Yes, HIPAA has many exceptions. The Health Insurance Portability and Accountability Act sets strong privacy rules, but federal law also lists dozens of times when protected health information (PHI) can be shared without a patient’s written permission. These exceptions live mostly in 45 CFR 164.512, with more rules spread across the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The core problem is that health data is both deeply private and urgently useful. Doctors need to treat patients, insurers need to pay claims, police need to solve crimes, and public health agencies need to stop disease spread. The HHS Office for Civil Rights enforces HIPAA, and a wrong disclosure can trigger civil penalties that reach over $2.1 million per violation category per year after the 2026 inflation adjustment.
According to the 2024 OCR Report to Congress, OCR received more than 67,000 HIPAA complaints in a single year, and misunderstanding the exceptions drives a large share of them.
Here is what you will learn in this guide:
- Every major HIPAA exception under federal law and how each one works in real life
- The exact statutes, regulations, and court rulings that create each exception
- How law enforcement, courts, and subpoenas fit into the Privacy Rule
- How research, public health, and the 2024 Reproductive Health Final Rule change disclosures
- The most common mistakes that trigger OCR penalties and how to avoid them
What HIPAA Actually Protects
HIPAA protects protected health information held or sent by a “covered entity” or its “business associate.” Covered entities are health plans, health care clearinghouses, and most health care providers that bill electronically, as defined in 45 CFR 160.103. Business associates are vendors like billing companies, cloud hosts, and transcription services that touch PHI on behalf of a covered entity.
The Privacy Rule at 45 CFR Part 164, Subpart E controls uses and disclosures of PHI. The Security Rule at Subpart C controls electronic PHI safeguards. The Breach Notification Rule at Subpart D controls what happens after a leak.
Why Exceptions Exist at All
Congress built HIPAA in 1996 to move health records into the digital age without stripping patient trust. Lawmakers knew a pure “no sharing ever” rule would block treatment, payment, and public safety. So the statute told HHS to write permitted disclosures into the rules.
The plain-English idea is simple. Most sharing needs patient authorization. But some sharing is so important that the law allows it without asking, as long as the covered entity follows strict limits.
The consequence of ignoring these limits is severe. OCR can fine a covered entity up to $2,134,831 per identical violation per calendar year for willful neglect. A common misconception is that any sharing “for a good reason” is safe, but the good reason must match a specific regulatory exception.
The “Minimum Necessary” Rule Still Applies
Even when an exception permits disclosure, the covered entity must still share only the minimum necessary PHI. This rule comes from 45 CFR 164.502(b) and 45 CFR 164.514(d).
Treatment disclosures to other providers are exempt from minimum necessary, because full context helps care. Disclosures required by law are also judged against the specific law, not this standard. Everything else must be narrowed.
For example, if a subpoena asks for “all records,” the privacy officer should push back and release only the records that match the legal request. Over-disclosure, even during a valid exception, is itself a HIPAA violation.
The Treatment, Payment, and Operations Exception
The biggest HIPAA exception is the “TPO” rule in 45 CFR 164.506. Covered entities can use and disclose PHI for their own treatment, payment, and health care operations without patient authorization.
Treatment means care coordination between providers. Payment means billing, claims, and eligibility checks. Operations means quality reviews, accreditation, training, audits, and fraud detection.
Treatment Sharing Between Providers
A hospital can fax records to a specialist the patient will see next week. A pharmacist can call the prescriber to check a dose. An ambulance crew can hand a chart to the ER team.
The consequence of blocking these flows would be dangerous gaps in care. A common misconception is that patients must “sign a release” before any provider-to-provider sharing, but TPO already allows it.
For example, Maria Lopez breaks her wrist at a ski resort. The ER sends her X-rays to an orthopedic surgeon near her home. No signed authorization is needed because this is treatment under 45 CFR 164.506(c)(2).
Payment and Insurance Disclosures
Providers share PHI with health plans to get paid. Health plans share PHI with providers to confirm benefits. Both directions are covered by the payment exception.
