45 CFR 164.502 Explained: HIPAA’s General Rules for Uses and Disclosures of PHI

Kevin Henry

HIPAA

August 31, 2025


45 CFR 164.502 sets the baseline for how you may use and disclose Protected Health Information (PHI). It tells Covered Entities and their Business Associates when sharing PHI is permitted, when it is required, and when it is prohibited, while anchoring everything to the Minimum Necessary Standard and sound safeguards.

General Rule for Use and Disclosure of PHI

The general rule is simple: you may not use or disclose PHI except as 45 CFR 164.502 permits or requires, or when the individual authorizes it in writing. If a use or disclosure is allowed, you must still apply the Minimum Necessary Standard unless an exception applies.

Who must follow the rule

Covered Entities—health plans, most health care providers, and health care clearinghouses—and their Business Associates must follow 45 CFR 164.502. Business Associates may create, receive, maintain, or transmit PHI only as allowed by a written agreement and the Privacy Rule.

What counts as PHI

PHI is individually identifiable health information in any form or medium that relates to a person’s health, care, or payment for care. De-identified information is not PHI and is outside these restrictions.

How the rule operates

Under 45 CFR 164.502, uses and disclosures fall into three buckets: permitted (no Authorization required), required (you must disclose), and those that need a valid Authorization. Authorization Requirements apply to many non-routine uses, such as certain marketing or sale of PHI.

Permitted Uses and Disclosures

Treatment, payment, and health care operations (TPO)

You may use and disclose PHI for treatment (care coordination and consultations), payment (billing, claims management), and health care operations (quality review, auditing). Authorizations are not required for TPO, and the Minimum Necessary Standard applies to payment and operations.

Public interest and benefit purposes

  • Public health activities (e.g., reporting certain diseases or adverse events).
  • Health oversight (audits, inspections, and HIPAA Compliance Investigations by authorities).
  • Judicial and administrative proceedings and certain law enforcement purposes as allowed by the rule.
  • Organ, eye, or tissue donation; decedent and cadaveric research contexts.
  • Averting a serious threat to health or safety.
  • Specialized government functions (e.g., military, national security) and workers’ compensation programs.

With the individual’s opportunity to agree or object

You may disclose limited PHI for facility directories and to family, friends, or others involved in care when the individual agrees, does not object, or you can reasonably infer permission.

With a valid Authorization

When a use or disclosure is not otherwise permitted, you must obtain a valid, written Authorization that specifically describes the information, purpose, recipient, expiration, and the individual’s right to revoke. This is central to the Authorization Requirements under HIPAA.

De-identified information and limited data sets

You may freely use or disclose de-identified data. Limited data sets (with certain direct identifiers removed) may be shared for research, public health, or health care operations under a data use agreement.

Required Disclosures

45 CFR 164.502 requires only two disclosures: (1) to the individual (or personal representative) when they request access to their own PHI or an accounting of disclosures, and (2) to the U.S. Department of Health and Human Services for HIPAA Compliance Investigations, reviews, or enforcement actions.

Other disclosures “required by law” may be mandated by separate statutes or regulations, but under HIPAA they are treated as permitted rather than required by 164.502 itself.


Minimum Necessary Standard

The Minimum Necessary Standard requires you to make reasonable efforts to limit PHI to the least amount needed to accomplish the purpose. It applies to most uses, disclosures, and requests you initiate.

How to meet the standard

  • Adopt role-based access so workforce members see only what their jobs require.
  • Use policies for routine, recurring disclosures and case-by-case review for non-routine ones.
  • Prefer de-identified data or a limited data set when feasible.
  • Apply technical, physical, and administrative safeguards that reinforce least-necessary access.

Key exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to the individual who is the subject of the PHI.
  • Uses or disclosures made pursuant to a valid Authorization.
  • Disclosures required by law.
  • Disclosures to HHS for compliance and enforcement.
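As an added illustration of how the three buckets (permitted, required, Authorization) and the role-based, minimum-necessary filtering with its exceptions fit together in an access layer, the following Python is example code written for this page; it is not the article's or Accountable's code. The purposes, role-to-field map, and the patient record are constructed for the example, and the roles ("billing_clerk", "quality_reviewer") are hypothetical.

```python
"""Purpose-of-use check plus minimum-necessary field filtering.

Added example; not the article's or Accountable's code. The role map,
purposes and sample record below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    TO_INDIVIDUAL = "to_individual"      # access / accounting request
    HHS_ENFORCEMENT = "hhs_enforcement"  # compliance investigation
    REQUIRED_BY_LAW = "required_by_law"
    MARKETING = "marketing"              # needs Authorization


# The only two disclosures 164.502 itself requires.
REQUIRED = {Purpose.TO_INDIVIDUAL, Purpose.HHS_ENFORCEMENT}
# Permitted without Authorization: TPO and "required by law".
PERMITTED = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS,
             Purpose.REQUIRED_BY_LAW}
# Purposes where the Minimum Necessary Standard does not apply.
MIN_NECESSARY_EXEMPT = {Purpose.TREATMENT, Purpose.TO_INDIVIDUAL,
                        Purpose.REQUIRED_BY_LAW, Purpose.HHS_ENFORCEMENT}

# Constructed role-to-field map (hypothetical roles): each role sees only
# the fields its job needs.
ROLE_FIELDS = {
    "billing_clerk": {"patient_id", "name", "insurance_id",
                      "procedure_codes", "charges"},
    "quality_reviewer": {"patient_id", "procedure_codes", "outcome"},
}

# Constructed sample record.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "insurance_id": "INS-0001",
    "procedure_codes": ["99213"],
    "charges": 150.0,
    "diagnosis": "example diagnosis",
    "outcome": "improved",
}


@dataclass
class Decision:
    bucket: str       # permitted | required | authorized | prohibited
    fields: dict      # what is actually released
    log: list         # the decision trail to keep for documentation


def classify(purpose, has_authorization):
    """Map a purpose of use onto the 164.502 buckets."""
    if purpose in REQUIRED:
        return "required"
    if purpose in PERMITTED:
        return "permitted"
    if has_authorization:
        return "authorized"
    return "prohibited"


def disclose(record, role, purpose, has_authorization=False):
    """Return the fields that may be released for this role and purpose."""
    bucket = classify(purpose, has_authorization)
    log = [f"purpose={purpose.value} role={role} bucket={bucket}"]
    if bucket == "prohibited":
        log.append("denied: no permitted path and no valid Authorization")
        return Decision(bucket, {}, log)
    # Minimum necessary is skipped for the listed exceptions and for
    # disclosures made under a valid Authorization.
    if purpose in MIN_NECESSARY_EXEMPT or bucket == "authorized":
        log.append("minimum necessary not applied (exception)")
        return Decision(bucket, dict(record), log)
    allowed = ROLE_FIELDS.get(role, set())
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    log.append(f"minimum necessary applied; withheld={withheld}")
    return Decision(bucket, released, log)


if __name__ == "__main__":
    for case in [("billing_clerk", Purpose.PAYMENT, False),
                 ("billing_clerk", Purpose.MARKETING, False),
                 ("billing_clerk", Purpose.MARKETING, True),
                 ("quality_reviewer", Purpose.TO_INDIVIDUAL, False)]:
        d = disclose(SAMPLE_RECORD, *case)
        print(d.bucket, sorted(d.fields), d.log)
```

An unknown role falls through to an empty field set, so a missing role mapping fails closed rather than releasing the whole record; the `log` list is the decision trail the conclusion asks you to keep.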

Incidental Uses and Disclosures

Incidental disclosures are allowed when they occur as a byproduct of an otherwise permitted or required use or disclosure, provided you implement reasonable safeguards and follow the Minimum Necessary Standard.

Examples

  • A visitor overhears a provider quietly speaking with a patient in a semi-private area.
  • Names called in a waiting room or a limited sign-in sheet visible at check-in.
  • Another patient glimpses a screen with minimal information before a privacy filter is adjusted.

Safeguards to keep disclosures incidental

  • Speak softly in public settings and avoid discussing sensitive details where others can hear.
  • Use screen privacy filters and position monitors away from public view.
  • Secure paper records, shred promptly, and use secure messaging for PHI.
  • Train workforce members to recognize and minimize incidental exposure.

Prohibited Uses and Disclosures

45 CFR 164.502 prohibits using or disclosing PHI beyond what the Privacy Rule permits or what a valid Authorization allows. Key prohibitions include:

  • Marketing communications that require Authorization (e.g., most paid promotions).
  • Sale of PHI without a specific Authorization.
  • Most uses and disclosures of psychotherapy notes without a separate Authorization.
  • Genetic Information Underwriting Restrictions: health plans may not use or disclose genetic information for underwriting purposes.
  • Using PHI for employment decisions or other non-health care purposes without Authorization.
  • Ignoring agreed-upon restrictions or exceeding the Minimum Necessary Standard.

Conclusion

In practice, 45 CFR 164.502 asks you to start with “no disclosure,” then move to “permit, require, or authorize” based on purpose. If you confirm a permitted path, disclose only the minimum necessary, apply safeguards, and document decisions—especially when relying on Authorization Requirements—you will stay aligned with HIPAA’s core privacy protections for PHI.

FAQs

What is the general rule for disclosing PHI under 45 CFR 164.502?

The rule states you may not use or disclose PHI unless the Privacy Rule permits or requires it, or the individual provides a valid written Authorization. Even when permitted, you generally must follow the Minimum Necessary Standard and apply reasonable safeguards.

When are covered entities required to disclose PHI?

Only in two situations: to the individual (or personal representative) upon request for access or an accounting, and to the U.S. Department of Health and Human Services for HIPAA Compliance Investigations, reviews, or enforcement.

What is the minimum necessary standard in PHI disclosures?

It requires you to limit PHI to the least amount reasonably necessary to achieve the purpose of the use, disclosure, or request. It has narrow exceptions, including treatment, disclosures to the individual, uses or disclosures with Authorization, those required by law, and those to HHS for enforcement.

What uses and disclosures of PHI are prohibited under 45 CFR 164.502?

Prohibited activities include disclosing PHI for purposes not permitted by the Privacy Rule or an Authorization, marketing or sale of PHI without Authorization, most disclosures of psychotherapy notes without a specific Authorization, and using genetic information for underwriting by health plans. Exceeding the Minimum Necessary Standard or violating agreed restrictions is also prohibited.
