HIPAA Exceptions

By | March 10, 2022
0 Comment

The text of the Healthcare Insurance Portability and Accountability Act is full of HIPAA exceptions – adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than necessary.

In 2007, the Reporters Committee for the Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies unjustifiably withheld news from reporters for fear of violating HIPAA – even though several of the entities were not covered by HIPAA.

According to the Guide, the fear of violating HIPAA led to many entities applying HIPAA overzealously – often applying standards without considering when HIPAA exceptions exist. And there are many HIPAA exceptions. A comb through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”.

It is impractical to list all the HIPAA exceptions in one article, especially as some exist which are not mentioned in the Administrative Simplification provisions. Therefore, we have highlighted a few of the most common exceptions and recommend Covered Entities seek professional compliance advice to identify others that may be relevant to their specific circumstances.

HIPAA General Rule Exceptions

The first HIPAA exceptions appear in the General Rule (45 CFR § 160.102). The General Rule stipulates that when there is a contradiction between HIPAA and State law, HIPAA takes precedence. However, there are multiple exceptions listed in the General Rule including that State law preempts HIPAA when the State law:

  • Has more stringent privacy provisions than HIPAA,
  • Provides for reporting information to public health agencies, and
  • Requires a health plan to report information for the purpose of audits, etc.

The first exception is the one that has caused more problems for HIPAA Covered Entities than most. This is because nearly every state has a law relating to the privacy of patient information with more stringent privacy provisions than HIPAA. However, many State laws apply to only one element of privacy information (i.e., HIV-related information), only in specific circumstances (i.e., for emergency care), or only to certain entities (i.e., pharmacists).

The other two General Rule exceptions can also be problematic for Covered Entities because, although a State law may permit certain disclosures of PHI to state and federal agencies, the information provided to state and federal agencies can be accessed via Freedom of Information requests. If Freedom of Information requests reveal the Covered Entity has provided more PHI than the minimum necessary, they would be in violation of HIPAA.

Most other uses of the word “exception” in the text of HIPAA relate to exceptions from transaction standards and medical code sets. However, it is worth noting exceptions exist to the right to revoke a patient authorization for the disclosure of PHI and to who should be given Notices of Privacy Practices (i.e., inmates of correction institutions). Covered Entities with public-facing operations may need to be familiar with these HIPAA exceptions.

Other State and Federal HIPAA Exceptions

The relationship between HIPAA and other state and federal laws can further complicate HIPAA compliance due to multiple HIPAA exceptions. The best example of a complicated relationship of this nature is the relationship between HIPAA, the Family Education Rights and Privacy Act (FERPA), and the Texas´ Medical Records Privacy Act (as amended by HB300).

Generally, public schools, colleges, and other educational institutions that provide medical services for students and staff (as a work benefit) are not considered to be Covered Entities under HIPAA. This is because medical treatments provided to students are classified as educational records and protected by FERPA, while medical services provided for staff are non-portable benefits.

Complications start to arise when an educational institution provides medical services for members of the public (i.e., a medical teaching university). Under these circumstances, the educational institution becomes a hybrid entity and has to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.

When the educational institution is covered by the Texas Medical Records Privacy Act, all medical treatment records relating to students, staff, and the public are subject to HIPAA-esque privacy standards. This is further complicated by the Texas Medical Records Act applying to all citizens of Texas regardless of their location. Consequently, a medical teaching university in New York could be required to comply with three sets of regulations if it accepts mature students from Texas.

Operational and Occupational Exceptions

Operational and occupation exceptions to HIPAA can occur in many different circumstances. For example:

  • Ambulance services that bill electronically are subject to HIPAA; but in counties without electronic billing, HIPAA does not apply to ambulance services.
  • Some uses and disclosures of PHI allowed by the Privacy Rule are not allowed by the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).
  • Exceptions exist to the privacy requirements for psychotherapy notes when state laws mandate a duty to warn (i.e., of imminent harm) or duty to report (i.e., abuse).
  • Exceptions to a patient´s right to an accounting of disclosures exist if a Covered Entity is ordered not to release the information by a health oversight agency or law enforcement officer.

HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception, healthcare professionals are allowed to disclose Protected Health Information to command authorities without the patient´s authorization in order to report on the patient´s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

Why it is Important to be Aware of HIPAA Exceptions

Protecting patient privacy was not the only objective of HIPAA. The Act also intended to streamline healthcare functions and improve efficiency in the healthcare industry. Covered Entities who are not aware of the HIPAA exceptions can apply the regulations more rigorously than necessary – potentially stifling healthcare functions and harming efficiency. Therefore, if you are unaware of the HIPAA exceptions, it is in your best interests to seek professional compliance advice.

The post HIPAA Exceptions appeared first on HIPAA Journal.