This extends to collections agencies working on medical debt, as long as a business associate agreement is in place. The consequence of treating payment disclosures as needing authorization would be total billing chaos.
A common misconception is that a hospital needs the patient’s signature to tell the insurer about a diagnosis. The patient’s acknowledgment of the Notice of Privacy Practices already covers this routine flow.
Health Care Operations Activities
Operations covers many back-office tasks. Examples include internal audits, legal reviews, and quality-of-care studies. It also covers training students and interns with real records.
A covered entity can share PHI with another covered entity for the second entity’s operations only in narrow cases. These include quality assessment and fraud detection, and only if both entities have or had a relationship with the patient.
The consequence of misreading this narrow subset is common. Many hospitals wrongly believe they can share operations data freely with any other hospital, but the rule under 45 CFR 164.506(c)(4) is far tighter.
Public Health Exceptions
Public health sharing is authorized under 45 CFR 164.512(b). Covered entities can disclose PHI to public health authorities like the Centers for Disease Control and Prevention or state health departments to prevent or control disease, injury, or disability.
This includes disease reporting, vital statistics, child abuse surveillance, and FDA-regulated product tracking. During the COVID-19 public health emergency, OCR issued enforcement discretion bulletins that widened these disclosures further.
Disease Reporting and Surveillance
Every state requires reporting for certain diseases like tuberculosis, measles, and HIV. HIPAA does not block this reporting. In fact, it expressly permits it.
The consequence of refusing to report is state-law liability, and HIPAA offers no defense. A common misconception among new providers is that HIPAA forbids disease reporting, but the opposite is true.
For example, Dr. Ethan Park, a family physician, diagnoses a child with measles. He reports the case to the county health department within 24 hours, as required by state law, and HIPAA allows the disclosure.
FDA and Product Safety
Manufacturers of drugs and devices can receive PHI to track adverse events, product defects, and recalls. This flows from 45 CFR 164.512(b)(1)(iii).
The exception allows reporting to the FDA MedWatch system. It also allows post-market surveillance studies required by the FDA.
A common misconception is that pharma companies can pull any patient data they want “for safety.” The rule is tightly tied to FDA-regulated products and specific safety tasks.
Workplace Medical Surveillance
Employers sometimes receive findings from workplace medical exams and injury reports. This is allowed when the employer needs the data to comply with OSHA or the Mine Safety and Health Administration.
The provider must give the employee a written notice that the information will go to the employer. The consequence of skipping this notice is a straightforward HIPAA violation, even though the underlying disclosure would otherwise be lawful.
Law Enforcement and Judicial Exceptions
HIPAA allows many disclosures to police, courts, and other legal actors under 45 CFR 164.512(e) and (f). These rules are the most misunderstood in the entire Privacy Rule.
Covered entities can share PHI in response to court orders, grand jury subpoenas, and certain administrative demands. They can also help identify or locate suspects, victims, and missing persons, with real limits.
Court Orders vs. Subpoenas
A court order signed by a judge allows disclosure of the PHI described in the order. A plain attorney-issued subpoena does not, unless extra safeguards are met.
Those safeguards include either a qualified protective order or satisfactory assurances that the patient was notified and had a chance to object. This comes from 45 CFR 164.512(e)(1)(ii).
The consequence of releasing records on a bare subpoena is a classic OCR enforcement target. A common misconception is that any legal-looking document forces disclosure, but a subpoena alone rarely does.
Identifying Suspects and Victims
Police can ask for limited information to identify or locate a suspect, fugitive, material witness, or missing person. The allowed fields are narrow: name, address, date and place of birth, Social Security number, ABO blood type, date and hour of treatment, and a short description of distinguishing physical characteristics.
Providers cannot release DNA, dental records, or tissue samples under this request. Those require a court order or warrant.
For example, Officer Daniel Kim asks a hospital if a robbery suspect matching a description came in with a gunshot wound. The hospital can confirm basic identifying facts under 45 CFR 164.512(f)(2), but not the full medical chart.
