The objective of HIPAA is not just to protect patient privacy. The Act is also designed to improve healthcare functions and enhance performance in the healthcare sector. Covered entities that do not know the HIPAA exceptions may apply the regulations more strictly than required, possibly stifling healthcare operations and hurting efficiency.
This article will highlight some of the most common exceptions. Covered Entities are encouraged to get expert compliance guidance to determine others that may be appropriate to their particular situations.
HIPAA General Rule Exceptions
The first HIPAA exceptions are mentioned in the General Rule (45 CFR § 160.102). According to the General Rule, when there is a conflict between HIPAA and State legislation, HIPAA takes priority. Nonetheless, the General Rule states several exceptions under which State legislation preempts HIPAA, including when the State legislation:
- Has stricter privacy terms than HIPAA
- Provides for the reporting of data to public health organizations
- Calls for a health plan to report data for audit reasons, etc.
The first exception has caused more difficulties for HIPAA Covered Entities than the others. This is because almost every state has a law on the privacy of patient data with stricter privacy terms than HIPAA. Nonetheless, many state laws apply to just one component of privacy data (e.g., HIV-related data), only in particular situations (e.g., for emergency care), or just to particular entities (e.g., pharmacists).
The 2nd and 3rd General Rule exceptions may likewise be troublesome for Covered Entities. Even if a State law allows a number of disclosures of PHI to state and government institutions, the information given to state and federal organizations may be accessed through Freedom of Information requests. When a Freedom of Information request shows that the Covered Entity has given far more PHI than the minimum required, the Covered Entity would be in violation of HIPAA.
Other usages of the word “exception” in HIPAA refer to exclusions from transaction requirements and/or medical code sets. Nevertheless, it is worth remembering that exceptions also exist to the right to revoke a patient's consent for the disclosure of PHI and to the requirement about who must be given Notices of Privacy Practices (e.g., inmates of correctional institutions). Covered Entities with public-facing operations should be acquainted with these HIPAA exclusions.
Other State and Government HIPAA Exceptions
The relationship between HIPAA and other federal and state legislation can make HIPAA compliance more complicated because of several HIPAA exceptions. One example of this kind of complicated relationship is the one between HIPAA, the Texas Medical Records Privacy Act (as modified by HB300), and the Family Educational Rights and Privacy Act (FERPA).
In general, public schools, universities, and other educational organizations that offer medical services for students and employees (as a job benefit) are not regarded as Covered Entities under HIPAA. This is because medical treatments given to students are categorized as academic records and covered by FERPA, whereas medical services given to staff are categorized as non-portable benefits.
Complications arise when an educational organization provides medical services to the public (for example, a medical teaching college). Under these conditions, the educational organization becomes a hybrid entity and must have safeguards to segregate FERPA-covered treatment documents from HIPAA-covered PHI and implement two sets of guidelines for employees.
If the educational organization is covered by the Texas Medical Records Privacy Act, all medical treatment documents associated with students, employees, and the public are governed by HIPAA-esque privacy requirements. This is made even more complex by the Texas Medical Records Act covering all citizens of Texas irrespective of their location. As a result, a medical teaching college or university in New York may have to comply with 3 different regulations if it enrolls mature students from Texas.
Operational and Occupational Exceptions
There are operational and occupational exceptions to HIPAA that can apply in several different conditions. For instance:
- Ambulance services that generate electronic billing are covered by HIPAA; however, in counties with no electronic billing, HIPAA is not applicable to ambulance services.
- Certain uses and disclosures of PHI permitted by the Privacy Rule aren’t permitted by the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).
- Exceptions to the privacy specifications for psychotherapy notes apply if state legislation imposes a duty to report (e.g., abuse) or a duty to warn (e.g., of imminent harm).
- Exceptions to the right of a patient to an accounting of disclosures apply when a Covered Entity is instructed not to disclose the data by a health oversight bureau or law enforcement official.
HIPAA exceptions also exist in the military. Military treatment facilities are considered HIPAA Covered Entities; nonetheless, under the Military Command Exception, healthcare experts are permitted to disclose PHI to command authorities without the authorization of the patient in order to state the patient’s fitness for duty, fitness to carry out a task, or fitness to execute another task required for a military mission.