
HIPAA exceptions and exemptions: How they affect your compliance strategy

Last updated on October 17, 2025

The Health Insurance Portability and Accountability Act (HIPAA) sets strict rules for how covered entities and business associates handle protected health information (PHI). At first glance, these rules can seem absolute, but HIPAA is not without its exceptions. The law recognizes that there are circumstances where health information must be used or disclosed differently, either to protect public interests, enable essential operations, or comply with other laws.

Understanding these exceptions is critical. For one, it helps you avoid being overly restrictive in ways that could slow down care or operations. It also ensures you don’t mistakenly deny rights that individuals are entitled to. Most importantly, knowing where HIPAA draws the line helps compliance leaders strike the right balance between patient privacy and organizational obligations.

In this blog, we’ll peel back the layers of HIPAA’s exceptions, from exclusions in the very definition of PHI, to carve-outs in the Privacy Rule, Breach Notification Rule, and the Minimum Necessary standard. By the end, you’ll see that exceptions aren’t loopholes; they are carefully crafted guardrails designed to keep privacy protections strong while making room for real-world needs.

What are HIPAA exceptions?

HIPAA exceptions are specific situations where the law allows health information to be used or disclosed differently than the general rule. While HIPAA generally requires written authorization to use or disclose protected health information (PHI) for purposes beyond treatment, payment, and healthcare operations, it also explicitly permits certain disclosures without authorization, such as for public health, health oversight activities, law enforcement, and when required by law.

Exceptions outline when covered entities and business associates can act without that authorization, or when certain information is not even considered PHI under the law.

These exceptions are written directly into the HIPAA regulations by the Department of Health and Human Services (HHS). They are not loopholes or workarounds; rather, they are deliberate carve-outs designed to ensure that privacy protections do not interfere with critical functions such as public health, law enforcement, or healthcare operations.

Importance of HIPAA exceptions

While HIPAA is built to safeguard patient privacy, its exceptions are just as vital to the law’s overall design. Without them, the rules could unintentionally block important healthcare, public safety, and operational activities. Exceptions make sure that privacy protections remain strong but flexible enough to handle real-world needs.

  • Enable quality care: Providers can share information when it directly supports diagnosis, treatment, or patient safety without unnecessary delays.
  • Protect public health: Exceptions allow disclosures to public health authorities for disease tracking, outbreak response, and safety reporting.
  • Support legal and regulatory obligations: Covered entities can comply with court orders, oversight requirements, and law enforcement needs without breaching HIPAA.
  • Balance privacy with safety: Exceptions ensure that when there is a serious and imminent threat, information can be shared to protect individuals or communities.
  • Preserve operational efficiency: Health plans, providers, and business associates can carry out essential functions, like billing, audits, and compliance, without being bogged down by excessive authorization steps.

General HIPAA rule exceptions

The HIPAA Privacy Rule does not make authorization a general requirement; it requires authorization only for uses and disclosures of PHI that the rule does not otherwise permit or require. The rule itself names two situations where disclosure is required (to the individual who requests access to or an accounting of their own PHI, and to HHS when it investigates compliance) and a much longer set of situations where disclosure is permitted without authorization. These permitted and required disclosures are the core of what people mean by "HIPAA exceptions."

According to the HHS, covered entities may use or disclose PHI without individual authorization in the following cases:

  • Treatment, payment, and healthcare operations (TPO): Providers and health plans may use and share PHI for treatment coordination, billing, claims processing, quality assessments, and other essential operational activities.
  • Public health activities: Sharing PHI with public health authorities for disease control, reporting child abuse or neglect, or ensuring drug and device safety.
  • Victims of abuse, neglect, or domestic violence: Reporting to a government authority authorized by law to receive such reports, subject to conditions on notifying the individual.
  • Health oversight activities: Providing information to government agencies that oversee healthcare programs and compliance.
  • Judicial and administrative proceedings: Responding to court orders, or to subpoenas and other lawful process when satisfactory assurances about notice to the individual or a protective order are given.
  • Law enforcement purposes: Disclosing information to identify or locate a suspect, fugitive, witness, or missing person, to report a crime on the premises, or to comply with a court order, warrant, subpoena, or administrative request. Each of these has its own conditions, and a plain request from an officer is not by itself enough.
  • Decedents and organ donation: Disclosures to coroners, medical examiners, and funeral directors, and to organ procurement organizations to facilitate donation and transplantation.
  • Research: Allowing PHI use for research under strict conditions, such as IRB or privacy board waiver of authorization, use of a limited data set under a data use agreement, or reviews preparatory to research.
  • Serious threats to health or safety: Permitting disclosures to prevent or lessen a serious and imminent threat to individuals or the public.
  • Specialized government functions: Sharing information for military missions, national security and intelligence activities, protective services, or correctional institutions.
  • Workers' compensation: Disclosures authorized by state workers' compensation laws or similar programs.

