HIPAA Privacy Exceptions

Critics of the HIPAA regulations have been crying about the unnecessary regulatory burden to anyone who will listen ever since its advent.

A common complaint is that HIPAA’s purpose was partially to improve access to critical health data, but instead hamstrings medical providers’ ability to respond to unusual circumstances.

(Want to know more about allowable disclosures in typical circumstances? Check out our article on HIPAA TPO Allowable Disclosures!)

This issue has once again surfaced in the public discourse after Hurricane Harvey and the 2017 Las Vegas Shooting, in which thousands of victims sought emergency health care during a chaotic crisis.

In this article, we’ll set the record straight about the specific circumstances and events in which HIPAA privacy requirements can be waived or where HIPAA privacy exceptions exist, both in times of crisis and within normal patient care.

Patient Care During A Crisis

Historically, misreporting and misinformation about privacy laws during mass casualty events have added confusion to the chaos as providers grapple with whether or not to release information to relatives of patients and the press.

However, the HHS has the power to waive sanctions and penalties for providers that violate certain provisions during a health crisis or national emergency, giving providers the flexibility they need to take action.

As a provider, the ability to act quickly and confidently in these situations can allow you to give better care to your community in times of need.

National Emergencies

National emergencies grip the nation’s attention as family members and the public alike search for information about those in harm’s way.

For a privacy waiver (or HIPAA privacy exception) to go into effect in this circumstance, two things must happen.

  1. The President must declare an emergency or disaster;
  2. The HHS Secretary must declare a public health emergency.

Interestingly enough, this isn’t technically a waiver of HIPAA, but actually a waiver of any possible sanctions that would result from violating certain sections of the Privacy Rule.

But don’t consider it a free pass for lawlessness.

The only sections for which sanctions are waived during a national emergency are as follows:

  1. The requirements to obtain a patient’s agreement to speak with family members or friends involved in a patient’s care (45 CFR 164.510(b))
  2. The requirement to honor a request to opt out of a facility directory (45 CFR 164.510(a))
  3. The requirement to distribute a notice of privacy practices (45 CFR 164.520)
  4. The patient’s right to request privacy restrictions (45 CFR 164.522(a))
  5. The patient’s right to request confidential communications (45 CFR 164.522(b))

The fact that the President must declare a disaster and the HHS Secretary must declare a public health emergency is an important aspect to note. The President rarely declares a disaster for man-made occurrences.

Therefore, despite the fact that the HHS Secretary may want to provide a waiver in a situation like the Las Vegas shooting, they are unable to.

Even though HIPAA penalties aren’t waived, providers still have recourse within the normal boundaries of the law. The Privacy Rule states that in the case of a “severe disaster”, covered entities are allowed to locate and notify family members and guardians of patients’ location and status.

The Opioid Crisis

In October 2017, President Trump declared the opioid addiction crisis a national public health emergency.

In accordance with the President’s announcement, the OCR released new HIPAA guidance for the opioid crisis which gives providers leeway in informing family members about the opiate use of incapacitated patients. If a patient is incapacitated, the HIPAA privacy exception allows doctors to give more information about an opioid overdose than is strictly necessary for the course of treatment.

The individuals allowed to receive this information are limited to family members and other people who could prevent or lessen a threat to the patient’s safety. However, if the patient does have decision-making capacity, the provider must give the patient the opportunity to decide whether or not they want this information disclosed to others.

Regular Patient Care

Communication Between Medical Providers

Providers are allowed to communicate with each other, in no uncertain terms.

There is a great deal of confusion around this provision, and providers often err on the side of safety and limit the amount of information they share. However, the Privacy Rule does not put any limit on the amount or type of PHI that providers are allowed to share between themselves, as long as the sharing is for treatment, payment, or clinical operations.

The communications do not have to remain within the same organization and can occur between providers at different covered entities in writing, by phone, fax, e-mail, or otherwise, as long as proper security protocols have been observed.

Academic Studies

Under the Privacy Rule, academic Institutional Review Boards (IRBs) may waive authorization requirements for scientific studies that meet specific criteria. The authorization requirements state that a covered entity may not use or disclose PHI without the explicit consent of the subject of that PHI.

However, this is far from a blank check for mad science.

Waivers for academic studies are only approved for studies in which obtaining authorization would be a financial or logistical impediment. For example, when a research data set containing PHI is missing contact information, it would be difficult or impossible for the researchers to obtain consent from those individuals.

Additionally, the criteria dictate that a waiver may only be used for studies that pose minimal risk to the privacy of the individuals involved and that absolutely cannot be completed without the waiver.

Public Health Disclosures

The Privacy Rule allows covered entities to disclose PHI, without authorization, to public health authorities. This means that any information that a provider reports to an authorized public health authority can be disclosed without patient authorization or a specific waiver.

Some examples include:

  1. The reporting of a disease or injury;
  2. Reporting vital events, such as births or deaths;
  3. Conducting public health surveillance, investigations, or interventions.

Additionally, there are a few other public health instances in which PHI can be disclosed without authorization to entities other than public health authorities, such as:

  • Child abuse or neglect
    • A covered entity may report to social services or law enforcement.
  • Quality, safety, or effectiveness of a product or activity regulated by the FDA
    • May be reported to any entity involved with the product, as long as that entity is under the jurisdiction of the FDA.
  • Workplace medical surveillance
    • May be reported to an employer in fields that are required by law to conduct medical surveillance, such as natural resource mining.
  • Contagious disease exposure
    • May be reported swiftly to those people at risk, if the covered entity is legally authorized to do so in order to prevent the spread of disease.

  • Don’t believe the HIPAA haters when they say that HIPAA is severely limiting provider response.
  • Lawmakers have taken the time to address multiple situations in which exceptions to the Privacy Rule are acceptable. Maintaining a thorough knowledge of these circumstances is essential if you want your organization to stay agile while remaining in compliance with the law.

Are you still unsure about staying compliant in normal (or abnormal) circumstances?

Give Gazelle Consulting a call at (503)-389-5666! We are here to answer all of your questions and ensure that HIPAA compliance doesn’t feel like a (gazelle’s) horn in your side.