The text of the Healthcare Insurance Portability and Accountability Act is full of HIPAA exceptions – adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than necessary.
In 2007, the Reporters Committee for the Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies unjustifiably withheld news from reporters for fear of violating HIPAA – even though several of the entities were not covered by HIPAA.
According to the Guide, the fear of violating HIPAA led to many entities applying HIPAA overzealously – often applying standards without considering when HIPAA exceptions exist. And there are many HIPAA exceptions. A comb through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”.
It is impractical to list all the HIPAA exceptions in one article, especially as some exist which are not mentioned in the Administrative Simplification provisions. Therefore, we have highlighted a few of the most common exceptions and recommend Covered Entities seek professional compliance advice to identify others that may be relevant to their specific circumstances.
HIPAA General Rule Exceptions
The first HIPAA exceptions appear in the General Rule (45 CFR § 160.102). The General Rule stipulates that when there is a contradiction between HIPAA and State law, HIPAA takes precedence. However, there are multiple exceptions listed in the General Rule including that State law preempts HIPAA when the State law:
- Has more stringent privacy provisions or patients' rights than HIPAA,
- Provides for reporting information to public health agencies, and
- Requires a health plan to report information for the purpose of audits, etc.
The first exception is the one that has caused more problems for HIPAA Covered Entities than most. This is because nearly every state has a law relating to the privacy of patient information with more stringent privacy provisions than HIPAA. However, many State laws apply to only one element of privacy information (e.g., HIV-related information), only in specific circumstances (e.g., for emergency care), or only to certain entities (e.g., pharmacists).
The other two General Rule exceptions can also be problematic for Covered Entities because, although a State law may permit certain disclosures of PHI to state and federal agencies, the information provided to state and federal agencies can be accessed via Freedom of Information requests. If Freedom of Information requests reveal the Covered Entity has provided more PHI than the minimum necessary, they would be in violation of HIPAA.
Most other uses of the word “exception” in the text of HIPAA relate to exceptions from transaction standards and medical code sets. However, it is worth noting exceptions exist to the right to revoke a patient authorization for the disclosure of PHI and to who should be given Notices of Privacy Practices (i.e., inmates of correctional institutions). Covered Entities with public-facing operations may need to be familiar with these HIPAA exceptions.
Other State and Federal HIPAA Exceptions
The relationship between HIPAA and other state and federal laws can further complicate HIPAA compliance due to multiple HIPAA exceptions. The best example of a complicated relationship of this nature is the relationship between HIPAA, the Family Education Rights and Privacy Act (FERPA), and the Texas Medical Records Privacy Act (as amended by HB300).
Generally, public schools, colleges, and other educational institutions that provide medical services for students and staff (as a work benefit) are not considered to be Covered Entities under HIPAA. This is because medical treatments provided to students are classified as educational records and protected by FERPA, while medical services provided for staff are non-portable benefits.
Complications start to arise when an educational institution provides medical services for members of the public (e.g., a medical teaching university). Under these circumstances, the educational institution becomes a hybrid entity and has to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.
When the educational institution is covered by the Texas Medical Records Privacy Act, all medical treatment records relating to students, staff, and the public are subject to HIPAA-esque privacy standards. This is further complicated by the Texas Medical Records Act applying to all citizens of Texas regardless of their location. Consequently, a medical teaching university in New York could be required to comply with three sets of regulations if it accepts mature students from Texas.
Operational and Occupational Exceptions
Operational and occupational exceptions to HIPAA can occur in many different circumstances. For example:
- Ambulance services that bill electronically are subject to HIPAA; but in counties without electronic billing, HIPAA does not apply to ambulance services.
- Healthcare facilities are allowed to disclose directory “health condition” information to callers or visitors who ask about the patient by name.
- Some uses and disclosures of PHI allowed by the Privacy Rule are not allowed by the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).
- Exceptions exist to the privacy requirements for psychotherapy notes when state laws mandate a duty to warn (i.e., of imminent harm) or duty to report (i.e., abuse).
- Exceptions to a patient's right to an accounting of disclosures exist if a Covered Entity is ordered not to release the information by a health oversight agency or law enforcement officer.
HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception, healthcare professionals are allowed to disclose Protected Health Information to command authorities without the patient's authorization in order to report on the patient's fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.
HIPAA Privacy Rule Exceptions
The HIPAA Privacy Rule occupies Subpart E of the Administrative Simplification provisions (45 CFR § 164.501 – 164.534) and, within this subpart, there are multiple exceptions to HIPAA. To help Covered Entities and Business Associates better negotiate the volume of HIPAA Privacy Rule exceptions, we have included those that relate to confidentiality in a separate section below.
The first HIPAA Privacy Rule exception to be aware of is that the Privacy Rule does not apply to the Department of Defense (DoD), a federal agency, or any organization acting on behalf of either when the DoD, federal agency, or organization acting on behalf of either provides healthcare services to an overseas foreign national beneficiary. This exception has caused some confusion because it has been interpreted in various ways, so here is a brief explanation.
Under the HIPAA Privacy Rule, Covered Entities and Business Associates must protect personally identifiable information of an individual regardless of the individual's nationality or the location in which the Covered Entity or Business Associate collects, processes, maintains, uses, or discloses PHI. The exception exists because (for example) in a war zone it would be impractical to deny treatment to an injured soldier because they did not understand they had to give consent.
Further HIPAA Privacy Rule exceptions exist when the PHI of one individual is included with the PHI of another. This can happen if (for example) a patient's medical record includes medical information relating to their parents. In this example, the PHI in the patient's medical record must be safeguarded as one; and although the parents' PHI is recorded in the patient's medical record, neither parent has the right to access the medical record and request amendments to their PHI.
HIPAA Exceptions to Confidentiality
Most HIPAA exceptions to confidentiality relate to uses and disclosures “required by law” and “for health care operations”. These include (but are not limited to):
- When a Covered Entity is a defendant or witness in a malpractice claim.
- When a Covered Entity is contesting a licensing revocation.
- When a Covered Entity is pursuing payment of an outstanding bill.
- When a Covered Entity conducts a patient safety activity (e.g., fire drill).
- When a Covered Entity conducts training programs or credentialling activities.
HIPAA exceptions to confidentiality attributable to health care operations can be a gray area. Consequently, it is recommended any uses and disclosures in non-standard circumstances are documented and retained for accounting of disclosures purposes – even though the use or disclosure may be allowed under the HIPAA Privacy Rule. Additionally, in all cases it is important Covered Entities only disclose the minimum necessary PHI for the stated purpose.
Further HIPAA exceptions to confidentiality exist when a law enforcement official requests health data for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. However, although it is permissible to disclose an individual's blood type under these circumstances, Covered Entities are not allowed to disclose information such as dental records, DNA, or body tissue analyses – elements of PHI that would help identify the body of a missing person.
Conversely, there are no limitations on the nature of PHI it is permissible to disclose to law enforcement officers when attending an off-site emergency, nor when disclosing PHI to a law enforcement officer on-site if the nature of the emergency is related to abuse, neglect, or domestic violence. Despite these HIPAA exceptions to confidentiality, it is recommended to seek the consent of the patient if possible, and to check state disclosure laws for superseding contradictions.
Summary: HIPAA Exceptions List
As mentioned previously, it would be impractical to compile a HIPAA exceptions list because there are many exceptions in the Transactions and Code Sets Rule that would be irrelevant to most Covered Entities. Nonetheless, to summarize what has been discussed thus far:
- HIPAA preempts state law unless a state law has stronger privacy provisions or enhances patients´ rights.
- HIPAA exceptions also exist when a state law has public agency reporting requirements.
- Exceptions to the right to revoke patient authorizations exist in certain circumstances.
- There are also exceptions to when it is necessary to provide a Notice of Privacy Practices.
- HIPAA does not apply in most schools as medical records are classed as educational under FERPA.
- Exceptions to the school exception may apply with regards to records of immunization.
- HIPAA does not apply to healthcare services and facilities that do not conduct covered transactions.
- Standard disclosure rules do not apply to substance use disorder patient records.
- State laws can also override HIPAA on the non-disclosure of psychotherapy notes.
