The Three Exceptions to a HIPAA Breach | HIPAAtrek (2024)

Many people have a “better safe than sorry” mentality when it comes to privacy and HIPAA breaches. Similar to how doctors, nurses, and technicians often consider incidental disclosures to be privacy violations, many privacy officers consider any impermissible disclosure to be a breach. However, there are three exceptions to a breach that all staff members should be aware of.

1. Unintentional Acquisition, Access, or Use

The first exception to a breach is when an employee unintentionally acquires, accesses, or uses protected health information (PHI) in good faith within the scope of their authority, and they do not further disclose the PHI in a manner not permitted by the rule.

For example, a technician might accidentally open the wrong patient chart while carrying out her authorized duties. Her viewing of PHI was both unintentional and during the course of her duties; therefore, the exception applies. However, if the technician opened the chart to snoop, she is acting deliberately and not in good faith, making the viewing of PHI a breach.

Additionally, if the technician shares the PHI she accidentally saw in an unallowable way, such as gossiping, then this is a breach. The only time when it’s okay to further disclose the information is if it’s used for the patient’s treatment. In this case, the exception applies.

2. Inadvertent Disclosure to an Authorized Person

The second exception to a breach is when a person authorized to access PHI accidentally shares PHI with another authorized person at the same organization, and PHI is not further disclosed in a manner not permitted by the rule.

For example, a nurse emails the wrong lab results to a doctor, and the doctor tells him that it’s the wrong file and deletes the email. The exception applies here because the disclosure was inadvertent, both the nurse and the doctor are authorized to access PHI, they both work at the same hospital, and the doctor didn’t further share the information.

3. Inability to Retain PHI

The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information wouldn’t have been able to retain it.

For example, a clinic mails explanation of benefits (EOB) letters to the wrong people, and the post office returns some of the letters unopened. Most likely, the addressees didn’t see or retain the information inside these envelopes, so the exception applies. However, the EOBs that weren’t returned should be treated as potential breaches.

The key to this exception is whether or not the unauthorized person is able to retain the information. For example, a pharmacy may hand out the wrong prescription, and the patient returns the prescription before leaving the building. In this case, the pharmacy can make an on-the-spot assessment as to whether the patient was able to retain any of the other patient’s information, such as their name or date of birth.

In Summary

Human errors are common, and not all disclosure errors threaten the privacy of PHI. If every impermissible disclosure were treated as a breach, healthcare would become gridlocked. Therefore, the HIPAA Privacy Rule allows these three exceptions to a breach.

Next time a potential breach comes to light, don’t jump to conclusions. First, gather all the facts and see whether or not an exception applies. If one does, document the incident and the exception you applied and keep it on record. If none of the exceptions apply, conduct the four-factor breach assessment to determine the risk level.

Check out our Breach Notification Letter Template!

Our free template makes it easy to create a compliant breach notification letter.

Gain Peace of Mind With the Right HIPAA Compliance Tool

When a potential HIPAA violation comes to your attention, you can use the Breach Risk Assessment Tool in our HIPAA management software to discover whether or not the incident was a breach. The tool will guide you through applying the exceptions to a breach and evaluating your risk level.

If a breach did occur, you can record the details in the Breach Notification Log with the click of a button. If a breach did not occur, you can record the incident in the Security Incident Log, along with a description of what you did to mitigate the incident.

To learn more about how HIPAAtrek can help you create a culture of compliance at your organization, request a personalized demo or reach out to us at support@hipaatrek.com.

FAQs

What are the exceptions to the HIPAA policy?

General HIPAA exceptions

One example is for teaching universities where an educational institution might provide healthcare services to the public. Another exception is for military doctors who may be required to disclose PHI when reporting on a patient's fitness for duty.

What is exempt from the HIPAA Security Rule?

Life insurers, employers, workers' compensation carriers, most schools and school districts, many state agencies like child protective service agencies, most law enforcement agencies, and many municipal offices are exempt from the HIPAA Security Rule, even though they may have health information about you.

What are 3 ways of violating HIPAA?

What are 3 common HIPAA violations? The 3 most common HIPAA violations according to HHS' Enforcement Highlights report are impermissible uses and disclosures of PHI, a lack of safeguards for PHI, and the lack of patient access to PHI.

What are HIPAA exceptions to authorization?

Examples of HIPAA Privacy Rule exceptions:

Covered entities may also use and disclose protected health information without individual authorization for certain public interest-related activities. These include oversight of the healthcare system, including licensing and regulation.

What are the three exceptions to a HIPAA breach?

However, there are exceptions to HIPAA breach notifications that healthcare providers and other covered entities should be aware of, such as unintentional access, accidental disclosure, or an inability to retain the information.

What is the exception to HIPAA for crimes?

HIPAA Law Enforcement Exception Defined

If a court order, court-ordered warrant, subpoena or administrative request has been issued. To identify or locate a suspect, fugitive, material witness or missing person. To answer a law enforcement official's request for information about a victim or suspected victim of a crime.

What is HIPAA Rule 3?

HIPAA Rule 3: The Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification of a breach involving unsecured PHI. A breach is any impermissible use or disclosure of PHI under the Privacy and Security Rules.

Which of the following 3 are considered HIPAA violation penalties?

What are the penalties for violating HIPAA?

Culpability | Minimum Penalty per Violation | Annual Cap
1. No knowledge | $100 | $25,000
2. Reasonable cause | $1,000 | $100,000
3. Willful neglect, timely corrected | $10,000 | $250,000
4. Willful neglect, not timely corrected | $50,000 | $1,500,000

What qualifies as a HIPAA breach?

A breach of HIPAA is considered to be any acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information.

What are the allowable HIPAA exceptions in emergency situations?

HIPAA Emergency Exception

The Privacy Rule authorizes HIPAA exceptions during emergencies when treating an individual patient or for public health safety. During such a situation, security becomes a top priority over patient privacy. The HIPAA Privacy Rule is not suspended during a national or public health emergency.

Which of the following are exceptions to the confidentiality requirement under HIPAA?

HIPAA is an act that is in place to protect a patient's privacy. There are some situations that are exempt from that confidentiality, such as child abuse, elder abuse, gunshot wounds, and abortions (when required by a court).

What is the command exception to HIPAA?

Under the HIPAA Military Command Exception, a covered entity may disclose the PHI of service members for authorized activities to appropriate military command authorities. This exception does not require covered entities to disclose PHI to commanders; it only permits the disclosure.

Under what circumstances does HIPAA not apply?

HIPAA does not apply to healthcare services and facilities that do not conduct covered transactions. Standard disclosure rules do not apply to substance use disorder patient records. State laws can also override HIPAA on the non-disclosure of psychotherapy notes.

What are the exceptions to the HIPAA minimum necessary standard?

Are there exceptions to the HIPAA minimum necessary standard? The minimum necessary standard does not apply to the following: disclosures to or requests by a health care provider for treatment purposes; disclosures to the individual who is the subject of the information.

What is the public safety exception to HIPAA?

As a physician, you may — when consistent with applicable law and standards of ethical conduct — use or disclose PHI if you believe in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.

Article information

Author: Nathanael Baumbach