HIPAA Exceptions in Health Information Management

What Are the Exceptions to HIPAA?

A law firm sends a request for medical records related to a personal injury case. There’s no patient authorization included, just a subpoena. The HIM team hesitates. Is this valid under HIPAA? Can the records be released, or does this require authorization? The request sits in limbo, not because the team lacks diligence, but because the answer isn’t immediately clear.

HIPAA includes a set of well-defined exceptions that permit the disclosure of protected health information (PHI) without patient authorization. These exceptions are not loopholes or vague permissions; they are legal mechanisms that enable critical information sharing in specific circumstances.

HIM professionals need to protect patient privacy while accurately fulfilling legal requests without unnecessary delays. Understanding HIPAA exceptions is essential to meeting both privacy obligations and compliance demands.

These examples are provided for educational purposes and are not intended to serve as legal advice.

HIPAA Exceptions Overview

This article is designed to help Health Information Management (HIM) professionals and compliance teams understand when HIPAA permits the release of protected health information (PHI) without patient authorization.

Here’s what you’ll learn:

  • How to identify a legally valid HIPAA exception and avoid mistaken disclosures
  • Real-world HIM scenarios where exceptions may apply
  • Frequent mistakes HIM professionals make when interpreting exceptions
  • How state laws may override HIPAA in some instances
  • How modern technology supports compliant record release

What Is a HIPAA Exception?

HIPAA exceptions are specific circumstances under which covered entities may disclose protected health information (PHI) without patient authorization, as outlined in the HIPAA Privacy Rule (45 CFR §§ 164.502 to 164.514). 

Exceptions fall into three primary categories, each with distinct operational relevance:

  • Treatment, payment, and healthcare operations (TPO): Routine disclosures that support direct care, reimbursement, or internal business functions
  • Public interest and benefit activities: Disclosures permitted for public health, safety, law enforcement, and similar societal needs
  • Required-by-law scenarios: Disclosures mandated by another federal, state, or local law that explicitly compels PHI release

While HIPAA permits these disclosures, they are not automatic. Every exception has boundaries, and each request must be evaluated against its legal criteria before any information is released.

In most cases, the Minimum Necessary Rule applies. This means you can only disclose the smallest amount of PHI required to accomplish the intended purpose. 

The primary exceptions to this rule are:

  • Disclosures to or by healthcare providers for treatment
  • Disclosures made directly to the individual
  • Disclosures required by law

Misclassifying a request under the wrong HIPAA exception may lead to improper disclosures. If the documentation is incomplete, the legal basis is unclear, or the purpose does not clearly align with the exception, pause and escalate. Releasing too much, too soon, or under the wrong rule puts your organization at serious risk.

The Treatment, Payment, and Healthcare Operations (TPO) HIPAA Exception

Treatment, payment, and operations (TPO) is the most common HIPAA exception. Under this exception, every disclosure must directly support the delivery of healthcare, the financial support of that care, or the internal activities that keep the organization functioning properly and safely.

This exception allows covered entities to use or disclose PHI without patient authorization when doing so is necessary for:

  • Treatment: Delivering or coordinating patient care between providers.
  • Payment: Obtaining reimbursement from payors or determining benefit eligibility.
  • Operations: Performing internal functions essential to business operations, such as quality improvement, legal reviews, or training.

However, this exception is also one of the most frequently misapplied. HIM and compliance professionals must be careful not to stretch the definition of “operations” to cover disclosures that fall under research, marketing, or external analytics. 

Additionally, disclosures to business associates under this exception require a valid Business Associate Agreement (BAA) and must be limited to what’s necessary for the contracted services.

Although disclosures for TPO purposes do not need to be included in a patient’s accounting of disclosures, HIM departments should still document access internally. 

Example of Correct Use

A cardiologist requests hospital records for a patient recently discharged after a heart attack. The hospital’s HIM team provides the discharge summary, medication list, and cardiac imaging reports to support outpatient follow-up and ongoing care coordination.

Example of Incorrect Use

A third-party analytics company asks for broad access to patient records to develop a predictive model for future population health outreach. The vendor claims the use qualifies under “operations.” The HIM department, without verifying contractual protections or checking whether the use is permissible under HIPAA, grants full access to clinical data.


How State Law Interacts with HIPAA

HIPAA creates a national baseline for patient privacy, but it does not override state laws that are more protective of health information. When a state law provides stricter privacy standards than HIPAA, the state law takes precedence.

This is especially important in areas where state legislatures have introduced added safeguards for sensitive categories of information. Common examples include:

  • Mental health records
  • Substance use disorder treatment
  • HIV and other STI status
  • Reproductive health data
  • Minors’ health information

For example, California’s Confidentiality of Medical Information Act (CMIA) offers stricter rules for sharing mental health records than HIPAA. Even if HIPAA would permit a disclosure for treatment, CMIA may require written consent, and California’s rule takes precedence.

HIM professionals cannot assume that a disclosure allowed under HIPAA is automatically permissible. The more restrictive rule must always apply.

What if State Law Doesn’t Address the Full Issue?

What should you do if a state statute addresses one aspect of a privacy issue in greater detail than HIPAA, while leaving other related elements unaddressed?

In these cases, the rules work together, and covered entities must comply with both HIPAA and the more protective portions of the state law. 

Example: A state law may require all PHI transmitted electronically to be encrypted using specific technical standards but make no mention of the accounting of disclosures. In this case, encryption must meet the state’s higher standard, while HIPAA’s requirements for disclosure tracking and patient access still apply.

Generally speaking, apply the stricter rule where it exists, and default to HIPAA where the state law is silent. The two frameworks must be layered for full compliance.

Other HIPAA Exceptions: What HIM Professionals Can Release Without Patient Authorization (And What to Avoid)

HIPAA exceptions keep vital information moving when a disclosure is legally and ethically justified. For HIM professionals, knowing when and how to apply these exceptions is essential. 

Although they are less common than TPO, several other HIPAA exceptions are worth exploring because you may encounter them in day-to-day release-of-information work.

Remember to always seek legal counsel if you’re unsure about HIPAA exceptions or state statutes.

Judicial and Administrative Proceedings

The judicial and administrative proceedings HIPAA exception (45 CFR § 164.512(e)) permits covered entities to disclose PHI during legal proceedings without patient authorization under specific conditions.

Disclosure is permitted in response to:

  • A court or administrative tribunal order, which must specify the exact PHI to be released, or
  • A subpoena, discovery request, or other lawful process, only if the request is accompanied by:
    • Satisfactory proof that the patient was notified and had an opportunity to object, or
    • Satisfactory proof that a qualified protective order has been requested or granted

HIPAA does not authorize disclosure based on a subpoena alone unless one of these safeguards is documented. A subpoena without notice to the patient or a protective order does not meet HIPAA’s requirements.

Before releasing PHI, HIM professionals must:

  • Confirm the legal authority and scope of the request
  • Verify the presence of either patient notice or a valid protective order
  • Retain all supporting documentation to demonstrate compliance

Even when a disclosure is allowed, the information shared must be limited to the PHI explicitly permitted by the legal request.

Example of Correct Use

A court order, signed by a judge, requests emergency department records and radiology images related to a motor vehicle accident. The HIM team confirms the order’s validity and releases only the specified records. A copy of the order is retained in the compliance file, along with a disclosure log detailing the recipient, content, and transmission method.

Example of Incorrect Use

An attorney sends a subpoena from another state requesting full medical records for a personal injury case. There is no judge’s signature, no patient authorization, and no documentation that the patient was notified. To avoid delaying the legal process, the HIM team releases the entire chart, resulting in an impermissible disclosure and a potential OCR investigation.

Law Enforcement Requests

This exception allows covered entities to disclose PHI to law enforcement without patient authorization, but only when specific legal standards are met. 

45 CFR § 164.512(f) permits such disclosures in the following scenarios:

  • Required by law, such as mandatory reporting of injuries like gunshot or stab wounds, suspected child abuse, or threats to public safety
  • In response to legal process, including:
    • A court order, warrant, or subpoena issued by a judge
    • A grand jury subpoena
    • An administrative subpoena or investigative demand, if:
      • The request is relevant and material to a legitimate law enforcement inquiry
      • It is specific and limited in scope
      • De-identified information could not reasonably be used instead
  • For identification or location of a suspect, fugitive, witness, or missing person, with strict limits on what can be disclosed
  • To prevent or reduce a serious and imminent threat to health or safety, based on a provider’s professional judgment

HIM professionals must confirm the legal basis for the request before releasing any information. This includes verifying signatures, confirming the requestor’s authority, and evaluating whether the PHI requested falls within the allowed scope. 

Example of Correct Use

A detective presents a court-ordered warrant requesting emergency room intake logs for a specific date related to a shooting investigation. HIM staff confirm the order, extract only the relevant data (date, time, chief complaint, and disposition), and log the disclosure along with a copy of the warrant.

Example of Incorrect Use

An officer calls the HIM department and requests all records on a suspect. No legal process is presented, and the officer provides only verbal identification. HIM staff send the full chart by email, including mental health notes and unrelated history. This results in an impermissible disclosure and a potential HIPAA violation.

Serious Threat to Health or Safety

This exception permits covered entities to disclose protected health information (PHI) without patient authorization if, in good faith, they believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The disclosure must align with applicable laws and professional ethical standards.

Under 45 CFR § 164.512(j), covered entities may disclose PHI when:

  • The disclosure is necessary to prevent or mitigate a serious and imminent threat to health or safety, and the PHI is shared with a person or organization reasonably able to reduce or respond to the threat (such as law enforcement or the target of the threat); or
  • The disclosure is necessary for law enforcement to identify or apprehend someone who:
    • Has made a credible admission of a violent crime causing serious harm, or
    • Has escaped from lawful custody or a correctional facility

However, disclosures based on a patient’s admission of a violent crime during therapy, counseling, or a referral for such treatment are not permitted unless another permitted condition applies, such as an imminent threat to safety.

