HIPAA Exceptions: What Isn’t Covered by the Data Privacy Law?

Achieving compliance with all of HIPAA’s requirements is a major challenge—and understanding exceptions and fringe cases adds another layer of complexity and stress. 

Failing to understand HIPAA exceptions can lead to violations of HIPAA, other federal laws, or state laws. It can also lead to additional negative outcomes, like withholding important documents and information from journalists out of fear and confusion that it is covered under HIPAA, as reported in a landmark story by the Reporters Committee for the Freedom of the Press.

To help you avoid consequences like these, we’ve summarized the major exemptions to the Health Insurance Portability and Accountability Act (HIPAA) and exceptions to its rules. Most of these are exceptions to the HIPAA Privacy Rule, but some are exceptions to the General Rule, the Breach Notification Rule, and the Minimum Necessary Rule.

1. HIPAA Privacy Rule exceptions (specifically related to permitted uses and disclosures of PHI)

The HIPAA Privacy Rule permits covered entities to use or disclose protected health information (PHI) without patient authorization for treatment, payment, and healthcare operations (TPO). Aside from TPO, the rule only permits uses and disclosures under very specific circumstances.

Below is a quick rundown of these exceptions, which are described in more detail in 45 CFR § 164.512.

  • Required by law
  • Public health activities (such as reporting to a state health department or the CDC) 
  • Victims of abuse, neglect, or domestic violence
  • Health oversight activities, such as audits
  • Legal proceedings
  • Law enforcement purposes
  • Medical research
  • Workers compensation 
  • Essential government functions (such as protecting the health and safety of inmates or employees in a correctional institution)
  • Psychotherapy notes in limited circumstances (such as for the covered entity’s own training, or to defend itself in legal proceedings brought by the individual)
  • Marketing in limited circumstances (such as communications for care coordination for the individual or to recommend alternative treatments)
  • To inform next of kin, identify a body, determine cause of death, or for a medical examiner/coroner
  • To facilitate organ donation or transplants
  • To prevent serious threat to a person or the public’s health or safety

Even in these situations where a HIPAA release form is not required, disclosures must be documented in an Accounting of Disclosures log. 

Below we’ll take a closer look at some of the most notable exceptions to this rule (like law enforcement exceptions) and to other HIPAA rules.

2. State law exceptions 

Initially, when HIPAA was passed by Congress and went into effect, there was some confusion around who it applied to and when to comply—particularly for healthcare organizations in states that already had data privacy laws. This is still a point of misunderstanding today. 

45 CFR § 160.103 is meant to address that confusion. The general rule states that, in most cases when HIPAA contradicts state law, HIPAA supersedes that law. However, there are three exceptions in which a provision of the state law would supersede HIPAA:

  • The state law provides stronger data privacy provisions or patient rights: Typically only the case for a certain subset of health information in specific circumstances (e.g. HIV-related information needed for emergency care or when handled by pharmacists).
  • The state law provides for reporting information to public health agencies: For example, therapists conducting psychotherapy sessions are required by state laws to warn of imminent harm or report cases of abuse.
  • The state law requires a health plan to report information for the purpose of audits, monitoring, or licensure: For example, if a state law requires information from a health plan for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals, then it supersedes HIPAA.

Note that even in these cases when state law supersedes HIPAA, an entity that provides more PHI than the minimum necessary can still be found in violation of HIPAA.

3. Federal law exceptions

Similar to state law exceptions, there are cases in which other federal laws may supersede HIPAA. For example, public schools, colleges, and other educational institutions must comply with the Family Educational Rights and Privacy Act (FERPA). If these entities provide medical services for students and staff as a benefit of employment, they are not usually considered covered entities under HIPAA.

However, medical teaching universities that include an educational institution providing healthcare services to the public are considered hybrid entities. They must implement safeguards that isolate and protect FERPA-covered information, and do the same for HIPAA-covered PHI.

