Strike Graph security compliance blog

What are the rule exceptions to HIPAA?

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Oct 7, 2022 7:00:00 AM

The Health Insurance Portability and Accountability Act (HIPAA) is a collection of medical privacy regulations for healthcare organizations handling protected health information (PHI). HIPAA sets the standard for security, privacy, and integrity of patient data handling, but there are some exceptions to HIPAA.

Knowing these exemptions can make certain medical situations and instances of patient information sharing easier to deal with. Let’s take a look at them now.

When there is a contradiction between HIPAA and state law, HIPAA takes precedence, except in a few specific circumstances. State law preempts HIPAA in these situations:

  • State law has more stringent patients’ rights or privacy provisions than HIPAA.
  • State law provides for reporting information to public health agencies.
  • State law requires a health plan to report information for the purpose of audits, etc.

State and federal exceptions

Public schools, colleges, and other educational institutions that provide medical services for students and staff as a work benefit aren’t considered covered entities under HIPAA. However, if an educational institution provides medical services for members of the public, the educational institution becomes a hybrid entity. This means they have to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.


Operational and occupational exceptions

There are a few HIPAA rule exceptions based on operations and occupation. Organizations that fall under the following guidelines qualify for some HIPAA exceptions:

  • Ambulance services in counties without electronic billing.
  • Healthcare facilities when disclosing directory “health condition” information to callers or visitors who ask about the patient by name.
  • Military treatment facilities when disclosing protected health information to command authorities without the patient’s authorization in order to report on the patient’s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

Exceptions for emergency situations were outlined in a bulletin released in 2014 by the US Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) in response to public health crises around the world.

This bulletin clarified how a patient's PHI can be used in emergency situations without violating rules. While it states explicitly that the Privacy Rule is "not set aside during an emergency," it defines additional ways that PHI can be used for "critical purposes." When it comes to sharing patient information, these exceptions are allowed in emergency situations:

  • Treatment: Covered entities may disclose protected health information about the patient as necessary to treat the patient or to treat a different patient without the patient’s authorization.
  • Public health: In order to ensure public health, public health authorities and others have access to protected health information that is necessary to carry out their public health mission without individual authorization.
  • Next of kin: A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.
  • Imminent danger: Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
  • Media: A hospital or health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms.

It’s important to note that covered entities must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the above purposes.

Privacy Rule exceptions

In addition to the Privacy Rule exceptions listed above when it comes to emergency situations, covered entities may also use and disclose protected health information without individual authorization for the following purposes:

  • Research
  • Oversight of the healthcare system (e.g. licensing and regulation)
  • Law enforcement
  • Judicial and administrative proceedings
  • Medical examinations
  • Body identification of a deceased person or investigation of the cause of death
  • Directories
  • Workers compensation
  • Other situations where the use or disclosure is mandated by other laws (e.g. state and local)

While protecting patient privacy was HIPAA’s main objective, it wasn’t the only one. HIPAA intended to streamline healthcare functions and improve efficiency in the healthcare industry overall.

It’s understandable that the fear of violating HIPAA has led many entities to apply HIPAA overzealously, and this is especially common when covered entities aren’t aware of the HIPAA exceptions. But applying regulations more rigorously than necessary can potentially stifle healthcare functions and harm efficiency — having the opposite effect of what HIPAA was trying to accomplish in the first place.

Strike Graph can help you understand HIPAA compliance

The HIPAA Administrative Simplification document uses the word “exception” 50 times and the word “except” more than 100 additional times. Exceptions also exist that aren’t in this document. In other words, there are a lot of exceptions your business needs to be aware of.

If your organization is unaware of all of these HIPAA exceptions, it’s in your best interest to seek professional compliance advice in order to ensure you’re not going overboard with applying HIPAA rules and regulations. Thankfully, we here at Strike Graph are happy to help.

We’ll systematically assess your organization’s unique risk of HIPAA violations and make it easy to put controls in place. Once your new controls are up and running, we’ll then conduct an independent HIPAA compliance evaluation so you know with certainty your organization is meeting all HIPAA privacy, integrity, and security standards. It will also ensure you never break trust with your clients.

Our framework can also keep you from doing the same work multiple times by using the same controls you enter into our system across multiple years and multiple security frameworks, including SOC 2, ISO 27001, ISO 27701, PCI DSS, GDPR, and CCPA.