Crime Victims and Crimes on Premises
Providers can report suspected crimes that occur on their own premises to law enforcement. They can also report wounds or injuries that state law requires to be reported, such as gunshot or stab wounds.
Disclosures about a crime victim generally require the victim’s agreement, unless the victim is incapacitated and law enforcement shows that the information will not be used against the victim. The consequence of skipping the victim-agreement step is a privacy breach.
Serious Threat to Health or Safety
A covered entity can disclose PHI when it believes, in good faith, that disclosure is necessary to prevent or lessen a serious and imminent threat. The rule is at 45 CFR 164.512(j).
The disclosure must go to someone able to prevent the threat, such as the intended victim or law enforcement. This is the HIPAA cousin of the Tarasoff duty to warn from California case law.
Duty to Warn in Mental Health
Mental health providers often face this question. If a patient makes a credible threat against a specific person, the provider can warn that person and the police.
The disclosure is permissive under HIPAA, but many states make it mandatory. The consequence of ignoring a credible threat can be both civil liability and professional discipline.
For example, Dr. Priya Natarajan, a psychiatrist, hears her patient describe a detailed plan to harm an ex-spouse. She contacts local police and the ex-spouse, relying on both HIPAA’s safety exception and her state’s duty-to-warn statute.
Suicide and Self-Harm Risk
The same exception covers threats a patient makes against themselves. A provider can alert family members, a crisis team, or emergency services to prevent suicide.
A common misconception is that HIPAA “handcuffs” providers during a crisis. The HHS guidance on mental health and HIPAA makes clear that providers can and should act.
The consequence of hiding behind HIPAA during a foreseeable suicide is malpractice exposure. HIPAA never forces a provider to stay silent when a life is at risk.
Research Exceptions
Research disclosures are controlled by 45 CFR 164.512(i). PHI can flow to researchers without authorization under three main paths.
The paths are: Institutional Review Board or Privacy Board waiver, reviews preparatory to research, and research on decedents. Each path has its own paperwork rules and limits.
IRB or Privacy Board Waiver
An IRB can waive the authorization requirement if disclosure poses minimal risk, the research cannot practicably be done otherwise, and the research cannot practicably be done without the PHI. The IRB must document the waiver.
The consequence of using waived data outside the approved protocol is a serious compliance problem. It can also trigger federal research misconduct findings.
A common misconception is that “de-identified data is research data.” De-identified data under 45 CFR 164.514(b) is not PHI at all, so no waiver is needed.
Limited Data Sets and DUAs
A limited data set strips direct identifiers but keeps dates and some geographic data. Researchers can receive a limited data set under a Data Use Agreement, per 45 CFR 164.514(e).
The DUA binds the recipient to use, security, and re-identification rules. The consequence of violating a DUA is both a HIPAA breach and a contract breach.
For example, a university epidemiologist named Dr. Samuel Reyes receives a limited data set of heart-attack admissions from a hospital system. His DUA forbids re-identification, and he must report any misuse within a short window.
Research on Decedents
Researchers can access decedent PHI after giving the covered entity written representations that the use is solely for research on decedents and that the data is necessary. No IRB waiver is required, but documentation is.
Death does not end HIPAA protection right away. Records stay protected for 50 years after death under 45 CFR 164.502(f).
The consequence of treating recently deceased patients’ records as public is a HIPAA violation. This is a common trap for genealogy and historical research projects.
Required by Law, Abuse Reporting, and Decedents
Several exceptions exist because another law already forces disclosure. HIPAA gets out of the way rather than conflict.
45 CFR 164.512(a) covers disclosures required by law. 164.512(c) covers abuse, neglect, or domestic violence reporting. 164.512(g) covers coroners, medical examiners, funeral directors, and organ procurement.
Required by Law
If a state statute, regulation, or court mandate forces a provider to disclose, HIPAA allows it. Examples include mandatory tumor registry reporting and workers’ compensation filings.
