The Three Exceptions to a HIPAA Breach: A Guide for Medical Practitioners

Many people take a “better safe than sorry” approach when it comes to HIPAA breaches, with medical care staff treating even the most seemingly innocuous incident as a serious violation. Despite this safety-first outlook, there are three exceptions to the definition of a breach that team members should be aware of; knowing where those boundaries lie can make all the difference in properly preserving patient privacy. Whether you’re new to health care or have years of experience under your belt, familiarizing yourself with these three exceptions is an essential step in protecting your patients and your brand alike.

A HIPAA breach is a serious violation of the Health Insurance Portability and Accountability Act, but there are some exceptions to be aware of. The HIPAA Privacy Rule allows certain uses and disclosures of protected health information without patient authorization. These include communication between health care providers, payment processing, protecting public safety, disclosure to family members or friends involved in the patient’s care, and other legitimate purposes. Additionally, a HIPAA compliance checklist can help ensure that your organization complies with all applicable aspects of the law. Being aware of legal requirements and reviewing HIPAA-related data security policies and procedures on a regular basis are key components of any successful compliance program.


1. Unintentional Acquisition Or Access:

Unintentional access to protected health information (PHI) will happen sooner or later. However, an employee's good intentions can bring an incident within the first exception: when an individual acquires, accesses, or uses PHI in good faith and within the scope of their authority, and does not further use or disclose this confidential material in a way that goes against HIPAA standards. In these cases, the incident is not treated as a breach, because the established handling protocols were respected and followed with care.



Working in a healthcare facility can be tricky at times. There are many rules and regulations that even the most experienced employee must keep in mind to remain compliant. Take, for instance, the scenario of a technician accidentally opening the wrong patient chart while doing their job; under normal circumstances, this view would generally be covered by the exception because it was unintentional and occurred as part of their duties. However, if there is any malicious intent behind it and snooping is involved, that changes everything. In such cases, viewing the PHI would no longer be covered by the exception and would instead count as a breach, something to consider before looking at someone else's health information.


In the healthcare sector, it's vital to keep all Protected Health Information (PHI) confidential and to share it only under permitted conditions. If a technician happens to come across PHI inadvertently, the preferred course of action is to inform their supervisor and take steps to correct the error. If, however, the technician chooses to 'spread the word' by gossiping about or discussing the information with others, that counts as a breach, no matter how innocent their intentions may be. The only situation in which this rule doesn't apply is when the information must be shared because it is necessary for the patient's treatment. When it comes to health, discretion is key.


2. Inadvertent Disclosure to an Authorized Person:

Accidental disclosure of PHI can, unfortunately, occur from time to time, particularly when multiple people are authorized to access the same confidential material. In these circumstances, healthcare organizations can rely on a useful exception in the HIPAA rule: if a person who is authorized to access PHI accidentally sends it to an equally authorized colleague within the same organization, there is no violation as long as the information is not used or disclosed further than the regulations permit. While we hope that such mistakes never happen, this exception means that organizations need not report every unpredicted lapse in judgment among staff members as a breach.


Consider a case of accidental disclosure: a nurse emails the wrong lab results to a doctor, who recognizes the error and deletes the message. Even though an email containing protected health information (PHI) was briefly sent, no breach alarm needs to be sounded. Both the nurse and the doctor are authorized to access PHI, so there is no breach on that front. They also both work at the same hospital, which usually means their security systems are aligned, allowing for smoother communication around PHI when needed. Crucially, the doctor did not share the information further, which could have changed the outcome drastically; as it stands, the incident ends without a reportable breach.


3. Inability to Retain PHI:

In many cases, an errant disclosure of PHI may not be considered a breach if it meets the criteria of one of the three exceptions. The third applies when an organization concludes in good faith that the unauthorized person who received the information had no reasonable opportunity to retain it. Take, for instance, a clinic sending out explanation of benefits (EOB) letters: if some are returned unopened by the post office, it can safely be assumed that the chances their contents were viewed are low. By taking this 'third exception' into account, healthcare providers have some room to protect sensitive patient data without reporting a breach every time a mailing goes astray.


When it comes to unauthorized disclosures, the central question is whether the wrong recipient retained any confidential information. Take a pharmacy, for instance: it may have accidentally handed out someone else's prescription, and when told of the error, the patient promptly returned it. In this situation, it is relatively easy to assess whether the individual retained details such as a name or date of birth, since certain information is hard to forget once seen. Nevertheless, unauthorized disclosure should always be taken seriously, as one never knows what could have been committed to memory and later misused.

Editorial Team
This article was written by Editorial, a Consultant at Industrial Psychology Consultants (Pvt) Ltd.
