The Health Insurance Portability and Accountability Act (HIPAA) is a collection of medical privacy regulations for healthcare organizations handling protected health information (PHI). HIPAA sets the standard for security, privacy, and integrity of patient data handling, but there are some exceptions to HIPAA.
Knowing these exemptions can make certain medical situations and instances of patient information sharing easier to deal with. Let’s take a look at them now.
When there is a contradiction between HIPAA and state law, HIPAA takes precedence, except in a few specific circumstances. State law preempts HIPAA in these situations:
Public schools, colleges, and other educational institutions that provide medical services for students and staff as a work benefit aren’t considered covered entities under HIPAA. However, if an educational institution provides medical services for members of the public, the educational institution becomes a hybrid entity. This means they have to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.
There are a few HIPAA rule exceptions based on operations and occupation. Organizations that fall under the following guidelines qualify for some HIPAA exceptions:
Exceptions for emergency situations were outlined in a bulletin released in 2014 by the US Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) in response to public health crises around the world.
This bulletin clarified how a patient's PHI can be used in emergency situations without violating rules. While it states explicitly that the Privacy Rule is "not set aside during an emergency," it defines additional ways that PHI can be used for "critical purposes." When it comes to sharing patient information, these exceptions are allowed in emergency situations:
It’s important to note that covered entities must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the above purposes.
In addition to the Privacy Rule exceptions listed above when it comes to emergency situations, covered entities may also use and disclose protected health information without individual authorization for the following purposes:
While protecting patient privacy was HIPAA’s main objective, it wasn’t the only one. HIPAA intended to streamline healthcare functions and improve efficiency in the healthcare industry overall.
It’s understandable that the fear of violating HIPAA has led many entities to apply HIPAA overzealously, and this is especially common when covered entities aren’t aware of the HIPAA exceptions. But applying regulations more rigorously than necessary can potentially stifle healthcare functions and harm efficiency — having the opposite effect of what HIPAA was trying to accomplish in the first place.
The HIPAA Administrative Simplification document uses the word “exception” 50 times and “except” more than 100 additional times. Further exceptions exist that aren’t in this document at all. In other words, there are a lot of exceptions your business needs to be aware of.
If your organization is unaware of all of these HIPAA exceptions, it’s in your best interest to seek professional compliance advice in order to ensure you’re not going overboard with applying HIPAA rules and regulations. Thankfully, we here at Strike Graph are happy to help.
We’ll systematically assess your organization’s unique risk of HIPAA violations and make it easy to put controls in place. Once your new controls are up and running, we’ll then conduct an independent HIPAA compliance evaluation so you know with certainty your organization is meeting all HIPAA privacy, integrity, and security standards. It will also ensure you never break trust with your clients.
Our framework can also keep you from doing the same work multiple times by using the same controls you enter into our system across multiple years and multiple security frameworks, including SOC 2, ISO 27001, ISO 27701, PCI DSS, GDPR, and CCPA.