Another example is the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2), which do not allow certain uses and disclosures of PHI that the HIPAA Privacy Rule otherwise permits.

4. Law enforcement exceptions

Some state laws preempt HIPAA and require covered entities to disclose PHI to law enforcement without the patient’s authorization in specific circumstances, such as reporting gunshots, stab wounds, or other violent injuries.  

Other exceptions related to law enforcement purposes include:

  • To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer
  • To comply with a grand jury subpoena
  • To respond to an administrative request, such as an administrative subpoena or summons or a civil or an authorized investigative demand
  • To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person (although disclosures must be limited)
  • To report child abuse or neglect
  • To respond to a request for PHI about an adult victim of a crime, and the victim agrees (e.g. in cases of adult abuse, neglect, or domestic violence)
  • To alert law enforcement of potential criminal activity when responding to a situation on premises, or to an off-site medical emergency or the death of an individual under suspicious circumstances
  • To prevent or lessen a serious and imminent threat to the health or safety of an individual or the public

5. PHI exceptions

HIPAA applies to individually identifiable health information known as protected health information (PHI).

Under 45 CFR § 160.103, certain types of individually identifiable health information are not considered PHI and therefore are not protected by HIPAA. The four exceptions are:

  • FERPA-covered education records: Health information contained within education records that are covered by the Family Educational Rights and Privacy Act (FERPA) are not PHI. Example: student immunization records maintained by a school nurse as part of the school’s records.
  • Treatment records excluded under FERPA: Records described in 20 U.S.C. § 1232g(a)(4)(B)(iv) — those created and used solely for treatment of a student by a physician, psychologist, or similar professional — are excluded, provided they are not shared beyond treatment providers.
  • Employment records held by a covered entity as an employer: Information maintained by a covered entity in its role as an employer is not PHI. Example: employee health information used for FMLA leave or workers’ compensation. 
  • Records of individuals deceased more than 50 years: Individually identifiable health information of a person who has been deceased for more than 50 years is no longer considered PHI.

These four exceptions recognize that certain contexts (education, employment, historical records) already have their own privacy protections or no longer pose a meaningful risk to privacy.

6. Military exceptions

There are two notable HIPAA exceptions related to military treatment facilities and the Department of Defense (DoD).

First, military treatment facilities are HIPAA covered entities, but there are exceptions that do not apply to other types of covered entities. 

These exceptions are special circumstances in which these facilities can disclose the PHI of service members to appropriate military command authorities. These disclosures must fall under the authorized activities detailed in the Military Command Exception, outlined in the Department of Defense Health Information Privacy Regulation (DoD 6025.18-R).

These activities include but are not limited to:

  • fitness for duty determinations
  • fitness to perform a particular assignment, or
  • the service member’s ability to carry out any other activity essential for the military mission.

This exception does not require DoD healthcare providers to disclose PHI to commanders for these reasons; it only permits the disclosure. There are circumstances in which the provider would be required to notify the commander, including if they believe the service member’s condition, or its treatment, poses a serious risk of harm to the service member, to others, or to the mission.

The second HIPAA exception related to the military is listed in 45 CFR 164.500(d): HIPAA rules do not apply to the Department of Defense or any other federal agency or private sector organization working on its behalf when providing healthcare to overseas foreign national beneficiaries.

7. Financial institution exceptions

Despite the definition of a business associate in 45 CFR 160.103—which mentions a person who provides financial services to or for a covered entity—HIPAA does not generally apply to banking and financial institutions. 

Section 1179 of the Social Security Act [42 U.S.C. 1320d–8], also known as the HIPAA exemption for financial institutions, states that HIPAA rules do not apply to financial institutions that perform traditional banking and payment-related functions—such as processing checks, credit card transactions, or electronic fund transfers—on behalf of healthcare providers or patients.