These exceptions are not blanket permissions. Each comes with conditions that covered entities must carefully follow, including applying the minimum necessary standard wherever it still applies and recording the disclosure when it must appear in an individual's accounting of disclosures (most public-interest disclosures do, while TPO disclosures do not).

Exceptions to PHI definitions

Not every piece of health-related information falls under the scope of HIPAA. The law clearly defines what qualifies as protected health information (PHI) — and just as importantly, it identifies what does not. Understanding these exceptions helps compliance leaders avoid overextending HIPAA rules to data that isn’t covered.

According to the HHS, the following are not considered PHI and therefore fall outside HIPAA’s protections:

  • Education records: Records maintained by schools that are subject to the Family Educational Rights and Privacy Act (FERPA) are not covered by HIPAA.
  • Employment records: Information that an employer holds in its role as an employer (such as HR files, sick leave notes, or workplace injury reports) is excluded.
  • De-identified health information: Data that has been stripped of identifiers so that individuals cannot be reasonably identified is not considered PHI. HIPAA sets two specific standards for de-identification. The "Safe Harbor" method removes 18 listed identifier types (names, all elements of dates other than year, ZIP codes beyond the first three digits, phone numbers, email addresses, Social Security and medical record numbers, and so on) and also requires that the covered entity have no actual knowledge that the remaining data could identify the individual. The "expert determination" method instead relies on a qualified expert's documented finding that the risk of re-identification is very small.
  • Health information of individuals deceased for more than 50 years: Once this time period has passed, HIPAA protections no longer apply to the decedent’s health information.

These exclusions matter because they determine the boundary of HIPAA’s reach. Data that doesn’t qualify as PHI may still be sensitive, but it falls outside the scope of HIPAA’s privacy and security requirements.

HIPAA privacy rule exceptions

The HIPAA Privacy Rule gives individuals important rights over their health information, including the right to access, inspect, and request copies of their records. But these rights are not absolute. HIPAA outlines specific exceptions where access can be limited or certain disclosures are permitted without authorization.

Under HHS guidance, the key exceptions within the Privacy Rule include:

  • Psychotherapy notes: Patients do not have the right to access psychotherapy notes maintained separately by a mental health professional.
  • Information compiled for legal proceedings: Records prepared for use in a civil, criminal, or administrative action may be withheld.
  • Risk of harm: Access may be denied if a licensed healthcare professional determines that releasing the information is reasonably likely to endanger the life or safety of the individual or another person.
  • Personal representatives: HIPAA generally allows personal representatives to act on behalf of individuals, but exceptions apply when state law restricts this or when disclosure could cause harm.
  • Incidental disclosures: Certain incidental disclosures are not considered HIPAA violations, provided that reasonable safeguards are in place (for example, a hospital visitor overhearing a patient’s name in a waiting area).

These exceptions are designed to balance patient rights with safety, confidentiality, and legal obligations. Covered entities must evaluate each situation carefully and document the reasons for applying any exception.

HIPAA breach notification rule exceptions

HIPAA requires covered entities and business associates to notify affected individuals, HHS, and, in some cases, the media when a breach of unsecured PHI occurs. "Unsecured" means PHI that has not been encrypted or destroyed in line with HHS guidance, so a lost laptop whose disk is properly encrypted and whose key was not also compromised does not trigger notification at all. Beyond that, not every impermissible use or disclosure of unsecured PHI qualifies as a breach. The Breach Notification Rule outlines three exceptions that recognize certain situations as low risk or outside the intent of the rule.

