HIPAA Exceptions: What Isn’t Covered by the Data Privacy Law?

Achieving compliance with all of HIPAA’s requirements is a major challenge — understanding fringe cases and exemptions adds another layer of complexity and stress. To help, we’ve summarized the major exemptions to the Health Insurance Portability and Accountability Act and exceptions to its rules.

General HIPAA exceptions

Most HIPAA exceptions are extremely specific cases, such as when HIPAA might contradict state law or other regulations. One example is for teaching universities where an educational institution might provide healthcare services to the public. Another exception is for military doctors who may be required to disclose PHI when reporting on a patient’s fitness for duty. Other exceptions apply to psychotherapy sessions when state laws require therapists to warn of imminent harm or report cases of abuse. 

In addition, financial institutions including banks and payment processors are currently exempt from HIPAA. Covered entities should be mindful of how a patient’s direct payments are processed to ensure compliance with the Minimum Necessary Rule. 

In most cases, when HIPAA contradicts state law, HIPAA supersedes — unless the state law provides stronger data privacy provisions or patient rights. If you are ever unsure whether HIPAA rules apply, it’s best to consult with a healthcare attorney or HIPAA compliance professional.

Exceptions to the definition of protected health information (PHI)

HIPAA legislation applies to covered entities and business associates. Any PHI that is created, stored, accessed, or transmitted by these healthcare organizations is protected under HIPAA. But in the hands of another company, that same information may not be considered PHI and would not be protected under HIPAA. 

For example, a fitness app that tracks a user’s heart rate, sleep patterns, activity levels, or calorie consumption does not constitute PHI. 

Here are a few other examples where health data is not classified as PHI: 

• Appointment inquiries: Names and phone numbers of potential patients who call to make an appointment are not considered PHI, because no health information is associated with it. Once that person formally becomes a patient, however, that data becomes PHI and is protected. 
• Employee and education records: Any records regarding employee or student health, including known allergies, blood type, or disabilities, are not considered PHI. 
• Wearable devices: Data collected by wearable devices including heart rate monitors or smartwatches is not PHI. 
• Health and fitness apps: Data collected by or entered into a mobile fitness or health app is not PHI. 
• De-identified PHI: Health data that has had all personal identifiers removed and cannot be linked to a specific individual is no longer considered PHI. Organizations sometimes use de-identified PHI for statistics or research purposes. 

HIPAA Privacy Rule exceptions

Under very specific circumstances, the HIPAA Privacy Rule permits covered entities to use and/or disclose personal health information without patient authorization. Typically these cases involve a healthcare provider’s treatment, payment, and healthcare operations (TPO). Other exceptions include cases of public interest. 

For example:

• Healthcare regulations and licensing 
• Public health (such as reporting to a state health department or the CDC) 
• Medical research
• Workers compensation 
• Legal proceedings and law enforcement purposes
• To inform next of kin, identify a body, determine cause of death, or for a medical examiner/coroner

Even in these situations, disclosures must be documented in an Accounting of Disclosures log. 

HIPAA Breach Notification Rule exceptions

There are a few scenarios that technically fall under the definition of a breach, yet the U.S. Department of Health and Human Services (HHS) extends exceptions for them. They include:

• Unintentional access or use of PHI by an employee, made in good faith and within the scope of their authority
• Accidental disclosure of PHI between authorized persons
• The organization confidently believes that the person who obtained or accessed the PHI will not retain or compromise the data

If any of the three exceptions are true, then PHI is not considered “breached” and the covered entity isn’t required to notify affected parties or HHS under the Breach Notification Rule.

HIPAA Minimum Necessary Rule exceptions

The HHS outlines six exceptions to the Minimum Necessary Rule: 

• Healthcare providers making requests for PHI to provide treatment to a patient
• Patients making requests for copies of their own medical records
• Requests for PHI when there is a valid authorization
• Requests for PHI that are required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
• Requests for disclosure of PHI to HHS for complaint investigation, compliance review, or enforcement
• Requests for PHI that are otherwise required by law