What the HIPAA Privacy Rule Does Not Apply To: Examples and Exceptions


Kevin Henry

HIPAA

March 30, 2024

De-identified Health Information

The HIPAA Privacy Rule protects individually identifiable health information (IIHI) held by covered entities and business associates. Once data are truly de-identified, they are no longer IIHI, and the Privacy Rule does not apply. De-identification can occur in two accepted ways: the Safe Harbor method (removing specific identifiers) or an expert determination that the risk of re-identification is very small.

De-identified datasets can be used, shared, and analyzed without HIPAA restrictions. By contrast, a “limited data set” (which may still include dates, city, or ZIP code) remains PHI and may only be shared under a data use agreement. Because de-identified information sits outside HIPAA, the minimum necessary standard and its exceptions do not need to be invoked to justify its use.

  • Examples: population-level dashboards, algorithm development using de-identified claims, and benchmarking reports that contain no IIHI.
  • Common pitfalls: retaining small-cell geographies or free-text notes that reveal identity; always validate de-identification before disclosure.
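The following Python example is added here to illustrate the Safe Harbor approach and the validation step described above; it is not code from the article or from Accountable. It removes a subset of the Safe Harbor identifiers, generalizes ZIP codes to three digits (reporting "000" for prefixes covering 20,000 or fewer people), reduces dates to the year, caps ages above 89, and then screens the result for residual identifiers, including phone numbers or dates hiding in free-text notes. The small-population ZIP prefix set and the sample record are constructed for the example; a real implementation would load the prefix list from current census data and treat the regex screen as a first pass, not as proof of de-identification.

```python
"""Illustrative Safe Harbor de-identification with a pre-disclosure check.

Added example, not part of the original article. Field names, the small-population
ZIP prefixes, and the sample record are assumptions constructed for this demo.
"""
import re
from datetime import date

# Direct identifiers dropped outright (a subset of the 18 Safe Harbor identifiers).
DIRECT_IDENTIFIER_FIELDS = {"name", "ssn", "mrn", "phone", "email", "street_address"}

# Constructed for this example: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. Safe Harbor requires these to be reported as "000".
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

AGE_CAP = 89  # ages above this are aggregated into one "90+" category

# Heuristic patterns that suggest identifying content left in free text.
FREE_TEXT_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is a small-cell geography."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single top category."""
    return f"{AGE_CAP + 1}+" if age > AGE_CAP else str(age)


def generalize_date(d: date) -> str:
    """Safe Harbor allows the year of a date but not month or day."""
    return str(d.year)


def safe_harbor_deidentify(record: dict) -> dict:
    """Return a new record with direct identifiers removed and quasi-identifiers generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, date):
            out[f"{key}_year"] = generalize_date(value)
        else:
            out[key] = value
    return out


def find_residual_identifiers(record: dict) -> list[str]:
    """Describe fields that still look identifying; an empty list means the screen passed."""
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"{key}: direct identifier present")
        elif isinstance(value, date):
            findings.append(f"{key}: full date present")
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{key}: {label}-like pattern in free text")
    return findings


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-00012345",
    "zip": "02139",
    "age": 92,
    "admission_date": date(2023, 11, 4),
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient's daughter can be reached at 617-555-0134 after 5pm.",
}

if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    # The free-text note still carries a phone number, so the record must not be released.
    print(find_residual_identifiers(cleaned))
```

The two-step shape matters: the generalization step handles structured fields mechanically, but the free-text note passes through untouched, and only the validation step catches the phone number it contains. That mirrors the pitfall above, where a dataset is "de-identified" on paper yet still leaks identity through notes.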

Employment Records

HIPAA does not cover employment records held by an employer in its role as an employer, even if the employer is a hospital or health plan. These files are not PHI under HIPAA. They include documents maintained for human resources, occupational health administration, and workplace safety programs.

Examples include FMLA certifications, ADA accommodation forms, drug-testing results, fitness-for-duty notes, and workers’ comp leave paperwork kept by the employer. While HIPAA is out of scope, other laws may apply, and State Law Preemption rules mean stricter state privacy or labor laws can control how these records are handled.

Education Records

Education records and student “treatment records” protected by FERPA are excluded from HIPAA. When a school provides health services to students and keeps those records as part of the student file, the HIPAA Privacy Rule does not apply to those records.

Examples include school nurse logs, immunization documentation maintained in the student record, and counseling notes kept under FERPA. If a university hospital treats the public, those clinical records are HIPAA PHI, but a student’s FERPA-covered education records remain outside HIPAA. State Law Preemption still matters because state immunization and student privacy laws can impose additional requirements.

Public Health Activities

The Privacy Rule permits disclosures of PHI without authorization for public health activities—part of HIPAA’s Public Interest and Benefit Activities. Covered entities may report communicable diseases, adverse events, vital statistics, or exposures to authorized public health authorities. Disclosures should be limited to the minimum necessary for the stated purpose unless a law requires specific data elements.

  • Examples: reporting COVID-19 or TB cases, submitting vaccine adverse event data, notifying partners about significant exposures, and supporting recalls of contaminated products.
  • Tip: document the authority and purpose for each disclosure, and tailor the dataset to what the public health authority needs.

Health Oversight Activities

Disclosures are also allowed for health oversight activities such as audits, inspections, licensure reviews, or investigations by agencies that oversee the health care system or government programs. These oversight functions are distinct from law enforcement and remain within the public interest framework.

Research with an Institutional Review Board Waiver

Research is another permitted pathway. If obtaining patient authorization is impracticable, an Institutional Review Board Waiver (or Privacy Board waiver) can allow access to PHI when privacy risks are minimal and protections are in place. Even with a waiver, apply the minimum necessary standard and consider limited data sets with a data use agreement where feasible.

Judicial and Administrative Proceedings

Covered entities may disclose PHI in judicial or administrative proceedings when responding to a court or administrative order (only the information expressly required) or to a subpoena, discovery request, or other lawful process accompanied by satisfactory assurances (for example, that the individual has been notified or a protective order is in place). Always limit disclosures to what is requested and necessary.

Minimum Necessary Standard Exceptions do not apply to disclosures required by law or under a valid court order, but they do apply to most other process-based disclosures. Maintain documentation of the request, basis, and scope.

Workers' Compensation Disclosures

Disclosures for workers’ compensation are permitted to the extent authorized by, and necessary to comply with, workers’ compensation or similar laws. Typically, this allows sharing injury and treatment information with insurers, administrators, or employers involved in the claim, within the limits the statute sets.

Law Enforcement Disclosures

The Privacy Rule allows—but does not require—certain disclosures to law enforcement without patient authorization. These include complying with warrants, subpoenas, or summons; responding to requests to locate or identify a suspect, fugitive, material witness, or missing person; reporting certain wounds or injuries required by law; and providing limited information about a crime on the premises.

For a suspected victim of a crime, disclosure generally requires the individual’s agreement, unless the individual cannot agree and law enforcement represents that immediate law-enforcement activity depends on the disclosure. Share only what is necessary for the purpose, and document the request, legal authority, and scope.

  • Examples: reporting gunshot wounds as required by state law; confirming a patient’s admission status to help locate a missing person; responding to a grand jury subpoena.
  • Notable limits: do not disclose psychotherapy notes or substance use disorder records protected by other federal rules without proper authority.

Serious Threats to Health or Safety

Covered entities may disclose PHI in good faith to prevent or lessen a serious and imminent threat to a person or the public. Disclosures may be made to someone who can avert the threat, such as law enforcement or an at-risk individual. This exception is narrow: assess credibility, document your rationale, and disclose no more than needed.

This pathway also fits within Public Interest and Benefit Activities and operates alongside state “duty to warn” or similar laws. State Law Preemption means stricter state standards for warning or confidentiality can govern your response.

Conclusion

In short, the HIPAA Privacy Rule does not apply to de-identified data, employment records, or FERPA-protected education records. It also permits narrow, purpose-driven disclosures of PHI without authorization for public health, oversight, judicial and administrative processes, law enforcement needs, workers’ compensation, and to address serious threats—each bounded by the minimum necessary principle and, where applicable, State Law Preemption.

FAQs

What types of information are excluded from the HIPAA Privacy Rule?

De-identified datasets that are no longer individually identifiable health information, employment records kept by an employer, and FERPA-protected education and student treatment records are outside HIPAA. Additionally, information that never related to a person’s health care or payment isn’t PHI and falls outside the Rule.

When can protected health information be disclosed without patient authorization?

Disclosures are allowed for Public Interest and Benefit Activities, including public health reporting, health oversight activities, judicial and administrative proceedings, specific law enforcement purposes, Workers' Compensation Disclosures, and to prevent a serious and imminent threat. Research may proceed without authorization under an Institutional Review Board Waiver when criteria are met. Minimum Necessary Standard Exceptions apply to certain required-by-law disclosures and treatment uses.

How does the Privacy Rule interact with state laws?

HIPAA generally preempts contrary state laws, but State Law Preemption preserves stricter state rules that offer greater privacy protection or address specific reporting needs (for example, certain disease, injury, or abuse reporting). Always check whether a state requirement is more stringent or expressly mandated; if so, follow the state rule.

What exceptions exist for law enforcement disclosures under HIPAA?

Permitted disclosures include responding to warrants, subpoenas, or summons; limited information to locate a suspect or missing person; reporting certain injuries required by law; disclosures about crimes on the premises; and, in specific conditions, disclosures about a suspected victim. Each disclosure must be narrowly tailored to the purpose and documented, observing the minimum necessary standard where applicable.
