Avoid HIPAA Violations: What You Can Share Internally and Externally
Knowing what you can share—and when—helps you avoid HIPAA violations while keeping care moving. Protected Health Information (PHI) may be used or disclosed in specific situations, especially for treatment, payment, and healthcare operations. Apply the Minimum Necessary Standard wherever it applies, document decisions, and train staff to act with sound professional judgment.
This guide clarifies when disclosures are allowed internally and externally, how to handle Emergency Disclosure, and what to capture in Patient Authorization or consent so you can support care, protect privacy, and stay compliant.
Sharing PHI with Family and Friends
When you may share
- If the patient is present and agrees verbally or in writing, or you reasonably infer agreement, you may share relevant PHI with family, friends, or others involved in the patient’s care or payment.
- If the patient is not present or is incapacitated, you may disclose relevant PHI based on professional judgment when it is in the patient’s best interests.
- Personal representatives (such as a legal guardian or someone holding a healthcare power of attorney) generally have the same access as the patient, unless restricted by applicable law. You may decline to treat someone as a personal representative if you reasonably believe the patient has been or may be subjected to abuse or endangerment by that person and that honoring the request would not be in the patient's best interests.
Practical safeguards
- Limit discussions to the person’s role in care or payment and follow the Minimum Necessary Standard.
- Verify identity before sharing; avoid detailed voicemail or public-area conversations.
- Be cautious with sensitive topics; if unsure, obtain explicit permission from the patient first.
Sharing PHI for Treatment Purposes
What is permitted
- Disclosures for treatment let you share PHI with other providers and care team members for diagnosis, treatment, care coordination, and referrals, including across different organizations.
- Multidisciplinary rounds, e-prescribing, consultations, and care transitions are included.
Key considerations
- The Minimum Necessary Standard generally does not apply to disclosures to or requests by a healthcare provider for treatment; still disclose only what is relevant to the clinical task.
- Use secure channels (EHR exchanges, secure messaging) and document clinical rationale when appropriate.
Sharing PHI in Emergency Situations
Permissible Emergency Disclosure
- You may share PHI to treat the patient during an emergency or disaster, including with EMS and other first responders.
- When the patient is incapacitated, you may disclose relevant PHI to family or others involved in care based on professional judgment and the patient’s best interests.
- You may disclose PHI to prevent or lessen a serious and imminent threat to health or safety, consistent with applicable law and ethical standards.
Operational tips
- Use “break-glass” access only when needed and log the reason.
- Share only what is required for the emergency at hand and reassess once the patient can participate.
Sharing PHI for Payment and Healthcare Operations
Payment
- Permitted disclosures include eligibility checks, prior authorizations, billing, claims management, and collections.
- Share the minimum necessary to accomplish the payment activity.
Healthcare operations
- Permissible uses include quality assessment, utilization review, auditing, compliance, training, credentialing, and business planning.
- Whenever possible, use de-identified data or a limited data set (which requires a data use agreement with the recipient) to reduce risk while still supporting operations.
Ensuring Compliance with Minimum Necessary Standard
How to operationalize
- Implement role-based access so workforce members see only what they need for their duties.
- Create standard request templates that pre-limit data elements for routine disclosures.
- Adopt a “need-to-know” culture: justify non-routine requests, document approvals, and maintain audit trails.
- Prefer de-identified data or limited data sets with data use agreements when full PHI is unnecessary.
Recognize exceptions
- The Minimum Necessary Standard does not apply to disclosures to or requests by a healthcare provider for treatment, uses or disclosures made to the individual, uses or disclosures made under a valid authorization, disclosures to HHS for compliance investigations, or uses and disclosures required by law.
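The role-based access, pre-limited request templates, audit trail, and logged break-glass access described above can be put together in one access-control gateway. The following is an added example written for this page, not code from Accountable or from any EHR product; the role names, field names, the sample record, and the `PhiGateway` class are constructed for illustration. It encodes the Privacy Rule distinctions the text relies on: provider requests for treatment get the full record (minimum necessary does not apply), routine payment and operations requests are filtered to the requester's role, emergency access is allowed only with a recorded reason, and every decision is written to an audit log.

```python
"""Role-based, minimum-necessary PHI release with a logged break-glass path.

Illustrative example only (not production code). Roles, field names and the
sample record below are constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample record; in practice this comes from the EHR.
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Pat Example",
    "dob": "1980-01-01",
    "insurance_id": "INS-5566",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "billing_codes": ["99213"],
}

# "Standard request template" per role: the data elements a routine
# payment or operations request from that role may receive.
ROLE_FIELDS = {
    "billing_clerk": {"mrn", "name", "dob", "insurance_id", "billing_codes"},
    "quality_analyst": {"mrn", "diagnoses", "medications"},
}

# Roles treated as healthcare providers for the treatment exception.
PROVIDER_ROLES = {"clinician"}


@dataclass
class AccessRequest:
    user: str
    role: str
    purpose: str                        # treatment | payment | operations | emergency
    break_glass_reason: Optional[str] = None


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    purpose: str
    decision: str                       # allow | deny
    fields_released: tuple
    reason: str
    break_glass: bool = False


class PhiGateway:
    """Decides what part of a record a request may receive and logs it."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []

    def request(self, mrn, req):
        """Return the released fields as a dict, or None if denied."""
        record = self._records.get(mrn)
        if record is None:
            return self._log(req, "deny", {}, "no such record")
        if req.purpose == "treatment":
            if req.role not in PROVIDER_ROLES:
                return self._log(req, "deny", {}, "treatment requests only from providers")
            # Minimum necessary does not apply to a provider's treatment request.
            return self._log(req, "allow", dict(record), "treatment: full record")
        if req.purpose == "emergency":
            reason = (req.break_glass_reason or "").strip()
            if not reason:
                return self._log(req, "deny", {}, "break-glass requires a reason")
            return self._log(req, "allow", dict(record), reason, break_glass=True)
        if req.purpose in ("payment", "operations"):
            allowed = ROLE_FIELDS.get(req.role)
            if not allowed:
                return self._log(req, "deny", {}, "role has no routine entitlement")
            data = {k: v for k, v in record.items() if k in allowed}
            return self._log(req, "allow", data, "minimum necessary by role")
        # Anything else (marketing, research without a waiver, ...) needs an authorization.
        return self._log(req, "deny", {}, "purpose not permitted without authorization")

    def break_glass_events(self):
        """Entries a privacy officer should review after the fact."""
        return [e for e in self.audit_log if e.break_glass]

    def _log(self, req, decision, data, reason, break_glass=False):
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=req.user, role=req.role, purpose=req.purpose,
            decision=decision, fields_released=tuple(sorted(data)),
            reason=reason, break_glass=break_glass))
        return data if decision == "allow" else None


if __name__ == "__main__":
    gw = PhiGateway({"000123": SAMPLE_RECORD})
    print(gw.request("000123", AccessRequest("ann", "billing_clerk", "payment")))
    print(gw.request("000123", AccessRequest("nurse_c", "triage_nurse", "emergency",
                                             break_glass_reason="unconscious patient, allergy check")))
    for e in gw.break_glass_events():
        print("REVIEW:", e)
```

The denial paths are where the design earns its keep: a billing clerk asking for "treatment" is refused rather than silently upgraded, and an emergency request with an empty reason is refused so that the audit log always carries something a reviewer can act on.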
Obtaining Patient Consent
Consent vs. Patient Authorization
- Consent covers routine care interactions. HIPAA permits, but does not require, consent for treatment, payment, and healthcare operations; whether it is verbal or written depends on your policy and on any stricter state law.
- Patient Authorization is a specific, written permission required for uses and disclosures not otherwise permitted by HIPAA, such as most marketing, the sale of PHI, and most disclosures of psychotherapy notes.
Elements to include in an authorization
- A specific description of the PHI to be disclosed, who is authorized to disclose it, who will receive it, the purpose (a statement of "at the request of the individual" is sufficient when the patient initiates it), and an expiration date or event.
- Statements about the right to revoke and how to do so, the potential for re-disclosure by the recipient, and whether treatment, payment, enrollment, or eligibility is conditioned on signing (if applicable).
- Patient (or personal representative) signature and date; give the patient a copy and retain the signed authorization for at least six years from its creation or last effective date, whichever is later.
Good practices
- Use plain language forms and confirm the patient understands what will be shared.
- Match disclosures precisely to what the authorization permits; when in doubt, obtain a new authorization.
Sharing PHI with Business Associates
Who are business associates
Vendors that create, receive, maintain, or transmit PHI on your behalf—such as billing services, cloud hosting, analytics providers, and certain consultants—are business associates.
Business Associate Agreement essentials
- Execute a Business Associate Agreement before sharing PHI. It should define permitted uses and disclosures, require appropriate safeguards, mandate reporting of security incidents and breaches of unsecured PHI, require the vendor to support patient access and amendment rights, require return or destruction of PHI at termination where feasible, and flow the same obligations down to subcontractors.
- Apply the Minimum Necessary Standard and share only what the vendor needs. Consider de-identified data when feasible.
- Perform due diligence: evaluate security controls, data locations, and incident response capabilities.
By aligning disclosures to treatment, payment, and healthcare operations, applying the Minimum Necessary Standard, and using Patient Authorization when required, you can avoid HIPAA violations while supporting safe, efficient care.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
What information can be shared without patient authorization?
You may use or disclose PHI for treatment, payment, and healthcare operations without patient authorization, and for certain other permitted or required purposes (such as public health or as required by law). Outside these allowances, obtain a valid Patient Authorization before sharing.
How does the minimum necessary standard affect sharing PHI?
For most non-treatment uses and disclosures, share only the minimum amount of PHI needed to accomplish the purpose. The standard does not apply to disclosures to or requests by providers for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, or uses and disclosures required by law.
Can PHI be shared in emergencies?
Yes. You may make an Emergency Disclosure to treat the patient, inform family or others involved in care when the patient cannot participate, or to prevent a serious and imminent threat, using professional judgment and limiting the information to what is necessary.
How should consent be obtained for sharing PHI?
For routine care interactions, follow your policy for obtaining consent (often verbal or general written consent). For disclosures not otherwise permitted by HIPAA, obtain a specific Patient Authorization that clearly states what PHI will be shared, with whom, for what purpose, and for how long, and retain the signed document.