The disclosure must match the law’s exact scope. Over-sharing because “the law says so” is a common mistake.
For example, Dr. Hannah Ogawa, an oncologist, reports a new breast cancer diagnosis to the state cancer registry. The state cancer control law requires it, so HIPAA does not block it.
Abuse, Neglect, and Domestic Violence
Providers can report suspected child abuse to state child protective services. They can also report adult abuse or neglect to the agency authorized by law.
Reports about adult domestic violence victims have stricter rules. The provider must generally get the victim’s agreement or meet narrow safety criteria.
The consequence of wrongly reporting a competent adult’s domestic violence case without agreement is both a HIPAA and a state-tort problem. The HHS OCR guidance on domestic violence lays out the analysis.
Coroners, Funeral Directors, and Organ Donation
Coroners and medical examiners get PHI to identify a decedent or determine a cause of death. Funeral directors get what they need to do their job. Organ procurement organizations get PHI to facilitate donation and transplantation.
These flows are vital and time-sensitive. The consequence of blocking them is that families cannot bury loved ones and transplant patients can lose a match.
The 2024 Reproductive Health Rule
In 2024, HHS finalized the Reproductive Health Privacy Final Rule, which took effect for most provisions by December 2024. The rule limits the use and disclosure of PHI for certain investigations related to lawful reproductive health care.
Covered entities must now obtain a signed attestation before disclosing reproductive-health PHI for law enforcement, judicial, health oversight, or coroner purposes in many situations. The attestation must state that the request is not to investigate or impose liability on a person for seeking, obtaining, providing, or facilitating lawful reproductive care.
How the Rule Interacts with State Law
Some states now criminalize abortion care that is lawful in other states. The final rule blocks the use of PHI to prosecute care that was lawful where it was provided.
The consequence of disclosing in violation of the rule is a fresh HIPAA violation and potential civil liability. A common misconception is that the rule bars all reproductive-health disclosures, but routine treatment, payment, and operations continue as normal.
For example, Jordan Blake, a patient, travels from a restrictive state to a permissive state for care. A prosecutor later subpoenas records in the permissive state. The provider must obtain the attestation, and if the request targets lawful care, the provider must refuse.
Patient Rights as “Exceptions”
Some HIPAA provisions look like exceptions but are actually patient rights. Patients can authorize disclosures themselves and can direct their own records to third parties.
A signed authorization under 45 CFR 164.508 unlocks disclosures that otherwise need permission. Patients can also request access to their own records under 45 CFR 164.524.
The Right of Access
Patients have the right to inspect and get copies of their designated record set. Providers must respond within 30 days, with one 30-day extension allowed.
Fees must be reasonable and cost-based. The Ciox Health v. Azar ruling struck down HHS’s attempt to extend the patient-rate fee cap to third-party directives, so providers can charge market rates when a patient directs records to a lawyer or app.
The consequence of denying access without a lawful ground is one of OCR’s top enforcement areas. The Right of Access Initiative has produced more than 40 settlements since 2019.
Accounting of Disclosures
Patients can ask for a list of certain disclosures over the past six years under 45 CFR 164.528. Disclosures for TPO, to the patient, and with authorization are not included.
The consequence of not tracking disclosures is that the provider cannot fulfill a valid request. This alone triggers OCR complaints.
A common misconception is that patients can see “everything” ever shared. The accounting right is narrower, focused mostly on non-routine disclosures like public health and law enforcement.
Three Common Scenarios
Here are three real-world situations that show how HIPAA exceptions play out.
