Exceptions to the HIPAA Privacy Policy

Section 1. Exceptions to the HIPAA Privacy Policy

Although the privacy rule has placed stringent parameters around the transmission of personal health information, it is recognized that health providers are required to maintain and transmit PHI in the course of conducting business. There are several situations in which the medical facility is not required to notify the patient or obtain written express permission for a disclosure.

The scenarios that do not require written patient authorization are:

  • A covered entity is allowed under the privacy rule to disclose protected health information to the patient or authorized representative without prior written approval.
  • A covered entity may also disclose PHI to aid in TPO, which is the acronym for "Treatment, Payment and Health Care Operations". These are the situations in which a medical provider (who is a covered entity) shares patient information with other covered entities or business associates, in an effort to treat the patient's illness, receive payment for services rendered, or to engage in quality checks and case management in an effort to enhance health care operations.

Protected health information is shared under the umbrella of TPO in almost every medical-related facility, from a large hospital to the corner drugstore. The three components of TPO are defined below:

Treatment - This is defined as personal health information transmitted while in the act of providing, coordinating, or managing the health care of a patient. This includes consultations between doctors. An example is a primary care physician consulting with a specialist regarding a patient's diagnosis and treatment plan. Also included is information transmitted when referring a patient for outpatient laboratory testing or a diagnostic ultrasound.

Payment - This is defined as all activities that a provider of health service must undertake to receive payment for a health encounter. This includes submitting a claim to the patient's health plan for payment, checking patient eligibility and claim status, receiving and applying payment and rejections, as well as billing the patient for applicable co-pays and co-insurance.

Health Care Operations - In the course of business, a medical practitioner or establishment will engage in a number of administrative tasks to ensure the smooth and effective operation of the business. These tasks include audits of patient files, quality checks and improvement initiatives, staff competency and compliance evaluations, as well as administrative duties -- such as de-identifying PHI and creating data sets of patient information for research purposes.

  • Opportunity to Agree or Object - There are some instances in which there may not be time to obtain a formal written authorization. In these cases, it is permissible to obtain an informal verbal authorization from the patient or his authorized representative. Asking the patient outright can also be waived if the patient has had a significant opportunity to agree or object to the request for disclosure. If the patient is incapacitated and there is no authorized representative, medical professionals may use their professional judgment and ethics in determining what information to disclose.

Informal authorization is also acceptable in the case of discussing treatment and outcomes with a patient's spouse and family members that are involved in the patient's care. Informal authorization is also applicable for the purposes of notifying family members responsible for the patient about their location, condition, or death.

  • Incidental Use and Disclosure - It is possible for protected health information to be disclosed in a situation for which the patient has not provided express written permission. However, it is considered permissible if this disclosure was incidental or related to another use or disclosure that the patient has given permission for.

This usage of PHI is acceptable as long as the covered entity can assure that there exists in the organization a reasonable safeguard against the misuse of PHI. Also, it is critical that the information shared adhere to the "minimum necessary" rule that will be explained in an upcoming lesson.

  • Public Interest and Benefit Activities - Otherwise protected health information can be released without patient consent in 12 scenarios, which are labeled as "national priority purposes." This is the release of personally identifiable health information to non-medical entities. In these situations, the rule seeks to balance the individual's privacy rights against the need to identify someone in order to serve the public interest.

The scenarios that fall under the umbrella of public trust are as follows:

- Required by Law - Information may be provided by a covered entity to law enforcement officials to fulfill a court order, statute, or legal regulation.

- Public Health Activities - Covered entities can reveal protected health information to:
  1. Public health officials who are responsible for monitoring and stopping the spread of disease or injury.
  2. FDA-regulated companies, if there is data that would support the monitoring of effectiveness or adverse events related to their products.
  3. Individuals who may have been exposed to transmittable diseases that are tracked by the government and require reporting.
  4. Employers, regarding their employees, in order to evaluate work-related illnesses or claims, manage workers compensation claims, and address OSHA violations.

- Victims of Abuse, Neglect, or Domestic Violence - In cases of suspected abuse, it is permissible to report the incident to the authorities, including providing protected health information.

- Health Oversight Activities - Personally identifiable health information may be released to government agencies that are responsible for providing oversight for the health care system, including government health programs, such as Medicare and Medicaid.

- Judicial and Administrative Proceedings - PHI may be disclosed to the court system in response to a subpoena, court order or administrative tribunal. Notice should be sent to the subject of the order that their information has been shared.

- Law Enforcement Purposes - Protected health information may be shared with law enforcement officials under the following circumstances:
  1. As required by law to adjudicate warrants or subpoenas.
  2. To locate a suspect, witness, or fugitive.
  3. To provide law enforcement officials with information on the victim, or suspected victim, of a crime.
  4. To notify law enforcement in the case of a suspicious death, which may have resulted from criminal activity.
  5. As evidence of a crime that occurred in the facility of a covered entity.
  6. In the case of an emergency involving one of its patients, even if the incident occurred offsite, a covered entity may provide PHI to inform law enforcement about a possible crime, its victims, its perpetrators, or the location thereof.

- Decedents - In the case of death, PHI can be disclosed to the coroner's office for identification purposes and to determine the cause of death. PHI may also be released to the funeral home as needed.

- Organ Donation - PHI can be released by covered entities to facilitate the donation of cadaver organs and tissue.

- Research - PHI can be released in the case of medical research, provided the researchers warrant that the information is necessary for the preparation or execution of the research study and will not be used in any other way.

- Serious Threat to Health and Safety - PHI can be released without consent to law enforcement officials to aid in the capture of an escaped prisoner or a violent criminal. Protected health information can also be released if there is credible reason to believe that there is an imminent threat to an individual or the public at large.

- Essential Government Functions - Covered entities are allowed to release protected health information for the completion of government duties and functions, including military missions, national security initiatives, protection of the President, evaluating State Department employees, and providing health services to inmates.

- Workman's Compensation - Covered entities may release PHI without authorization in the course of evaluating and certifying employee injury claims.

  • Limited Data Set - For the purposes of research, health care operations, and public health, identifying information may be removed from a select group of patient records and the remaining data transmitted. Limited data is left, but what remains can still be used for statistical, research, or policy-making purposes.

Food for Thought

Were you aware that there were so many instances in which PHI could be shared without patient authorization?
What are your thoughts regarding this?
Does this make you look at your own health information differently?
Although the HIPAA privacy policy strives to protect patients and limit disclosures of PHI, it also acknowledges that there are some instances in which disclosure is necessary to maintain the law, protect public interest, and expedite medical care.