In 2023, a small dental practice in Texas received an OCR investigation notice after a patient complained that the office shared medical records with a family member without authorization. The practice believed it was acting within one of the commonly cited HIPPA exceptions — the informal term many use when searching for situations where HIPAA permits disclosure of protected health information without patient consent. The practice was partially right, but its documentation failures turned a permitted disclosure into a costly compliance lesson.
Before we go further: the correct acronym is HIPAA (Health Insurance Portability and Accountability Act), not "HIPPA." But because so many healthcare professionals search for "HIPPA exceptions," this post addresses the question head-on — using the correct regulatory framework.
What People Mean When They Search for HIPPA Exceptions
When workforce members or compliance officers look up HIPPA exceptions, they are almost always asking the same question: When can we use or disclose PHI without a patient's written authorization?
The answer lives in the HIPAA Privacy Rule at 45 CFR §164.502 and §164.512. These sections outline specific categories of permitted uses and disclosures that do not require individual authorization. Understanding these categories is essential for every covered entity and business associate handling protected health information.
The Six Most Misunderstood Permitted Disclosures Under HIPAA
OCR enforcement actions reveal a pattern: organizations either over-restrict information (harming patient care) or over-disclose it (creating HIPAA violations). Here are the permitted disclosures that cause the most confusion.
1. Treatment, Payment, and Healthcare Operations (TPO)
Under §164.506, a covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations without patient authorization. This is the broadest and most commonly used exception. A hospital can share a patient's records with a consulting specialist. A billing department can submit claims to an insurer.
The mistake I see most often: organizations treating TPO as a blank check. The minimum necessary standard still applies to payment and operations disclosures. Only treatment-related disclosures are exempt from the minimum necessary requirement.
2. Disclosures to the Individual
Under §164.502(a)(1)(i), a covered entity must provide individuals access to their own PHI when requested. This is not optional — it is a right guaranteed by the Privacy Rule. OCR has pursued enforcement actions against organizations that delayed or denied patient access requests, including a notable $160,000 settlement in 2023.
3. Public Health Activities
Section 164.512(b) permits disclosures to public health authorities for disease surveillance, reporting vital events, and tracking FDA-regulated products. During the COVID-19 pandemic, many organizations scrambled to understand this exception because their workforce had never been trained on it.
4. Disclosures for Law Enforcement Purposes
This exception at §164.512(f) is narrowly defined, and it is where I see the most dangerous errors. Law enforcement may obtain PHI only under specific circumstances — for example, in response to a court order or grand jury subpoena, or to identify or locate a suspect — but a badge and a verbal request are not sufficient. Your organization needs clear policies on when and how to respond.
5. Disclosures to Family Members and Caregivers
Section 164.510(b) allows a covered entity to share PHI with a family member, relative, or close personal friend involved in the patient's care — if the patient has been given the opportunity to agree or object. This is exactly the provision the Texas dental practice mentioned above attempted to use, but without documenting the patient's verbal agreement.
6. Disclosures Required by Law
Under §164.512(a), covered entities must disclose PHI when required by federal, state, or local law. This includes mandatory abuse reporting, workers' compensation cases, and certain judicial proceedings. The key is that the law must compel the disclosure — not merely allow it.
The Exception That Does Not Exist: De-identification as a Loophole
Healthcare organizations consistently struggle with the belief that de-identified data is an easy workaround. Under §164.514, HIPAA provides two methods for de-identification: Expert Determination and Safe Harbor. But improperly de-identified data — where zip codes, dates, or rare diagnoses could still identify an individual — is not truly de-identified and remains PHI. OCR has been clear that sloppy de-identification does not qualify as a HIPPA exception.
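As an added example (not part of the original post), the Safe Harbor rules of §164.514(b) applied to a flat patient record: direct identifiers are dropped, ZIP codes are reduced to a three-digit prefix (or "000" for sparsely populated prefixes), dates are reduced to the year, and ages over 89 collapse into "90+". Field names, the sample record and the `as_of` date are constructed assumptions; the restricted-prefix list is the one published in HHS Safe Harbor guidance and should be checked against current guidance before use.

```python
"""Safe Harbor (45 CFR 164.514(b)(2)) generalization for a flat patient record.
Added example, not code from the original post. Field names are assumptions."""
from datetime import date

# Direct identifiers that Safe Harbor requires removing outright (a subset of the 18).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "address", "account_no"}

# Three-digit ZIP prefixes covering 20,000 or fewer people per HHS Safe Harbor
# guidance (2000 Census). These must become "000"; verify against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits; collapse restricted prefixes to 000."""
    prefix = zip_code.strip()[:3]
    return prefix if prefix.isdigit() and prefix not in RESTRICTED_ZIP3 else "000"


def age_on(dob: date, as_of: date) -> int:
    """Completed years between date of birth and the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_age(dob: date, as_of: date) -> str:
    """Ages over 89 must be aggregated into a single '90 or older' category."""
    return "90+" if age_on(dob, as_of) >= 90 else str(age_on(dob, as_of))


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor version of `record`. Note that the 'actual knowledge'
    clause (e.g. a rare diagnosis that still identifies someone) is a human
    judgement and is not something this function can decide."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "dob":
            continue                      # dropped, or handled below
        if field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, date):
            out[field] = str(value.year)  # only the year of any date may remain
        else:
            out[field] = value
    if "dob" in record:
        out["age"] = generalize_age(record["dob"], as_of)
        if age_on(record["dob"], as_of) < 90:
            out["birth_year"] = str(record["dob"].year)  # year is indicative of age >89 otherwise
    return out


# Constructed sample record (not real patient data).
SAMPLE = {"name": "Sample Patient", "mrn": "MRN-0001", "zip": "79001",
          "dob": date(1930, 1, 1), "admit": date(2023, 5, 4), "dx": "J45.20"}
```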
Why Your Notice of Privacy Practices Must Reflect These Exceptions
Your Notice of Privacy Practices (NPP) is required under §164.520 to describe the permitted uses and disclosures your organization may make. If your NPP is a boilerplate template from 2013, it likely fails to address scenarios your workforce encounters daily.
Review your NPP against the actual disclosures your organization makes. If you rely on exceptions for research, public health reporting, or law enforcement cooperation, those categories need to be clearly described in the notice you provide to every patient.
The Workforce Training Requirement Most Organizations Underestimate
Under §164.530(b), every covered entity must train its entire workforce on HIPAA policies and procedures — including which disclosures are permitted and which require authorization. In my work with covered entities, I consistently find that front-desk staff, nurses, and even compliance officers cannot articulate the difference between a permitted disclosure and one requiring written authorization.
This gap is where HIPAA violations happen. A receptionist shares too much with a caller claiming to be a spouse. A nurse faxes complete records to an attorney who only presented a subpoena without a court order. These are preventable failures rooted in inadequate training.
Investing in structured HIPAA training and certification ensures your workforce understands precisely when PHI can be disclosed without authorization — and when it cannot. A single training session at hire is not sufficient. Annual refreshers tied to real scenarios reduce your organization's risk profile dramatically.
Build a Culture That Understands Permitted Disclosures
Knowing the HIPPA exceptions — the correct permitted uses and disclosures under HIPAA — is not just a compliance checkbox. It directly affects patient trust, operational efficiency, and your exposure to OCR enforcement actions. Organizations that embed this knowledge into daily workflows avoid both over-restriction and over-disclosure.
A thorough risk analysis under the Security Rule should evaluate how your organization handles each category of permitted disclosure. Are policies documented? Are workforce members trained on them? Can you demonstrate compliance if OCR comes knocking?
If the answer to any of those questions is uncertain, start by assessing your organization's current compliance posture through HIPAA Certify's workforce compliance platform. The cost of preparation is always less than the cost of an enforcement action.