HIPAA: Privacy rule exclusions

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”). The Privacy Rule established a set of national standards for the protection of certain health information. The Privacy Rule addresses the use and disclosure of individuals’ health information (“protected health information”, PHI) and the standards for individuals’ privacy rights to understand and control how their health information is used. The Privacy Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form (“covered entities”).

PHI is all “individually identifiable health information” in any form or media including demographic data of the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. This includes common identifiers (name, address, birthdate, social security number, etc.).

The Privacy Rule permits covered entities to disclose protected health information, without the individual’s authorization, to persons or entities for purposes including:

  • Required by law, or for judicial and administrative proceedings
  • Prevention or control of disease, injury, or disability
  • Child or adult abuse, neglect, or domestic violence
  • Quality, safety or effectiveness of a product or activity regulated by the FDA
  • Persons at risk of contracting or spreading a disease
  • Workplace medical surveillance (e.g., workers’ compensation systems, OSHA compliance, etc.)
  • Specific law enforcement purposes
  • Cadaveric organ, eye, or tissue donations
  • Research purposes with IRB or privacy board approval
  • Historical purposes regarding decedents after 50 years following the date of death
  • Serious threat to health or safety to a person or public

There is no restriction on disclosure of de-identified health information.

Defined by:  Eric Lin, MD