Exceptions to HIPAA Privacy Rule

In limited circumstances, the HIPAA Privacy Rule permits covered entities to use and disclose health information without individual authorization. Covered entities may use and disclose protected health information without authorization for their own treatment, payment, and healthcare operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities that are part of ensuring appropriate treatment and payment.

Limitations apply to uses and disclosures for the purpose of facilitating another party's activities. Exceptions are allowed for a covered entity to disclose PHI to:

  • any other provider (even a non-covered entity) to facilitate that providers treatment activities
  • any covered entity or any provider (even a non-covered entity) to facilitate that party's payment activities
  • another covered entity to facilitate that some of that entity's healthcare operations
  • any other covered entity within the same organized healthcare arrangement for any healthcare operations arrangement.

These activities are referred to as treatment, payment, and healthcare operations (TPO). We may in the future see more clearly defined limitations to payment and healthcare operations activities. However, there are no limitations on treatment. If a healthcare provider requests the entire record to treat a patient, there should be no objection to that request. Doctors may need access to historical records to determine how to treat a critical patient. However, to bill for services or make a payment, there is no need to see the test results; the only information needed is the fact that the test has been done.

Covered entities may use or disclose protected health information for treatment, payment, and healthcare operations without the individual's authorization.

Exceptions to the HIPAA Privacy Rule with Examples

Covered entities may also use and disclose protected health information without individual authorization for certain public interest-related activities. These include:

  • oversight of the healthcare system, including licensing and regulation
  • public health, and in emergencies affecting the life or safety
  • research
  • judicial and administrative proceedings
  • law enforcement
  • to provide information to next of kin
  • for identification of the body of the deceased person or the cause of death
  • for directories
  • workers compensation
  • medical examiner
  • in other situations where the use or disclosure is mandated by other laws

These types of disclosures are to be documented in the Accounting of Disclosures and are considered non-routine. Routine disclosures are treatment, payment, and healthcare operations (TPO) and do not need to be listed on the Accounting of Disclosures log.

If you have any questions, feel free to reach us by email at support@hcp.md or by phone at 855-427-0427.

Not a current HCP client? Schedule a free consultation.