The Three Exceptions to a HIPAA Breach | HIPAAtrek (2024)

Many people have a “better safe than sorry” mentality when it comes to privacy and HIPAA breaches. Similar to how doctors, nurses, and technicians often consider incidental disclosures to be privacy violations, many privacy officers consider any impermissible disclosure to be a breach. However, there are three exceptions to a breach that all staff members should be aware of.

1. Unintentional Acquisition, Access, or Use

The first exception to a breach is when an employee unintentionally acquires, accesses, or uses protected health information (PHI) in good faith within the scope of their authority, and they do not further disclose the PHI in a manner not permitted by the rule.

For example, a technician might accidentally open the wrong patient chart while carrying out her authorized duties. Her viewing of PHI was both unintentional and during the course of her duties; therefore, the exception applies. However, if the technician opened the chart to snoop, she is acting deliberately and not in good faith, making the viewing of PHI a breach.

Additionally, if the technician shares the PHI she accidentally saw in an unallowable way, such as gossiping, then this is a breach. The only time when it’s okay to further disclose the information is if it’s used for the patient’s treatment. In this case, the exception applies.

2. Inadvertent Disclosure to an Authorized Person

The second exception to a breach is when a person authorized to access PHI accidentally shares PHI with another authorized person at the same organization, and PHI is not further disclosed in a manner not permitted by the rule.

For example, a nurse emails the wrong lab results to a doctor, and the doctor tells him that it’s the wrong file and deletes the email. The exception applies here because the disclosure was inadvertent, both the nurse and the doctor are authorized to access PHI, they both work at the same hospital, and the doctor didn’t further share the information.

3. Inability to Retain PHI

The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information wouldn’t have been able to retain it.

For example, a clinic mails explanation of benefits (EOB) letters to the wrong people, and the post office returns some of the letters unopened. Most likely, the addressees didn’t see or retain the information inside these envelopes, so the exception applies. However, the EOBs that weren’t returned should be treated as potential breaches.

The key to this exception is whether or not the unauthorized person is able to retain the information. For example, a pharmacy may hand out the wrong prescription, and the patient returns the prescription before leaving the building. In this case, the pharmacy can make an on-the-spot assessment as to whether the patient was able to retain any of the other patient’s information, such as their name or date of birth.

In Summary

Human errors are common, and not all disclosure errors threaten the privacy of PHI. If every impermissible disclosure were treated as a breach, healthcare would become gridlocked. Therefore, the HIPAA Privacy Rule allows these three exceptions to a breach.

Next time a potential breach comes to light, don’t jump to conclusions. First, gather all the facts and see whether or not an exception applies. If one does, document the incident and the exception you applied and keep it on record. If none of the exceptions apply, conduct the four-factor breach assessment to determine the risk level.


Gain Peace of Mind With the Right HIPAA Compliance Tool

When a potential HIPAA violation comes to your attention, you can use the Breach Risk Assessment Tool in our HIPAA management software to discover whether or not the incident was a breach. The tool will guide you through applying the exceptions to a breach and evaluating your risk level.

If a breach did occur, you can record the details in the Breach Notification Log with the click of a button. If a breach did not occur, you can record the incident in the Security Incident Log, along with a description of what you did to mitigate the incident.

To learn more about how HIPAAtrek can help you create a culture of compliance at your organization, request a personalized demo or reach out to us at support@hipaatrek.com.
