits covered entities to use and/or disclose personal health information without patient authorization. Typically these cases involve a healthcare provider’s treatment, payment, and healthcare operations (TPO). Other exceptions include cases of public interest.
For example:
Even in these situations, disclosures must be documented in an Accounting of Disclosures log.
There are a few scenarios that technically fall under the definition of a breach, yet the U.S. Department of Health and Human Services (HHS) extends exceptions for them. They include:
If any of the three exceptions applies, the PHI is not considered “breached,” and the covered entity isn’t required to notify affected parties or HHS under the Breach Notification Rule.
The HHS outlines six exceptions to the Minimum Necessary Rule: