45 CFR 164.506 Explained: When HIPAA Allows Use and Disclosure of PHI for Treatment, Payment, and Health Care Operations
Permitted Uses and Disclosures
What 45 CFR 164.506 allows
Under 45 CFR 164.506, a covered entity may use or disclose protected health information (PHI) for its own treatment, payment, and health care operations—often called “TPO”—without patient authorization. This provision is the core HIPAA pathway that lets care teams coordinate services, submit claims, and run essential administrative functions.
Sharing PHI across organizations
The rule also permits targeted disclosures to other organizations for TPO. You may disclose PHI to another health care provider for that provider’s treatment activities, to another covered entity or provider for payment activities, and—under specific conditions—for certain health care operations of another covered entity when both parties have or had a relationship with the patient and the information relates to that relationship.
Minimum necessary and practical safeguards
The minimum necessary standard applies to payment and operations, but not to treatment disclosures. Even so, you should apply role-based access, need-to-know decisions, and reasonable safeguards (for example, speaking quietly in public areas and using secure transmission methods). Incidental disclosures that occur despite such safeguards are permitted.
Common, permitted examples
- Coordinating care, referrals, consultations, and e-prescribing between providers.
- Payment activities such as eligibility checks, claims submission, utilization review, medical necessity review, and collections.
- Health care operations like quality improvement, accreditation, auditing, compliance, training, and credentialing.
- Disclosures to business associates that perform TPO services under a business associate agreement.
Consent Requirements
Consent vs. authorization vs. acknowledgment
HIPAA does not require patient consent to use or disclose PHI for TPO under 45 CFR 164.506. By contrast, patient authorization is a specific, detailed permission that is required for many uses or disclosures outside TPO. Separately, you must provide a Notice of Privacy Practices and make a good-faith effort to obtain written acknowledgment of receipt.
When authorization is required
You need patient authorization for uses or disclosures not covered by TPO, including most marketing communications, the sale of PHI, psychotherapy notes (with narrow exceptions), and many research purposes unless an IRB or privacy board has approved a waiver. If your intended use is not TPO or another HIPAA permission, obtain authorization first.
Patient-requested limits
Patients may request restrictions on certain uses or disclosures. You must honor a request not to disclose PHI to a health plan about a specific item or service when the patient pays for that item or service in full out of pocket, as long as the disclosure is for payment or health plan operations and not otherwise required by law.
Policy and state-law overlays
Organizations may choose to ask for consent as a policy choice, and some state laws impose stricter consent rules for sensitive information. Your HIPAA compliance program should align federal rules, state requirements, and internal policies before you rely on TPO.
Treatment Activities
What counts as treatment
Treatment includes the provision, coordination, or management of health care and related services. That covers consultations among providers, referrals, care planning, and sharing clinical data needed to deliver care. A treatment disclosure to another provider does not require patient authorization.
Operational examples in care delivery
- Sending consult notes, imaging, labs, or discharge summaries to a receiving specialist.
- Medication history checks and e-prescribing with pharmacies.
- Care coordination across hospitals, clinics, and post-acute facilities, including via a health information exchange.
- Using EHR vendors, e-prescribing networks, or secure messaging platforms acting as business associates.
Right-sizing the information shared
Although minimum necessary does not apply to treatment, you should still share information that is relevant and appropriate for the clinical purpose. Good documentation and access controls help ensure disclosures remain aligned with patient care needs.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Health Care Operations
Definition and scope
Health care operations are activities that support running your organization. Examples include quality assessment and improvement, patient safety activities, case management that is not part of active treatment, training, accreditation, credentialing, underwriting, legal services, auditing, and compliance monitoring.
Disclosing for another entity’s operations
You may disclose PHI for certain health care operations of another covered entity when both entities have or had a relationship with the patient, the PHI pertains to that relationship, and the purpose fits within permitted operations (such as quality improvement, accreditation, or fraud and abuse detection). The minimum necessary standard applies.
Boundaries and special data sets
Health care operations do not include impermissible marketing and do not override rules requiring authorization. When possible, use de-identified data or a limited data set with a data use agreement to reduce privacy risk while supporting operational analytics.
Organized Health Care Arrangements
What an OHCA is
An organized health care arrangement (OHCA) is a formal grouping—such as a hospital and its medical staff, a clinically integrated network, or a group health plan with an insurer—whose participants present themselves as a single organized system for care or share activities. Within an OHCA, participants may share PHI for the arrangement’s treatment, payment, and health care operations consistent with a joint Notice of Privacy Practices.
How PHI flows inside an OHCA
- Shared treatment workflows across participating providers, including cross-coverage and care transitions.
- Centralized payment activities, such as preauthorization and claims support handled by a joint service center.
- Unified health care operations like quality improvement, credentialing, compliance, and risk management, subject to minimum necessary.
Governance and safeguards
Each participant remains a covered entity with its own compliance obligations. Role-based access, audit logging, and business associate agreements for supporting vendors still apply. The joint NPP should clearly describe how PHI is shared within the organized health care arrangement.
Key takeaways
- 45 CFR 164.506 authorizes TPO uses and disclosures without patient authorization.
- Treatment disclosures can be more expansive; payment and operations must satisfy minimum necessary.
- OHCAs enable efficient sharing for collective treatment, payment activities, and operations under a joint framework.
FAQs
When can PHI be disclosed without patient authorization?
You may disclose PHI without patient authorization for treatment, payment, and health care operations under 45 CFR 164.506. HIPAA also permits certain other disclosures without authorization, such as those required by law, for public health reporting, health oversight, judicial and administrative proceedings, law enforcement in defined circumstances, organ and tissue donation, averting serious threats to health or safety, and workers’ compensation programs. Always confirm whether the disclosure fits a specific HIPAA permission and apply minimum necessary where required.
What are the requirements for patient consent under HIPAA?
HIPAA does not require consent to use or disclose PHI for TPO. You must provide a Notice of Privacy Practices and make a good-faith effort to obtain acknowledgment of receipt. If a use or disclosure is outside TPO and no other HIPAA permission applies, obtain a valid patient authorization. Organizations may adopt stricter consent policies, and some state laws impose additional consent requirements.
How do organized health care arrangements affect PHI disclosure?
In an OHCA, participating covered entities may share PHI for the arrangement’s treatment, payment activities, and health care operations as described in the joint NPP. The participants still apply minimum necessary to operations disclosures, maintain role-based access, and use business associate agreements for vendors supporting the OHCA.
When is PHI disclosure allowed for health care operations?
Disclosures for operations are allowed when they support functions like quality improvement, accreditation, auditing, compliance, training, and business planning. You may also disclose PHI for certain operations of another covered entity if both entities have or had a relationship with the patient, the PHI pertains to that relationship, and the purpose fits permitted operations. Apply the minimum necessary standard and verify that the activity is not marketing or another use that requires authorization.