HIPAA Exemptions Explained: Who Isn’t Covered and When PHI Can Be Disclosed

Kevin Henry

HIPAA

December 08, 2025

Entities Exempt from HIPAA

HIPAA protects Protected Health Information when handled by Covered Entities—health plans, health care clearinghouses, and most health care providers that conduct standard electronic transactions—and by their business associates. If an organization is not a Covered Entity or a business associate, HIPAA generally does not apply to it.

Commonly not covered by HIPAA are employers acting in their role as employers (employment records are not PHI), life and disability insurers, workers’ compensation carriers, schools and school districts whose education records are governed by FERPA, law enforcement agencies and courts, and consumer-facing health apps, wearables, or websites that are not operating for or on behalf of a Covered Entity. Banks, credit card processors, and many research sponsors are also outside HIPAA unless they sign a business associate agreement.

Remember: health information becomes PHI only when it is individually identifiable and created or received by a Covered Entity or its business associate. The same facts collected directly by an employer or a consumer app may be personal data, but it is not PHI under HIPAA.

Permitted PHI Disclosures Without Authorization

HIPAA allows certain uses and disclosures of PHI without a patient’s written authorization. Besides Treatment, Payment, and Health Care Operations (covered below), disclosures may occur when required by law; for Public Health Reporting; for Health Oversight Activities; in judicial or administrative proceedings (including responses to Judicial Subpoenas under defined safeguards); for specific Law Enforcement Requests; to avert a serious threat to health or safety; for victims of abuse, neglect, or domestic violence; for organ, eye, or tissue donation; for decedents; for specialized government functions; and as permitted by workers’ compensation laws.

All such disclosures must meet HIPAA’s “minimum necessary” standard when it applies—sharing only what is reasonably needed for the purpose—and any more stringent state privacy rules. You should document the legal basis and limit each disclosure accordingly.

Treatment, Payment, and Health Care Operations

HIPAA permits Covered Entities and their business associates to use and disclose PHI for treatment (care coordination, consultations, and referrals), payment (eligibility checks, claims, and collections), and health care operations (quality assessment, training, accreditation, audits, and business planning). These core activities do not require patient authorization.

The minimum necessary rule applies to payment and operations, but not to disclosures between providers for treatment. You may also share PHI with business associates for these purposes if a business associate agreement is in place. Patients can request restrictions, and if they pay for an item or service in full out of pocket, they may require that it not be disclosed to a health plan for that item or service.

Public Health and Oversight Exceptions

Public health authorities may receive PHI without authorization for Public Health Reporting such as communicable disease reports, vital records, adverse event or product safety reports, and to notify persons at risk of exposure. In limited cases, a provider may disclose work-related illness or injury information to an employer when required by law for workplace safety programs.

Health Oversight Activities allow disclosures to government agencies for audits, inspections, investigations, licensure actions, and fraud and abuse reviews related to the health care system or public benefit programs. These disclosures support accountability while still honoring HIPAA’s minimum necessary standard.

Judicial and Law Enforcement Disclosures

For judicial and administrative proceedings, PHI may be disclosed in response to a court order or warrant (limited to what the order authorizes). For Judicial Subpoenas or discovery requests not accompanied by a court order, you must obtain patient authorization or ensure the requester has provided satisfactory assurances—such as proof of patient notice or a qualified protective order.

Law Enforcement Requests permit disclosures in specific situations: to comply with legal mandates (for example, reporting certain wounds); to locate or identify a suspect, fugitive, witness, or missing person; about a crime victim (with consent or under defined exceptions); about a decedent where death may have resulted from criminal conduct; to report evidence of a crime committed on the premises; or to prevent or lessen a serious and imminent threat. Always verify the requester’s authority, document the request, and disclose the minimum necessary.

Research Use of PHI

HIPAA supports research through several pathways. You may use or disclose PHI with a research-specific authorization from the individual, or under a waiver of authorization approved by an Institutional Review Board or Privacy Board when criteria such as minimal privacy risk are met. Researchers may also review PHI “preparatory to research” on-site to design a study, and may use PHI solely about decedents for qualifying research.

De-identified Data is not PHI and can be used or shared without HIPAA restrictions if identifiers are removed under the Safe Harbor method or an expert determines that re-identification risk is very small. A Limited Data Set, which excludes direct identifiers but retains some dates and geography, may be shared for research, public health, or health care operations under a data use agreement.
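The two data tiers described above, Safe Harbor de-identified data and a Limited Data Set, as an added Python example that is not part of the original article and not Accountable’s own code. The sample record, field names, function names and the small-population ZIP prefix list are constructed assumptions. The removal and generalisation rules follow the Safe Harbor list in 45 CFR 164.514(b)(2) (direct identifiers removed, geography reduced to state plus a three-digit ZIP that becomes 000 for areas of 20,000 people or fewer, dates reduced to year, ages over 89 aggregated to 90+) and the Limited Data Set definition in 164.514(e) (direct identifiers removed, dates and city/state/ZIP retained); the page names these methods but does not enumerate the rules, so that detail is supplied here from the regulation.

```python
import re
from datetime import date

# Constructed sample record; every value is fictitious (assumption, not page data).
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0042-7781",
    "ssn": "000-12-3456",
    "email": "jane@example.invalid",
    "phone": "555-0100",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": date(1931, 5, 17),
    "admit_date": date(2024, 3, 2),
    "discharge_date": date(2024, 3, 9),
    "ip_address": "203.0.113.7",
    "diagnosis_code": "E11.9",
    "notes": "HbA1c 8.1%; callback 555-0199 before discharge.",
}

# Direct identifiers removed under both tiers (Safe Harbor and Limited Data Set).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street", "ip_address"}
# Dates Safe Harbor reduces to year (or an age band) but a Limited Data Set keeps.
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}
# Safe Harbor: a 3-digit ZIP prefix covering 20,000 or fewer people must become "000".
# The real list is derived from Census data; this subset is constructed for illustration.
SMALL_ZIP3 = {"036", "059", "102", "203", "205", "369", "556", "692", "821", "823", "878", "879", "884", "893"}

# Identifier-shaped tokens that commonly leak through free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def age_on(as_of: date, birth: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor removals; the result is no longer PHI."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue  # removed outright; city is a subdivision smaller than a state
        if field == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif field == "birth_date":
            age = age_on(as_of, value)
            # Ages over 89 are aggregated into 90+ and the birth year is suppressed.
            out["age"] = "90+" if age > 89 else age
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers only; dates and city/state/ZIP stay. Still PHI,
    so it may be shared only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(record: dict) -> dict:
    """Flag identifier-shaped tokens that survived structured de-identification.
    Free-text fields are the usual leak path and need their own scrubbing."""
    hits = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            for match in pattern.findall(value):
                hits.setdefault(field, []).append(f"{label}:{match}")
    return hits


if __name__ == "__main__":
    as_of = SAMPLE_RECORD["admit_date"]
    print("Safe Harbor      :", safe_harbor(SAMPLE_RECORD, as_of))
    print("Limited Data Set :", limited_data_set(SAMPLE_RECORD))
    print("Residual in notes:", residual_identifiers(limited_data_set(SAMPLE_RECORD)))
```

Running the block shows why a field-level scrub is not the whole job: both outputs still carry the phone number embedded in the free-text note, and `residual_identifiers` flags it. In practice, that check runs before either data set leaves the Covered Entity, and the Limited Data Set is released only once the data use agreement is in place.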

Government and Employer Exemptions

HIPAA permits disclosures for specialized government functions, including activities of military command authorities (for service members), national security and intelligence operations, protective services for officials, and to correctional institutions or law enforcement when an inmate is in custody for specified safety and health purposes.

Employers are generally not Covered Entities, and employment records—even when held by a provider in its role as an employer—are not PHI. However, employer-sponsored group health plans are Covered Entities, and plan sponsors may receive PHI only as allowed for plan administration and only with required safeguards. Disclosures to employers about workplace injuries or exposures may be allowed when required by law; otherwise, an employee’s authorization is typically needed.

Key takeaway: HIPAA exemptions are narrowly tailored. Before disclosing, confirm who is asking, the legal basis, and the minimum necessary PHI to share—and check whether state law imposes stricter limits.

FAQs

Who is not covered by HIPAA regulations?

Employers acting as employers, life and disability insurers, workers’ compensation carriers, schools governed by FERPA, law enforcement agencies, courts, banks, and most consumer health apps or wearables not working for a Covered Entity are generally outside HIPAA. HIPAA applies to Covered Entities and their business associates handling PHI.

When can PHI be disclosed without patient authorization?

Without authorization, PHI may be disclosed for treatment, payment, and health care operations; when required by law; for public health reporting; for health oversight activities; in judicial and administrative proceedings with proper process; for defined law enforcement requests; to avert a serious threat; for abuse, neglect, or domestic violence reporting; for organ donation and decedents; specialized government functions; and workers’ compensation programs.

What public health activities allow PHI disclosure?

Covered Entities may disclose PHI to public health authorities for disease and vital event reporting, adverse event and product safety monitoring, contact notification for persons at risk, and certain workplace-related reporting required by law. These Public Health Reporting disclosures must be limited to the minimum necessary.

How does HIPAA apply to research involving PHI?

Researchers can use PHI with an individual’s authorization or under an IRB/Privacy Board waiver when criteria are met. PHI may also be reviewed on-site “preparatory to research” or used solely about decedents. De-identified Data is not PHI and can be used freely, while a Limited Data Set may be shared under a data use agreement for research, public health, or operations.
