The text of the Health Insurance Portability and Accountability Act is full of HIPAA exceptions, which add to the complexity of complying with the Act and often result in organizations and public agencies applying far more stringent restrictions than the law requires.
In 2007, the Reporters Committee for Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies withheld newsworthy information from reporters for fear of violating HIPAA, even though several of the entities were not covered by HIPAA at all.
According to the Guide, fear of violating HIPAA led many entities to apply HIPAA overzealously, enforcing its standards without considering whether one of the many HIPAA exceptions applied. A search through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”.
It is impractical to list all the HIPAA exceptions in one article, especially as some are not found in the Administrative Simplification provisions at all. Therefore, we have highlighted a few of the most common exceptions and recommend Covered Entities seek professional compliance advice to identify others that may be relevant to their specific circumstances.
HIPAA General Rule Exceptions
The first HIPAA exceptions appear in the General Rule on preemption of State law (45 CFR § 160.203). The General Rule stipulates that when a HIPAA standard is contrary to a provision of State law, HIPAA preempts the State law. However, the General Rule lists multiple exceptions under which the State law is not preempted, including when the State law:
- Has more stringent privacy provisions than HIPAA,
- Provides for reporting information to public health agencies, and
- Requires a health plan to report, or provide access to, information for the purpose of management or financial audits, program monitoring, facility licensure, or similar functions.
The first of these exceptions has caused more problems for HIPAA Covered Entities than any other, because nearly every state has a law relating to the privacy of patient information with more stringent privacy provisions than HIPAA. However, many State laws apply to only one category of health information (e.g., HIV-related information), only in specific circumstances (e.g., emergency care), or only to certain entities (e.g., pharmacists), so a Covered Entity has to work out which State provisions apply to which of its records rather than applying the stricter State standard across the board.
The other two General Rule exceptions can also be problematic for Covered Entities. Although a State law may permit certain disclosures of PHI to state and federal agencies, information held by those agencies can be requested under Freedom of Information or state public records laws. Disclosures that are permitted but not required by law remain subject to the minimum necessary standard, so if such a request reveals that the Covered Entity provided more PHI than was necessary for the agency's purpose, the Covered Entity could be found in violation of HIPAA.
Most other uses of the word “exception” in the text of HIPAA relate to exceptions from the transaction standards and medical code sets. However, it is worth noting that exceptions also exist to a patient's right to revoke an authorization for the disclosure of PHI (e.g., to the extent the Covered Entity has already acted in reliance on it) and to the requirement to provide a Notice of Privacy Practices (e.g., to inmates of correctional institutions). Covered Entities with public-facing operations may need to be familiar with these HIPAA exceptions.
Other State and Federal HIPAA Exceptions
The relationship between HIPAA and other state and federal laws can further complicate HIPAA compliance due to multiple HIPAA exceptions. The best example of a complicated relationship of this nature is the relationship between HIPAA, the Family Educational Rights and Privacy Act (FERPA), and the Texas Medical Records Privacy Act (as amended by HB300).
Generally, public schools, colleges, and other educational institutions that provide medical services to students, and to staff as an employment benefit, are not subject to the HIPAA Privacy Rule for those records. This is because records of treatment provided to students are education records (or, for post-secondary students, treatment records) protected by FERPA, and the Privacy Rule excludes both from the definition of PHI, while health information about staff held by the institution in its role as employer is an employment record, which the Privacy Rule also excludes.
Complications arise when an educational institution also provides medical services to members of the public (e.g., a medical teaching university with a hospital). Under these circumstances, the institution becomes a hybrid entity and has to implement safeguards that keep FERPA-covered student records separate from HIPAA-covered PHI, and staff who handle both types of record have to follow two sets of rules.
Where the educational institution is also subject to the Texas Medical Records Privacy Act, all medical treatment records relating to students, staff, and the public are subject to HIPAA-like privacy standards. This is further complicated by the Texas Medical Records Privacy Act applying to Texas residents regardless of their location. Consequently, a medical teaching university in New York could be required to comply with three sets of regulations if it accepts mature students from Texas.
Operational and Occupational Exceptions
Operational and occupational exceptions to HIPAA arise in many different circumstances. For example:
- A healthcare provider is a Covered Entity only if it transmits health information electronically in connection with a HIPAA standard transaction, such as billing. An ambulance service that bills electronically is therefore subject to HIPAA, while one that bills only on paper is not.
- Healthcare facilities may disclose facility directory information, including the patient's condition in general terms, to callers or visitors who ask about the patient by name, unless the patient has objected.
- Some uses and disclosures of PHI permitted by the Privacy Rule are prohibited by the federal Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2), which apply to records held by Part 2 programs.
- Exceptions exist to the privacy requirements for psychotherapy notes when state laws mandate a duty to warn (e.g., of imminent harm) or a duty to report (e.g., abuse).
- A Covered Entity must temporarily suspend a patient's right to an accounting of disclosures made to a health oversight agency or law enforcement official if that agency or official states that an accounting would be reasonably likely to impede its activities.
HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception (45 CFR § 164.512(k)(1)), healthcare professionals are allowed to disclose PHI to appropriate military command authorities without the patient's authorization in order to report on the patient's fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.
Why it is Important to be Aware of HIPAA Exceptions
Protecting patient privacy was not the only objective of HIPAA. The Act was also intended to streamline healthcare functions and improve efficiency in the healthcare industry. Covered Entities that are not aware of the HIPAA exceptions can apply the regulations more rigorously than necessary, potentially stifling healthcare functions and harming efficiency. Therefore, if you are unsure which HIPAA exceptions apply to your organization, it is in your best interests to seek professional compliance advice.
HIPAA Exceptions FAQs
How can I find out which State laws preempt HIPAA in my area?
Speak with a compliance professional or healthcare attorney in your area. If you would like some background information before doing so, the healthit.gov website published a “Report on State Law Requirements for Patient Permission to Disclose Health Information” (PDF). Although this may now be out of date in some areas, Appendix A includes some useful state-by-state information relating to which privacy information, circumstances, and entities are exempt from authorizations.
Does FERPA or HIPAA apply to elementary student health records maintained by a health care provider not employed by the school?
When health services are provided to students by an entity not employed by, under contract to, or otherwise acting on behalf of the school, the student health records are not educational records subject to FERPA even when the health services are provided on the school campus. For example, immunization services provided by a public health agency to students on the school campus are subject to the HIPAA Privacy Rule and, if data are stored electronically, the HIPAA Security Rule.
Where the HIPAA Privacy Rule applies, does it allow an external healthcare provider to disclose PHI about a student to a school nurse or physician?
Yes. The HIPAA Privacy Rule allows covered healthcare providers to disclose PHI about students to school nurses, physicians, and other health care providers for treatment purposes without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other healthcare needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.
What is the duty to warn exception that applies to psychotherapy notes?
Psychotherapy notes contain sensitive information that is not usually required for treatment, payment, or healthcare operations, and therefore should not be disclosed without the patient's written authorization. However, the Privacy Rule permits a healthcare professional, consistent with applicable law and standards of ethical conduct, to disclose PHI when they believe in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to a person or the public. State duty-to-warn laws build on this by requiring or permitting such disclosures and, in many states, shielding the professional from liability for breach of confidentiality when the disclosure is made.
How likely is it PHI will be disclosed in a Freedom of Information request?
Under Freedom of Information Act Exemption 6, federal agencies can withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” However, the exemption permits rather than requires withholding, so PHI could be disclosed in response to a Freedom of Information request if the agency considers disclosure to be in the public interest. Unfortunately, different public agencies interpret Exemption 6 in different ways.