However, this exception is limited. In a response to comments in the 2013 Final Rule, HHS clarified that Section 1179 exempts only “certain activities of financial institutions from the HIPAA Rules” and that a financial institution performing additional functions beyond these standard payment processing activities may be considered a business associate under HIPAA. For example, a bank or payment processor that manages accounts receivable, performs medical billing services, or handles patient data on behalf of a healthcare provider would not be exempt and would need to comply with HIPAA rules.

8. Health plan exceptions

While HIPAA generally applies to most health plans that transmit electronic protected health information (ePHI), several types are excluded. The three exceptions are:

  • Small, employer-administered group plans: Group health plans with fewer than 50 participants that are administered solely by the employer that established and maintains the plan are not covered entities under HIPAA.
  • Certain government-funded programs: Programs whose main purpose is not to provide or pay for healthcare (such as food assistance programs) or whose primary activity is directly providing care (such as community health centers or grant-making agencies) are exempt.
  • Specific insurance entities: Insurers that provide only workers’ compensation, automobile insurance, or property and casualty insurance are not subject to HIPAA.

9. HIPAA Breach Notification Rule exceptions

There are a few scenarios that technically fall under the definition of a healthcare data breach, yet the U.S. Department of Health and Human Services (HHS) makes exceptions for them. According to 45 CFR 164.402, breaches exclude:

  1. Unintentional access or use of PHI by an employee, made in good faith and within the scope of their authority
  2. Accidental disclosure of PHI between authorized persons
  3. Disclosure where the organization has a good faith belief that the person who obtained or accessed the PHI could not reasonably have retained it

If any of the three exceptions are true, then PHI is not considered “breached” and the covered entity isn’t required to notify affected parties or HHS under the Breach Notification Rule.

10. HIPAA Minimum Necessary Rule exceptions

In 45 CFR 164.502(b), HHS outlines six exceptions to the Minimum Necessary Rule:

  1. Healthcare providers making requests for PHI to provide treatment to a patient
  2. Patients making requests for copies of their own medical records
  3. Requests for PHI when there is a valid authorization
  4. Requests for PHI that are required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
  5. Requests for disclosure of PHI to HHS for complaint investigation, compliance review, or enforcement
  6. Requests for PHI that are otherwise required by law

If you are ever unsure whether HIPAA rules apply, it’s best to consult with a healthcare attorney or HIPAA compliance professional.

HIPAA Exceptions List

Understanding where HIPAA does and doesn’t apply can be challenging given the number of overlapping rules, definitions, and special cases. To make it easier, we’ve summarized the key exceptions and exemptions covered in this article below.

Use this table as a quick reference list to see which entities, records, and activities fall outside HIPAA’s scope and under what circumstances.

| HIPAA exception | Description | Examples | Source |
|---|---|---|---|
| Privacy Rule | Permitted uses and disclosures without authorization beyond treatment, payment, and operations | Public health reporting; law enforcement requests; legal proceedings; organ donation; preventing serious threats | 45 CFR §164.512 |
| State Law | When state law provides stronger privacy protections, requires reporting, or supports oversight | HIV status reporting; mandatory abuse reporting; public health surveillance | 45 CFR §160.103 |
| Federal Law | When another federal law takes precedence over HIPAA | FERPA education records; Substance Use Disorder (SUD) treatment confidentiality | 45 CFR §160.103; 42 CFR Part 2 |
| Law Enforcement | Specific permitted disclosures for law enforcement purposes | Court orders; subpoenas; identifying suspects; reporting crimes on premises | 45 CFR §164.512(f) |
| PHI | Four categories not considered PHI | FERPA education records; treatment records under FERPA; employment records; records > 50 years old | 45 CFR §160.103 |
| Military | Limited disclosure for military mission and exception for DoD | Fitness-for-duty determinations; DoD exception when providing care to overseas foreign national beneficiaries | DoD 6025.18-R; 45 CFR §164.500(d) |
| Financial Institutions | Banks/financial institutions performing traditional payment processing are exempt | Authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums | Section 1179 of the Social Security Act [42 U.S.C. 1320d–8] |
| Health Plan | Specific health plan types excluded | Employer-only group plans < 50 participants; non-healthcare government programs; workers’ compensation insurers | 45 CFR §160.103 |
| Breach Notification Rule | Exceptions to breach definition | Unintentional access; inadvertent disclosure; non-retained PHI | 45 CFR §164.402 |
| Minimum Necessary Rule | Six permitted exceptions | Treatment purposes; patient requests; valid authorizations; legal requirements; HHS compliance reviews; transactions/administrative simplification | 45 CFR §164.502(b) |