Scenario 1: The Subpoena in Civil Litigation
| Disclosure Trigger | Required Privacy Action |
|---|---|
| Attorney-issued subpoena with no court order | Request qualified protective order or notice to patient per 164.512(e) |
| Judge-signed court order for full chart | Release only records named in the order and log the disclosure |
| Subpoena plus signed patient authorization | Release per the scope of the authorization and verify identity |
Scenario 2: The ER Gunshot Wound
| Disclosure Trigger | Required Privacy Action |
|---|---|
| State law requires reporting gunshot wounds | Report per state statute under 164.512(a) |
| Police ask for full medical chart at bedside | Limit to the narrow identifying facts allowed by 164.512(f)(2) |
| Patient is a crime victim and agrees to share | Disclose as authorized and document the agreement |
Scenario 3: The Public Health Outbreak
| Disclosure Trigger | Required Privacy Action |
|---|---|
| State health department orders disease reporting | Report to public health authority under 164.512(b) |
| CDC contact tracer requests patient contacts | Disclose minimum necessary data for tracing |
| Media asks for patient names | Refuse without authorization, even during an emergency |
Mistakes to Avoid
HIPAA exceptions are not blank checks. The following mistakes drive a large share of OCR penalties.
- Releasing full charts on a bare attorney subpoena, which violates the 164.512(e) safeguards and can trigger six-figure fines.
- Sharing more than the minimum necessary, which turns a valid exception into a breach under 164.502(b).
- Telling employers about diagnoses without the required workplace-surveillance notice, which invalidates the disclosure.
- Confusing de-identified data with a limited data set, leading to missing Data Use Agreements and contractual exposure.
- Refusing to report child abuse because of HIPAA, which ignores 164.512(b) and violates state mandatory-reporting laws.
- Skipping the attestation for reproductive-health requests, which now violates the 2024 Final Rule.
- Giving the media patient names during emergencies, which is not a public-health exception.
- Ignoring patient right-of-access requests past 30 days, which is a top OCR enforcement target.
- Treating decedent records as unprotected, when they stay covered for 50 years under 164.502(f).
- Failing to get a business associate agreement with vendors, which makes even routine payment disclosures unlawful.
Do’s and Don’ts for Disclosures
Follow these rules to stay inside every HIPAA exception.
- Do verify the identity and authority of every requester, because fake police and fake lawyers do show up.
- Do document the exception, the legal basis, and the exact records released, so you can defend the disclosure later.
- Do train front-desk staff on subpoena handling, since untrained staff often release records they should not.
- Do route all unusual requests to the privacy officer, which keeps judgment calls consistent.
- Do use secure channels for every disclosure, because the Security Rule still applies.
Avoid these missteps at all costs.
- Don’t rely on verbal assurances from police without checking the legal form, since this is a frequent OCR finding.
- Don’t release reproductive-health records without the new attestation, because the 2024 rule is now active.
- Don’t assume consent from silence, since HIPAA requires affirmative steps in most non-TPO sharing.
- Don’t skip breach notification under 45 CFR 164.400-414, even when a disclosure started as a valid exception.
- Don’t guess at state law, because many states add tighter rules than HIPAA requires.
Pros and Cons of the Exception Framework
HIPAA’s exception system draws praise and criticism.
Benefits include:
- It keeps treatment flowing across providers without paperwork delays.
- It supports public health response during outbreaks and disasters.
- It helps law enforcement locate missing persons and solve violent crimes.
- It funds research that drives medical progress while protecting identifiers.
- It lets families navigate end-of-life and bereavement without privacy fights.
Drawbacks include:
- The rules are complex, and small providers struggle to apply them.
- Many staff over-disclose, believing the exception is broader than it is.
- State-law overlays vary sharply, which confuses multi-state health systems.
- Patients rarely know their rights, so violations often go unreported.
- Enforcement is uneven, which undermines deterrence.
Key Court Rulings and Agency Actions
Courts have shaped how HIPAA exceptions work. The most important recent ruling is Ciox Health v. Azar, which struck down HHS’s 2013 and 2016 extensions of the patient-rate fee cap.
The ruling matters because it clarified that third-party directives are not the same as patient access. It also reminded HHS that rulemaking must go through notice and comment.
