HIPAA Privacy Rule Exceptions List: When Protected Health Information (PHI) Can Be Disclosed Without Authorization

Kevin Henry

HIPAA

February 10, 2024

As a covered entity or business associate, you may disclose protected health information without a signed authorization in limited, well-defined situations. This HIPAA Privacy Rule exceptions list explains when disclosure is permitted, what safeguards apply, and how to document requests.

In every case, verify the requestor’s authority, disclose only the minimum necessary, and prefer De-identified Health Information or a limited data set when full identifiers are not needed.

Required by Law

What “required by law” means

You may disclose PHI when a statute, regulation, or court order compels it. Common examples include mandatory reporting of certain injuries, vital records submissions, and compliance with state Workers' Compensation Program requirements.

Key safeguards

  • Confirm the legal basis (e.g., statute, regulation, or order) and the scope of information requested.
  • Apply the minimum necessary standard; redact extraneous identifiers.
  • Document the legal authority and what you released for your disclosure log.

Examples

  • Submitting injury or illness reports needed to administer a Workers' Compensation Program.
  • Responding to a valid court order directing production of specific medical records.
  • Providing limited data needed for required state registries.

Public Health Activities

Permitted public health disclosures

You may disclose PHI to a public health authority for disease control, reporting adverse events, and similar Public Health Surveillance activities. Typical recipients include state health departments and federal public health agencies.

  • Reporting communicable diseases, lab results, and immunization data when authorized.
  • Notifying authorities about adverse events, product defects, or recalls to protect the public.
  • Sharing exposure and monitoring information for outbreaks or environmental hazards.

Using data responsibly

  • Share the minimum necessary; when feasible, provide De-identified Health Information or a limited data set under a data use agreement.
  • Record the recipient, date, and purpose to support your accounting of disclosures process.

Health Oversight Agency activities

Separate from public health, disclosures are also permitted to a Health Oversight Agency for audits, inspections, licensure, and investigations of the health care system. Examples include state medical boards or inspector general offices conducting oversight.

Health Research

When PHI may be used or disclosed without authorization

  • IRB or Privacy Board waiver: An Institutional Review Board can approve a waiver of authorization when criteria such as minimal risk and impracticability are met.
  • Preparatory to research: Review PHI on-site to design a study or assess feasibility, without removing identifiers.
  • Research solely on decedents: With documentation of the research purpose and need for PHI.
  • Limited data set: Disclose under a data use agreement that restricts re-identification and further use.
  • De-identified Health Information: Not PHI and may be used freely once properly de-identified.

Documentation to maintain

  • IRB/Privacy Board waiver or alteration approval and protocol details.
  • Representations for preparatory or decedent research, including scope and safeguards.
  • Data use agreements for limited data sets and logs of what was shared.

Abuse, Neglect, or Domestic Violence Reporting

Permitted disclosures

You may disclose PHI to a government authority authorized to receive reports of abuse, neglect, or domestic violence. For children, reporting is typically mandated; for adults, disclosure depends on applicable law and professional judgment about the individual’s best interests.

Safeguards and notices

  • Share only what is necessary for the report and consider the individual’s safety when deciding whether to inform them.
  • If informing the individual could place them at risk, you may delay notice consistent with law and agency guidance.
  • Document the authority notified, what was disclosed, and your rationale.

Law Enforcement Disclosures

When you may disclose to law enforcement

  • Court order, warrant, or summons directing disclosure.
  • Subpoena Compliance consistent with privacy safeguards (and as advised by your legal counsel).
  • Limited information to identify or locate a suspect, fugitive, material witness, or missing person.
  • Information about a crime victim, subject to additional conditions.
  • Evidence of a crime that occurred on your premises or in response to a medical emergency where a crime is suspected.
  • Reporting death or serious injury when criminal conduct may be involved.

Limits and safeguards

  • Provide only the narrow set of identifiers permitted when assisting identification/location requests.
  • Verify the requesting officer’s identity and legal authority before disclosing.
  • Log disclosures as required and retain copies of legal process received.

Judicial and Administrative Proceedings

Orders, subpoenas, and protective measures

  • Court or administrative orders: Disclose only what the order specifies.
  • Subpoena Compliance without a court order generally requires “satisfactory assurances” or notice to the individual, or a qualified protective order limiting use and redisclosure.
  • Work with counsel to tailor production sets, apply redactions, and ensure minimum necessary.

Practical steps

  • Authenticate the request, scope, and return address for records.
  • Document production decisions, including any objections, redactions, and protective orders.
  • Update your policies and train staff on routing legal requests promptly.

Cadaveric Organ and Tissue Donation

Permitted disclosures

You may disclose PHI to organ procurement organizations, eye or tissue banks, and similar entities to facilitate cadaveric organ and tissue donation and transplantation. Timely information sharing helps evaluate suitability and coordinate recovery.

Safeguards

  • Limit disclosures to information necessary for donation screening and coordination.
  • Verify the recipient organization’s role and maintain a record of the disclosure.

Conclusion

HIPAA permits disclosures without authorization only in defined scenarios, with strict safeguards. As a covered entity, apply the minimum necessary standard, verify the requestor’s authority, prefer de-identification, and document your decisions. These practices serve essential public interests while protecting patient privacy.

FAQs

What are the main exceptions to the HIPAA Privacy Rule?

Key exceptions to the HIPAA Privacy Rule include disclosures required by law; public health activities and Public Health Surveillance; health oversight; certain research pathways (such as IRB waiver, preparatory to research, decedent research, and limited data sets); reports of abuse, neglect, or domestic violence; law enforcement purposes; judicial and administrative proceedings; and cadaveric organ and tissue donation.

When can PHI be disclosed without patient authorization?

PHI may be disclosed without a signed authorization when a law or court order compels it, when needed for public health or health oversight, for permitted research with appropriate approvals or documentation, to report abuse or neglect, for specified law enforcement requests, in response to legal process with proper safeguards, and to support organ and tissue donation. Always apply the minimum necessary standard and keep records of what you shared.

How are disclosures for public health purposes regulated?

Disclosures to public health authorities must be for legitimate public health purposes such as disease reporting, surveillance, or addressing product and environmental risks. You should verify the authority of the recipient, share only what is necessary, and prefer De-identified Health Information or a limited data set when feasible, documenting each disclosure as required.

What is the role of an IRB in HIPAA research exceptions?

An Institutional Review Board may approve a waiver or alteration of authorization when criteria such as minimal privacy risk and impracticability of obtaining individual permissions are met. The IRB’s documentation, combined with data minimization and other safeguards, allows a covered entity to disclose PHI for research without individual authorization under the HIPAA Privacy Rule.