- Further exceptions exist in the Armed Forces and when an overseas foreign national beneficiary receives treatment provided by the DoD, a federal agency, or an organization working on behalf of either.
Why it is Important to be Aware of HIPAA Exceptions
Protecting patient privacy was not the only objective of HIPAA. The Act also intended to streamline healthcare functions and improve efficiency in the healthcare industry. Covered Entities who are not aware of the HIPAA exceptions can apply the regulations more rigorously than necessary – potentially stifling healthcare functions and harming efficiency. Therefore, if you are unaware of the HIPAA exceptions, it is in your best interests to seek professional compliance advice.
HIPAA Exceptions FAQs
How can I find out which State laws preempt HIPAA in my area?
Speak with a compliance professional or healthcare attorney in your area. If you would like some background information before doing so, the healthit.gov website published a “Report on State Law Requirements for Patient Permission to Disclose Health Information” (PDF). Although this may now be out of date in some areas, Appendix A includes some useful state-by-state information relating to which privacy information, circumstances, and entities are exempt from authorizations.
Does FERPA or HIPAA apply to elementary student health records maintained by a health care provider not employed by the school?
When health services are provided to students by an entity not employed by, under contract to, or otherwise acting on behalf of the school, the student health records are not educational records subject to FERPA even when the health services are provided on the school campus. For example, immunization services provided by a public health agency to students on the school campus are subject to the HIPAA Privacy Rule and, if data are stored electronically, the HIPAA Security Rule.
Where the HIPAA Privacy Rule applies, does it allow an external healthcare provider to disclose PHI about a student to a school nurse or physician?
Yes. The HIPAA Privacy Rule allows covered healthcare providers to disclose PHI about students to school nurses, physicians, and other health care providers for treatment purposes without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other healthcare needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.
What is the duty to warn exception that applies to psychotherapy notes?
Psychotherapy notes contain sensitive information not usually required for treatment, payment, or healthcare operations, and therefore should not be disclosed without a patient's written authorization. However, the duty to warn exception gives healthcare professionals the authority to disclose their notes when they believe a patient poses a threat to another person. This exception also protects healthcare professionals from prosecution for breach of confidentiality.
How likely is it PHI will be disclosed in a Freedom of Information request?
Under the Freedom of Information Act Exemption 6, public agencies can withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” However, the inclusion of the word “can” implies PHI could be disclosed in a Freedom of Information request if the information is considered to be in the public interest. Unfortunately, different public agencies interpret Exemption 6 in different ways.
When does HIPAA not apply?
In addition to the examples discussed above, HIPAA does not apply when payments are processed by a bank or other financial institution – even when PHI is disclosed to the payment processor by the healthcare provider or health plan on whose behalf payments are being processed. Additionally, under 42 USC § 1320d-8, individuals do not have the right to request PHI is not disclosed to banks and financial institutions.
Can HIPAA information be shared with law enforcement?
HIPAA information can be shared with law enforcement, but the circumstances of each request determine what information can be shared. For example, a Covered Entity may be required by law to disclose certain types of wounds or other physical injuries or may be required to comply with a court order – in which case the court order must stipulate the scope of information required.
When sharing HIPAA information with law enforcement for identification or location purposes, §164.512 limits what information can be shared. Therefore, while it is permissible to share a patient's name, address, type of injuries, and distinguishing features, it is not permissible to share images, dental records, or car license plate number.
What is an example of when HIPAA does not apply?
One current issue relating to when HIPAA does not apply – at least partly – concerns vendors of personal health records. Even though personal health records collect individually identifiable health information that can be used and disclosed by vendors, the HIPAA Privacy and Security Rules do not apply. However, if a vendor experiences a data breach, the vendor must comply with the Breach Notification Rule – notifying individuals and the Federal Trade Commission of the breach.
Who is exempt from HIPAA?
Although one of the objectives of HIPAA was to protect the confidentiality of health and payment information, and despite the fact that direct patient payments to healthcare providers can sometimes reveal what the payment was for (e.g., counselling services), banks and payment processors are exempt from HIPAA. Consequently, Covered Entities should be careful about how direct patient payments are initiated to comply with the minimum necessary standard.
The post HIPAA Exceptions appeared first on HIPAA Journal.