Navigating Exceptions to the HIPAA Security Rule: What You Must Know

Kevin Henry

HIPAA

January 14, 2024

6 minute read

The HIPAA Security Rule sets baseline safeguards for electronic protected health information (ePHI) handled by covered entities and their business associates. While “exceptions” exist, most are narrow and context-specific. This guide clarifies what is truly exempt, what is merely flexible, and how you can stay compliant without overbuilding.

Exceptions for Small Providers

There is no blanket small-entity exemption

All covered entities and business associates that create, receive, maintain, or transmit ePHI must comply. The Security Rule’s “flexibility of approach” scales requirements to your size, complexity, and risk—but it does not excuse compliance.

Use flexibility, not avoidance

  • Addressable specifications are not optional. You must implement them as reasonable and appropriate or document a comparable, effective alternative.
  • Prioritize controls that materially reduce risk: access controls, audit logging, encryption, and multi-factor authentication for remote and privileged access.

Document decisions through a security risk assessment

Perform and update a security risk assessment to identify threats, justify risk-based choices, and guide remediation. Keep written rationale for any alternative measure you use, and reassess after significant changes such as new EHR modules or telehealth workflows.

Employer Health Plan Exemptions

Which employer arrangements are covered

Group health plans are generally covered entities. However, a group health plan with fewer than 50 participants that is administered solely by the employer that established it is not treated as a HIPAA “health plan.” In those cases, the insurer or HMO providing benefits remains the covered entity, not the employer plan.

Firewalls between HR and the plan

Employers are not covered entities when acting as employers. If your organization also sponsors a covered health plan, separate plan administration functions from employment records, limit access to ePHI to authorized personnel, and maintain plan documents that describe permitted uses and disclosures.

Vendors and business associates

Third-party administrators, brokers, and benefit platforms that handle ePHI for a plan act as business associates and must implement Security Rule safeguards. Ensure business associate agreements, vendor risk reviews, and ongoing monitoring are in place.

Workers' Compensation Privacy

Permitted disclosures under workers’ compensation programs

The Privacy Rule allows disclosures of PHI as authorized by workers’ compensation or similar laws, including to insurers, state agencies, and employers to the extent the law permits. These permissions enable claims handling without patient authorizations.

Security obligations still apply

Even when disclosure is permitted, you must safeguard ePHI during transmission and storage. Apply minimum necessary practices, verify requestors, encrypt data in transit, and keep audit trails for disclosures related to workers’ compensation.

Personal Health Records and Wearables

When HIPAA applies

HIPAA covers data in a provider’s EHR or a health plan system, including data imported from wearables or patient apps when those tools act on behalf of a covered entity or its business associate. Once the information enters your systems as ePHI, the Security Rule applies.

When HIPAA does not apply

Consumer apps and wearable platforms that offer services directly to individuals, without acting for a covered entity, are typically outside HIPAA. Other laws may apply to those vendors, but the HIPAA Security Rule would not.

Patient access, APIs, and the information blocking exception

Providers subject to information blocking requirements should enable secure patient access while protecting systems. The privacy and security information blocking exception allows reasonable safeguards—such as identity proofing and multi-factor authentication—when they are tailored, non-discriminatory, and not used to impede access.

De-Identified and Non-Covered Information

De-identified data

Data that meet HIPAA de-identification standards—either through removal of specified identifiers or via expert determination—are not ePHI and fall outside the Security Rule. Maintain re-identification risk controls and document your method and ongoing validation.
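As an added illustration (not from the original article and not Accountable's code), the Python script below applies Safe Harbor style transformations to a constructed patient record and then re-scans the result for identifier patterns that survived, which is the kind of ongoing validation the paragraph above recommends. The field names, the sample record and the low-population ZIP prefix set are assumptions; the categories of identifiers handled follow the Safe Harbor method, but the script covers only a subset of the full list and is not a substitute for it.

```python
"""Safe Harbor style de-identification of a constructed record, with a
residual-identifier check. Added example; field names, the sample record
and LOW_POPULATION_ZIP3 are assumptions, not data from the article."""
import re
from datetime import date

# Direct identifiers that Safe Harbor requires removing outright
# (subset of the method's identifier categories; field names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}

# Placeholder: 3-digit ZIP prefixes whose area has 20,000 or fewer people
# must be reduced to "000". The real list comes from Census data; this
# set is constructed for the example only.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "205"}

# Dates directly related to the individual: keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns used by the validation pass over free-text fields.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for low-population areas."""
    digits = re.sub(r"\D", "", str(zip_code))[:5]
    if len(digits) != 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3

def generalize_date(value):
    """Reduce a date object or ISO 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return int(m.group(1)) if m else None

def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age >= 90 else age

def deidentify(record):
    """Return a new dict with direct identifiers dropped and quasi-identifiers generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value
    # For the 90+ category even the birth year is indicative of age, so drop it.
    if out.get("age") == "90+" and "birth_date" in out:
        out["birth_date"] = None
    return out

def residual_identifier_check(record):
    """Scan string-valued fields for identifier patterns that survived
    field-level stripping; returns a list of (field, pattern_name)."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, kind))
    return findings

# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.com",
    "zip": "02139",
    "birth_date": "1931-05-17",
    "age": 92,
    "admission_date": date(2023, 11, 2),
    "diagnosis_code": "E11.9",
    "notes": "Follow up with jane.doe@example.com about refill.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifier_check(cleaned))
```

Run stand-alone, the script drops the named identifier fields, reduces the ZIP to three digits, the admission date to its year and the age to "90+", and then the validation pass still flags the free-text notes field because an e-mail address is embedded in it. That last result is the practical point: field-level rules alone do not meet the standard when identifiers live inside narrative text, and the documented method needs a step that handles free text before the data can be treated as outside the Security Rule.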

Non-covered information categories

  • Employment records held by a covered entity in its role as employer are not PHI.
  • Education records governed by other laws are generally not PHI.
  • Data held solely by entities that are neither covered entities nor business associates are not subject to the Security Rule.

Breach Notification Exceptions

When the breach notification rule does not require notice

  • Unintentional access or acquisition by a workforce member acting in good faith and within scope of authority, with no further improper use or disclosure.
  • Inadvertent disclosure between two authorized persons at the same covered entity or business associate, with no further improper use or disclosure.
  • Disclosures where there is a good-faith belief the recipient could not reasonably retain the information.

Risk assessment still governs

If no exception applies, conduct the required four-factor risk assessment to determine whether there is a low probability that ePHI was compromised. Document findings, apply mitigation, and issue notifications without unreasonable delay if required.

Proposed Security Rule Updates

Themes policymakers are considering

  • Codifying baseline cybersecurity practices such as multi-factor authentication, strong encryption, and timely patching.
  • Strengthening vendor and business associate oversight, including incident cooperation and reporting expectations.
  • Clarifying documentation for addressable controls and ongoing security risk assessment cadence.
  • Aligning with sector cybersecurity goals and recognized security practices to guide enforcement discretion.

What you can do now

  • Implement MFA for remote, administrative, and privileged access; encrypt ePHI in transit and at rest.
  • Refresh your enterprise security risk assessment and tie remediation to clear owners and timelines.
  • Inventory business associates, update agreements, and test incident response with your vendors.
  • Harden identity, access, and audit logging; practice least privilege and rapid deprovisioning.
  • Document recognized security practices and map them to your safeguards to demonstrate due diligence.

Conclusion

Actual HIPAA Security Rule “exceptions” are narrow. Most scenarios rely on flexible, risk-based implementation rather than exemption. Focus on accurate scoping of ePHI, disciplined security risk assessments, strong identity controls, and rigorous vendor oversight to stay compliant—even as requirements evolve.

FAQs

What entities are exempt from the HIPAA Security Rule?

The Security Rule applies to covered entities (health plans, most providers, and clearinghouses) and business associates. Some employer group health plans with fewer than 50 participants administered solely by the employer are not treated as HIPAA health plans; in those cases the insurer or HMO is the covered entity. Entities that are neither covered entities nor business associates are outside the Security Rule.

When is a HIPAA breach notification not required?

Notice is not required when an incident fits one of the rule’s narrow exceptions: good-faith, within-scope access without further misuse; inadvertent disclosure between authorized persons; or a disclosure where the recipient could not reasonably retain the information. Otherwise, you must perform a risk assessment and notify if there is more than a low probability of compromise.

How do proposed updates affect HIPAA compliance?

Proposals aim to formalize practices already considered reasonable—like multi-factor authentication, stronger encryption, vendor oversight, and documented risk assessments. Preparing now by implementing these controls and maintaining evidence of recognized security practices will reduce both risk and regulatory exposure.

What constitutes de-identified health information under HIPAA?

Information is de-identified if it either has specified identifiers removed under safe harbor or an expert determines that the risk of re-identification is very small. De-identified data are not ePHI and therefore fall outside the HIPAA Security Rule, though you should still manage re-identification risk and data-sharing controls.
