HIPAA exceptions are a key part of the Health Insurance Portability and Accountability Act: the Act sets standard rules for protected health information (PHI) but permits specific exceptions to those rules, which gives covered entities flexibility in defined situations.
The HIPAA Omnibus Rule, for example, includes an exception for treatment, payment, and healthcare operations. This means that covered entities can use PHI for these purposes without obtaining patient authorization.
A central requirement of HIPAA compliance is that PHI is properly secured and protected. This includes implementing administrative, technical, and physical safeguards to prevent unauthorized access.
Protected Health Information
Protected health information (PHI) is a crucial concept in the healthcare industry, but it's not always clear what constitutes PHI. Any PHI created, stored, accessed, or transmitted by covered entities and business associates is protected under HIPAA.
There are exceptions to the definition of PHI, however. For example, a fitness app that tracks a user's heart rate, sleep patterns, activity levels, or calorie consumption does not constitute PHI.
Appointment inquiries, such as the names and phone numbers of potential patients, are also not considered PHI as long as no health information is associated with them. Once that person formally becomes a patient, however, that data becomes PHI.
Employee and education records are not considered PHI even when they contain health details such as known allergies, blood type, or disabilities, because HIPAA excludes employment and education records from its definition of PHI.
Wearable devices, such as heart rate monitors or smartwatches, do not collect PHI. The same applies to data that health and fitness apps collect or that users enter into them.
De-identified PHI, which has had all personal identifiers removed and cannot be linked to a specific individual, is no longer considered PHI. This type of data can be used for statistics or research purposes.
Here are some examples of when data is not considered PHI:
- Appointment inquiries: Names and phone numbers of potential patients who call to make an appointment are not considered PHI.
- Employee and education records: Any records regarding employee or student health are not considered PHI.
- Wearable devices: Data collected by wearable devices is not PHI.
- Health and fitness apps: Data collected by or entered into a mobile fitness or health app is not PHI.
- De-identified PHI: Health data that has had all personal identifiers removed and cannot be linked to a specific individual is no longer considered PHI.
Exceptions to HIPAA
Exceptions to HIPAA exist in various areas, including law enforcement, state laws, and specific scenarios.
If a state law is more restrictive than HIPAA, it takes precedence. For instance, if a state law requires more stringent protection of patient data, covered entities must follow the state law.
There are six exceptions to the Minimum Necessary Rule, which include requests for PHI to provide treatment, patient requests for copies of their own medical records, and requests for disclosure of PHI to HHS for complaint investigation.
Here are the six exceptions to the Minimum Necessary Rule:
- Healthcare providers making requests for PHI to provide treatment to a patient
- Patients making requests for copies of their own medical records
- Requests for PHI when there is a valid authorization
- Requests for PHI that are required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
- Requests for disclosure of PHI to HHS for complaint investigation, compliance review, or enforcement
- Requests for PHI that are otherwise required by law
Additionally, there are exceptions to the Breach Notification Rule, including unintentional access to or use of PHI by an employee, accidental disclosure of PHI between authorized persons, and situations where the organization has a good-faith belief that the person who obtained or accessed the PHI will not retain or compromise the data.
What Does It Cover?
HIPAA covers a wide range of healthcare entities and information, including medical records, health insurance information, and electronic financial transactions. The rules apply to all healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
HIPAA also extends to Business Associates (BAs) that contract with covered entities, so that sensitive patient information is protected across the board.
HIPAA protects identifying patient information, including medical records and health insurance information.
Authorization Expiration Date Required
An Authorization must include an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
The expiration date can be set for a specific period, such as "one year from the date the Authorization is signed".
An Authorization remains valid until its expiration date or event, unless the individual revokes it in writing before that date or event.
The expiration date on an Authorization can exceed a time period established by State law, but a more restrictive State law would control how long the Authorization remains effective.
Law Enforcement
A HIPAA-covered entity can disclose PHI to law enforcement or for judicial proceedings.
In certain situations, such as police using sensitive data to locate a suspect or to aid in an investigation, entities may release PHI, but only the minimum amount needed.
These exceptions do not grant blanket permission to release information.
Entities must release only the minimum amount of PHI needed to achieve the stated purpose.
Provider Disincentives
The U.S. Department of Health and Human Services (HHS) has established disincentives for healthcare providers who knowingly and unreasonably interfere with the access, exchange, or use of electronic health information (EHI).
These disincentives are implemented under the 21st Century Cures Act, which gives the HHS Secretary authority to establish penalties for providers who block access to EHI.
The HHS Office of Inspector General (OIG) will identify providers who have committed information blocking, and those providers will face disincentives.
HHS has released the final rule on provider disincentives, together with a press release and a recorded information session.
An overview of the disincentives final rule and a set of common questions about it are both available in PDF format; the overview summarizes the rule, and the common questions answer frequently asked questions about it.
NPP Frequency for the Same Patient
You are likely to give the same patient a Notice of Privacy Practices (NPP) only once, assuming your privacy notice contains a statement reserving the right to make changes.
Direct treatment providers that are covered entities must post their privacy notice prominently in their facility.
You must update the posted notice and all copies if you change the notice, making sure each shows the effective date.
This ensures that patients are aware of any changes to your privacy notice.
Information Blocking
Information blocking is a practice by an actor that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception.
The Cures Act applied the law to healthcare providers, health IT developers of certified health IT, and health information exchanges (HIEs)/health information networks (HINs). It established two different "knowledge" standards for actors' practices within the statute's definition of "information blocking."
For health IT developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.
The exact regulatory definition of Information Blocking can be found in the Code of Federal Regulations in 45 CFR 171.103.
State Law and HIPAA
HIPAA and state laws sometimes conflict, but the general rule is that a state law that is more protective of the patient takes precedence over HIPAA.
A state law that is more restrictive than HIPAA prevails. If a state law is more protective, you must follow it; if it is less stringent, you must follow HIPAA.
Covered entities must always follow the minimum necessary rule, which requires them to use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose.
If a state law contradicts HIPAA and is not more stringent, HIPAA preempts it and you must follow HIPAA.