According to the HHS, the following do not count as breaches:

  • Unintentional access by a workforce member: When a workforce member or person acting under the authority of the covered entity or business associate unintentionally acquires, accesses, or uses PHI in good faith and within the scope of their authority, and the PHI is not further used or disclosed in a way the Privacy Rule does not permit. Example: a nurse mistakenly opens the wrong patient file and immediately closes it without sharing or acting on what they saw.
  • Inadvertent disclosures within the organization: When a person authorized to access PHI at a covered entity or business associate inadvertently discloses it to another person authorized to access PHI at the same entity (or within the same organized healthcare arrangement), and the information is not further used or disclosed impermissibly.
  • Information not reasonably retained: When an unauthorized disclosure occurs but the entity has a good-faith belief that the recipient would not reasonably have been able to retain the PHI. Example: results mailed to the wrong address come back unopened, or a handful of records are handed to the wrong person and retrieved before they could be read.

These exceptions prevent organizations from being overburdened with breach notifications in cases where the privacy risk is minimal. When none of the three applies, an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised; that assessment must weigh at least the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated. Either way, covered entities must evaluate the incident and keep the documentation, because the burden of proof for not notifying rests with them.

HIPAA minimum necessary rule exceptions

One of HIPAA’s cornerstones is the Minimum Necessary Rule, which requires covered entities and business associates to limit the use, disclosure, and request of PHI to the minimum needed to accomplish the task. But this standard does not apply in every situation. The law makes clear exceptions where the full use or disclosure of PHI is permitted.

According to the HHS, the Minimum Necessary Rule does not apply to the following:

  • Disclosures to or requests by a healthcare provider for treatment purposes: Treating providers need access to the full record to deliver safe and effective care. Note that this covers disclosures and requests between providers; uses inside the organization are still governed by its role-based access policies.
  • Disclosures made to the individual: Patients have the right to receive their own health information without restriction, including through a personal representative.
  • Uses or disclosures authorized by the individual: When a patient gives valid written authorization, the minimum necessary standard does not apply to what the authorization covers.
  • Disclosures required by law: When another law mandates disclosure, HIPAA's limitation is set aside for what that law requires.
  • Disclosures to HHS for enforcement: Full access is permitted when the Department of Health and Human Services investigates or reviews compliance.
  • Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules: For example, the data content of a standard electronic transaction is fixed by the transaction standard itself, so the minimum necessary standard does not apply to it.

These exceptions reflect a balance: while limiting unnecessary access protects privacy, HIPAA ensures that essential care, legal duties, and compliance activities are not disrupted.

Operational and occupational exceptions

HIPAA compliance is not just about patient rights; it also governs how organizations run their daily operations. Even here, HIPAA includes exceptions to ensure that necessary business, administrative, and occupational functions can take place without creating barriers.

Based on HHS and CMS guidance, the key operational and occupational exceptions include:

  • Business associate agreements (BAAs): Normally, covered entities must have a BAA in place before sharing PHI with a business associate. However, no BAA is required when a covered entity discloses PHI to a healthcare provider for treatment of the individual (for example, a referral or consultation with another provider), nor for disclosures among participants in an organized healthcare arrangement, because those parties are not acting as business associates.
  • Administrative simplification standards: HIPAA requires standard electronic transactions (like claims, eligibility checks, or remittance advice). But exceptions exist:

    • Direct data entry (DDE) transactions: Providers entering data directly into a payer's system are not required to use the standard transaction format, although the data content must still match the standard.
    • Formal exception requests: An organization may ask the HHS Secretary for an exception from a transaction or code set standard in order to test a proposed modification to that standard; the exception is time-limited and tied to the test.
  • Workforce access in occupational roles: Uses of PHI inside an organization do not require patient authorization when workforce members need the information to perform their duties, but the organization must define, by role, which categories of PHI each workforce class may access and the conditions for that access, and enforce those limits in its systems.

These exceptions recognize that healthcare is both a service and a business. They ensure that compliance doesn’t get in the way of operational realities while still keeping guardrails in place to protect PHI.

Other state and federal exceptions

HIPAA establishes national standards for protecting health information, but it does not exist in isolation. The law interacts with other state and federal requirements, and in some cases, those rules either override or narrow HIPAA’s application. These exceptions ensure that HIPAA works in harmony with broader legal frameworks rather than in conflict with them.