OCR Right of Access Settlements
Since 2019, OCR has published dozens of Right of Access settlements. Penalties range from $3,500 for solo practices to $240,000 for large systems.
The consequence of ignoring access requests is public and costly. A common misconception is that OCR only pursues huge breaches, but access cases dominate enforcement dockets.
Reproductive Health Litigation
Several states have sued to block the 2024 Reproductive Health Privacy Final Rule. A Texas federal judge partially enjoined parts of the rule in 2025, and appeals are ongoing in 2026.
Providers should watch OCR’s enforcement page and update their attestation forms as cases develop. The consequence of following outdated guidance is either under-disclosure or over-disclosure, each with its own liability.
State-Law Nuances
State laws sometimes add tighter rules than HIPAA. When a state law is more protective, it controls.
California’s Confidentiality of Medical Information Act adds extra consent requirements for many disclosures. Texas’s Medical Records Privacy Act expands the definition of covered entities. New York’s SHIELD Act adds breach-notification duties for private health data.
Mental Health and Substance Use
Substance use disorder records from federally assisted programs also fall under 42 CFR Part 2. Part 2 is stricter than HIPAA, and recent 2024 amendments aligned some rules with HIPAA but kept extra patient consent requirements.
The consequence of applying only HIPAA to a methadone clinic’s records is a Part 2 violation. A common misconception is that the 2024 alignment rule “merged” the two, but many Part 2 protections still stand.
Minors and Family Access
State laws control whether minors can consent to their own care and block parental access. California, Oregon, and Washington give minors strong autonomy over certain sensitive services. Other states give parents broader access.
The consequence of applying the wrong state rule is either a privacy breach or an angry parent complaint. Providers must map their EHR’s family-access settings to each state where they operate.
FAQs
Can a hospital share my records with another hospital without asking me?
Yes. If the sharing is for your treatment, payment, or the health care operations of either hospital under a narrow set of rules, no authorization is needed under HIPAA’s TPO exception.
Does HIPAA let police get my medical records?
Yes. Police can get limited identifying information and, with a court order, warrant, grand jury subpoena, or proper safeguards on a regular subpoena, they can get more detailed records.
Can my employer see my medical records under HIPAA?
No. Employers generally cannot see your medical records without your written authorization, except for narrow workplace medical surveillance reports with advance notice to you.
Does HIPAA apply after a patient dies?
Yes. HIPAA protects a decedent’s records for 50 years after the date of death, with specific exceptions for coroners, funeral directors, and research on decedents.
Can schools share student health records under HIPAA?
No. Most school health records fall under the Family Educational Rights and Privacy Act, not HIPAA, because schools are usually not covered entities under federal health privacy law.
Does HIPAA block mandatory child abuse reporting?
No. HIPAA expressly permits disclosures to state child protective agencies and never overrides a state mandatory reporter law, so providers must still report suspected abuse.
Can researchers use my data without my consent?
Yes. An Institutional Review Board or Privacy Board can waive authorization if the research is minimal risk and cannot practicably be done with authorization or without the PHI.
Does the 2024 reproductive health rule apply to all states?
Yes. The rule applies to all HIPAA covered entities nationwide, though ongoing litigation in 2025 and 2026 has narrowed some parts in certain federal districts.
Can a provider warn someone I threatened to harm?
Yes. HIPAA’s serious-and-imminent-threat exception lets providers disclose the minimum necessary PHI to the potential victim or law enforcement to prevent the threat.
Does HIPAA let me see my own medical records?
Yes. Patients have a federal right of access to their designated record set, and providers must respond within 30 days for a reasonable, cost-based fee.
Can I be charged market rates for sending records to my lawyer?
Yes. After Ciox Health v. Azar, providers can charge market-based fees when you direct records to a third party like a lawyer, instead of the patient-access fee cap.
Does HIPAA apply to my fitness tracker or wellness app?
No. Most direct-to-consumer apps are not covered entities or business associates, so HIPAA does not apply, though the Federal Trade Commission’s Health Breach Notification Rule may.