This post was originally published in February 2023 and has been updated on October 7, 2025 for comprehensiveness.

FAQs

Who is exempt from HIPAA?

Entities that are not healthcare providers, health plans, or healthcare clearinghouses, and do not otherwise meet the definition of a business associate, are not covered by HIPAA. This includes employers, life insurance companies (when not acting as health plans), workers' compensation carriers, many schools and school districts, many state agencies like child protective services, and many law enforcement agencies.

What is exempt from HIPAA?

HIPAA does not apply to all health information, just as it does not apply to all entities that handle health-related information. Exemptions include:

  • De-identified Health Information: Information that has had all personally identifiable information removed, meeting the HIPAA Privacy Rule's standards for de-identification, is not covered by HIPAA. There are two methods to achieve de-identification: the Expert Determination Method and the Safe Harbor Method.
  • Employment Records: Employment records held by a covered entity in its role as an employer are exempt from HIPAA. This includes employment-related information that the covered entity maintains in its human resources department.
  • Educational Records: Records covered by the Family Educational Rights and Privacy Act (FERPA) are exempt from HIPAA. This includes educational records like grades and transcripts that are directly related to a student and maintained by an educational institution or party acting on its behalf.

What are specific examples of health data that are not considered PHI and are exempt from HIPAA?

Beyond the four legal exceptions, certain types of health-related data are not considered PHI because they are not created, received, maintained, or transmitted by a covered entity or business associate. This means HIPAA does not apply to them — though other privacy laws or company policies may.

For example, a fitness app that tracks a user’s heart rate, sleep patterns, activity levels, or calorie consumption does not constitute PHI. 

Below are other examples where health data is not classified as PHI:

  • Appointment inquiries: Names and phone numbers of potential patients who call to make an appointment are not considered PHI, because no health information is associated with them. Once that person formally becomes a patient, however, that data becomes PHI and is protected.
  • Wearable devices: Data collected by wearable devices including heart rate monitors or smartwatches is not PHI. 
  • Health and fitness apps: Data collected by or entered into a mobile fitness or health app is not PHI. 
  • De-identified PHI used for statistics or research purposes: Organizations sometimes use de-identified PHI for statistics or research purposes. This health data has had all personal identifiers removed and cannot be linked to a specific individual so it is no longer considered PHI.

What are the three exceptions to the breach definition?

Under the HIPAA Breach Notification Rule, there are specific situations where an unauthorized use or disclosure of protected health information (PHI) is not considered a breach. These exceptions are:

  • Unintentional Acquisition, Access, or Use by Workforce Members: If a workforce member of a covered entity or business associate unintentionally acquires, accesses, or uses PHI in good faith and within the scope of their authority, and the information is not further used or disclosed in a manner not permitted by the Privacy Rule, it is not considered a breach.
  • Inadvertent Disclosure Between Persons Authorized to Access PHI: If the unauthorized disclosure of PHI occurs inadvertently between two individuals who are both authorized to access PHI at the same covered entity or business associate (or organized healthcare arrangement), and the information is not further used or disclosed in a manner not permitted by the Privacy Rule, it is not considered a breach.
  • Disclosure to Unauthorized Person Where PHI is Not Further Disclosed: If a covered entity or business associate discloses PHI to an unauthorized person, but the entity or associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information, it is not considered a breach.