Example of Correct Use

A psychiatrist learns that a patient has made specific, credible threats to carry out a school shooting, including identifying the school and a timeframe. Believing the threat to be imminent, the provider notifies local law enforcement and school administrators, sharing only the details necessary to prevent harm.

Example of Incorrect Use

A patient tells their therapist during anger management counseling that they sometimes “imagine hurting people.” The provider, without assessing imminence or severity, shares the patient’s full psychiatric history with law enforcement. The disclosure was not tied to a specific, imminent threat and originated during counseling, making it impermissible under HIPAA.

Other HIPAA Exceptions You May Encounter

While this article focuses on the HIPAA exceptions most relevant to routine HIM workflows, there are additional permitted disclosures under the Privacy Rule that may arise in specific circumstances. 

These situations require the same diligence in documentation, legal validation, and minimum necessary disclosure.

Public Health Activities

PHI may be disclosed to public health authorities for purposes such as disease reporting, tracking adverse events, or notifying individuals of exposure to communicable diseases. The recipient must be legally authorized to collect this data (45 CFR § 164.512(b)).

Health Oversight Activities

Regulatory agencies such as the Office of Inspector General or state licensing boards may request PHI for audits, investigations, or disciplinary actions. Requests should cite a clear oversight function and be limited to the relevant scope (45 CFR § 164.512(d)).

Victims of Abuse, Neglect, or Domestic Violence

In cases where a provider believes an individual is at risk of serious harm, PHI may be disclosed to appropriate authorities. The disclosure must be required or explicitly authorized by law and must be documented thoroughly (45 CFR § 164.512(c)).

Disclosures Related to Decedents

PHI may be shared with coroners, medical examiners, and funeral directors for activities related to death certification or burial. Limited disclosures to family members involved in care may also be allowed unless otherwise restricted by the decedent (45 CFR § 164.512(g)).

Workers’ Compensation Disclosures

PHI may be disclosed without patient authorization if necessary to comply with workers’ compensation laws or similar programs that provide benefits for job-related injuries or illnesses. These disclosures must be limited to the scope of the claim and follow applicable state requirements (45 CFR § 164.512(l)).

Common Misuses of HIPAA Exceptions

Even experienced HIM professionals can make mistakes when interpreting HIPAA exceptions. These errors often stem from time pressure, vague documentation, or assumptions about what a requester is “probably” allowed to receive.

Below are some of the most frequent missteps and what you can do to avoid them.

Misclassifying Data Sharing as “Healthcare Operations”

Many organizations mistakenly label disclosures as “operations” when they actually involve marketing, research, or third-party partnerships.

Why it’s risky: The healthcare operations exception only applies to internal functions like quality improvement, auditing, accreditation, and legal services. It does not cover population outreach, commercial partnerships, or most external analysis.

Real-life scenario: A provider shares de-identified data with a health app developer for future patient engagement. The request is labeled “operations,” but it should have required patient authorization.

How to avoid it: Always confirm the recipient and purpose. If the data leaves the organization or supports non-clinical goals, it likely falls outside the operations scope.

Acting on Incomplete Legal Documentation

Requests from law enforcement or attorneys frequently arrive with incomplete documentation, such as a subpoena without a protective order or patient notice.

Why it’s risky: HIPAA permits disclosures for judicial and law enforcement purposes, but only under specific conditions, such as a signed court order or proper legal assurances.

Real-life scenario: A hospital releases ER visit records to police based on a verbal request and a business card. The officer mentions a case number, but there’s no warrant or legal order.

How to avoid it: Require written legal documentation. If the request is incomplete or vague, escalate to legal or privacy before releasing anything.

Over-Disclosing for Workers’ Compensation or Insurance

Just because a disclosure is permitted for payment or workers’ compensation does not mean the entire medical record should be released.

Why it’s risky: The Minimum Necessary Rule still applies. Oversharing can violate HIPAA and expose sensitive data unrelated to the claim.

Real-life scenario: An employer’s insurance carrier requests documentation for a sprained ankle, and the HIM department sends the full chart, including mental health history and unrelated lab results.

How to avoid it: Limit disclosure to records directly relevant to the claim: typically the date of service, clinical notes, and treatment plans tied to the workplace injury.

Automate Compliance With HIPAA Exceptions

The inbox is full. A subpoena from another state, a time-sensitive workers’ comp claim, a phone call from law enforcement, and a public health reporting notice all land within the same hour. You’re flipping through CFRs, escalating questionable requests, and triple-checking your logs while worrying that one missed detail could mean an OCR audit.

Every request for records is a decision on the clock. Wait too long, and critical care or litigation may be delayed. Move too fast, and you risk violating HIPAA or breaching state law. HIM professionals work in that pressure zone every day, knowing that a single misstep could trigger a patient complaint or an OCR investigation.

Our white-glove ROI specialists review every request, confirm its legal basis, and apply the correct HIPAA exception before anything is released. From subpoenas to safety threats, we handle the gray areas with clarity so your team can stay compliant, protected, and focused on the work that truly matters.

Find out how ChartRequest handles complex compliance challenges for you with a personalized consultation.