According to HHS guidance, the key state and federal exceptions include:

  • Preemption and state law: HIPAA generally overrides conflicting state laws, but there is an exception when a state law is more stringent. If state law gives individuals greater privacy rights or stronger access protections, that law takes precedence.
  • Public health and safety requirements: State laws that require reporting of diseases, injuries, or births and deaths continue to apply alongside HIPAA.
  • Other federal mandates: Certain federal laws can create carve-outs, such as those relating to national security, intelligence activities, or military missions.
  • Workers’ compensation programs: State workers’ compensation laws that require disclosure of health information remain effective and are not preempted by HIPAA.

These exceptions highlight HIPAA’s cooperative design: instead of being a stand-alone rulebook, it works as part of a larger legal ecosystem where privacy protections must balance with other obligations.

HIPAA exceptions are deliberate provisions that balance privacy with patient care, public health, and operational needs, making it essential for CISOs and CEOs to understand and embed them into daily workflows without disrupting efficiency or compliance.

That’s where the right tools make a difference.

Scrut helps you stay audit-ready by automating HIPAA compliance end-to-end, from policy management and evidence collection to risk tracking and vendor assessments. With 100+ integrations, you can monitor controls continuously, document exceptions correctly, and avoid drowning in manual work.


FAQs

What are the 3 exceptions to HIPAA?

HIPAA has more than three exceptions, but the most commonly cited under the Breach Notification Rule are:

  1. Unintentional access or use of PHI by a workforce member in good faith and within the scope of their authority.
  2. Inadvertent disclosure of PHI between two authorized persons within the same organization.
  3. Unauthorized disclosure where the recipient cannot reasonably retain the information.

When does state or federal law preempt HIPAA?

HIPAA generally preempts state laws that conflict with its requirements. However, if a state law is more stringent, meaning it gives individuals greater privacy protections or access rights, that law takes precedence. Federal laws like those related to national security or military operations can also override HIPAA.

Does HIPAA apply to the military?

Yes, but with exceptions. HIPAA allows disclosures of PHI for specialized government functions, including military missions. For example, military command authorities may access health information necessary to carry out their duties.

When does HIPAA not apply?

HIPAA does not apply to health information that is not PHI. This includes education records covered by FERPA, employment records held by an employer in its role as an employer, de-identified health information, and health information about individuals who have been deceased for more than 50 years.

Who does HIPAA not apply to?

HIPAA applies only to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. It does not apply to entities like employers, life insurers, schools (unless they provide healthcare and transmit data electronically), or law enforcement agencies.

Who is exempt from HIPAA?

Entities not defined as covered entities or business associates are exempt. For example, most schools, employers, and law enforcement agencies are not bound by HIPAA.

Can HIPAA information be shared with law enforcement?

Yes. HIPAA permits disclosures to law enforcement in specific situations, such as complying with a court order, locating a suspect, reporting a crime, or when required by law.

Can hospitals release information to the police?

Yes, but only under HIPAA’s permitted disclosures to law enforcement. For example, hospitals can release information to comply with a warrant, to report a crime on the premises, or to help locate a suspect or missing person. They cannot release information simply because law enforcement requests it; a valid HIPAA basis must apply.

How likely is it that PHI will be disclosed in a Freedom of Information request?

Very unlikely. FOIA applies only to federal agencies. For a federal agency that is a covered entity, a FOIA request counts as a disclosure "required by law," but only to the extent FOIA actually requires release, and FOIA's Exemption 6 (and, for law enforcement records, Exemption 7(C)) lets the agency withhold information whose release would be a clearly unwarranted invasion of personal privacy. In practice agencies withhold identifiable health information on that basis.

Does FERPA or HIPAA apply to elementary student health records maintained by a healthcare provider not employed by the school?

If the records are created or maintained by a healthcare provider not employed by the school and the school does not maintain them, HIPAA applies. FERPA only applies to education records maintained by schools or school employees.

Does HIPAA permit healthcare providers to disclose PHI without authorization?

Yes, in specific circumstances. Providers may disclose PHI without authorization for treatment, payment, and healthcare operations, as well as for public health activities, law enforcement purposes, and other exceptions defined in the Privacy Rule.
