What information is exempt from HIPAA?

The HIPAA Exemption concerns the use of identifiable health information and applies when that use is already regulated under HIPAA for three specific purposes: research, healthcare operations, and public health activities. For more clarity on how these purposes interact with other laws, refer to the “HIPAA General Rule exceptions” below.

HIPAA general rule exceptions

The HIPAA General Rule exceptions clarify which law prevails when HIPAA regulations and State laws conflict. The General Rule states that, in most cases, HIPAA takes priority over State law. However, several exceptions exist, including situations where State law:

  • Has stricter privacy provisions or patient rights
  • Requires reporting to public health agencies
  • Imposes reporting for audit purposes

The primary challenge for HIPAA Covered Entities usually arises from the first exception, because many states have laws with more stringent privacy provisions than HIPAA. These laws may apply only to specific types of health information (e.g., HIV-related data), specific situations (e.g., emergency care), or certain entities (e.g., pharmacists), so a Covered Entity has to identify which State provisions reach which of its records.

The other two General Rule exceptions can cause significant challenges as well and should not be treated lightly. If State law permits PHI disclosures to state and federal agencies, the information you share can become subject to Freedom of Information requests. If such a request reveals that you disclosed more PHI than was necessary, you may have violated HIPAA.

Situations covered by these exceptions include various vital activities, such as:

  • Public health, and in emergencies affecting life or safety
  • Research
  • Oversight of the healthcare system, including licensing and regulation
  • Identification of a deceased person’s body or investigation of the cause of death
  • Workers’ compensation
  • Medical examiner
  • Judicial and administrative proceedings
  • Law enforcement
  • Informing next of kin
  • Directories
  • Other situations where the use or disclosure is mandated by other laws (i.e., state and local)
