Guide to Permitted PHI Access, Use, and Disclosure Under HIPAA
Kevin Henry

HIPAA

February 19, 2025

10 minute read

This guide explains when Covered Entities and their business associates may access, use, or share Protected Health Information (PHI) under the HIPAA Privacy Rule. You’ll learn what is permitted, what is required, when Individual Authorization is needed, how the Minimum Necessary Standard works, and the narrow allowances for incidental disclosures.

Use this as a practical reference to design compliant workflows. Always confirm whether stricter state or other federal laws apply to a particular record set or scenario before disclosing PHI.

Permitted Uses and Disclosures

Treatment (T)

You may use and disclose PHI to provide, coordinate, or manage health care. This includes consultations between providers, referrals, care transitions, and emergency treatment. Disclosures for treatment can occur across organizations when necessary to deliver care.

Payment (P)

PHI may be used or disclosed to obtain reimbursement or determine eligibility and coverage—claims submission, prior authorization, utilization review, billing, and collections. Limit such disclosures to what is reasonably necessary for the payment activity.

Health Care Operations (O)

Operations include quality assessment and improvement, case management, accreditation, auditing, legal and compliance functions, training, and business planning. Share only what is needed for the specific operation, and apply role-based access controls.

Business Associates

You may disclose PHI to a business associate that performs services for you (for example, claims processing, IT hosting, analytics), provided you have a written business associate agreement defining permitted uses and safeguards. Business associates must also follow the Minimum Necessary Standard.

De-identified Data and Limited Data Sets

Data that are de-identified are not PHI and may be used or shared without restriction. A limited data set (which excludes direct identifiers) may be used for research, public health, or operations with a data use agreement that restricts re-identification and onward sharing.

Disclosures to the Individual

You may always disclose PHI to the individual who is the subject of the information or to a personal representative. The right of access is discussed in the next section because certain disclosures are not only permitted, but required.

Required Disclosures

To the Individual (Right of Access)

Upon request, you must provide individuals access to PHI in their designated record set and, when requested, send a copy to a designated third party. Provide access in the requested form and format if readily producible, within required time frames, and charge only reasonable, cost-based fees for copies.

To the U.S. Department of Health and Human Services (HHS)

You must disclose PHI to HHS when it is requested to investigate or determine your compliance with HIPAA. Maintain records and cooperation procedures so you can respond promptly and securely.

HIPAA does not require other disclosures. If another law compels a disclosure (for example, a mandatory reporting statute), that disclosure is treated as a permitted disclosure “required by law,” described below.

Disclosures Without Authorization

Required by Law

You may disclose PHI when a statute, regulation, or court order specifically requires it. Disclose only what the law compels and verify the request’s legal authority before releasing information.

Public Health Reporting

Share PHI with public health authorities for disease surveillance, reporting of communicable conditions, reporting of adverse events related to FDA-regulated products, and workplace-related illness reporting where permitted by law. Certain abuse or neglect reports (such as child abuse) may also be made to appropriate authorities.

Health Oversight Activities

Disclose PHI to oversight agencies for audits, inspections, investigations, licensure, or disciplinary actions related to the health care system or government benefits for health.

Judicial and Administrative Proceedings

PHI may be disclosed in response to a court or administrative order. For subpoenas or similar requests without a court order, additional conditions apply (for example, notice to the individual or a qualified protective order) before disclosure.

Law Enforcement Disclosures

Limited PHI may be shared for specific law enforcement purposes, such as complying with a court order or warrant, locating a suspect or missing person (limited to a restricted set of identifiers), reporting certain crimes on your premises, or responding to a medical emergency when a crime is suspected. Disclose the minimum necessary and confirm that the request meets HIPAA’s conditions before releasing anything.

Research

PHI may be used or disclosed for research without Individual Authorization if an Institutional Review Board or privacy board grants a waiver, for reviews preparatory to research (where the PHI is not removed from the covered entity), for research solely on decedents, or by using a limited data set with a data use agreement.

Averting a Serious Threat

You may disclose PHI in good-faith judgment to prevent or lessen a serious and imminent threat to a person or the public, consistent with applicable law and ethical standards.

Specialized Government Functions

Certain disclosures are permitted for military command authorities, national security and intelligence, protective services for officials, and lawful custodial situations involving inmates, when specific conditions are met.

Workers’ Compensation

PHI may be disclosed as authorized by and to the extent necessary to comply with workers’ compensation or similar laws.

Decedents and Organ Donation

Disclose PHI to coroners, medical examiners, and funeral directors, and to organ procurement organizations to facilitate organ, eye, or tissue donation and transplantation.

Proof of Immunization to Schools

You may disclose proof of a student’s immunization to a school that is required by law to have it, with the agreement of a parent, guardian, or the adult student; written authorization is not required for this narrow purpose.

Always document your legal basis, apply the Minimum Necessary Standard when applicable, and check for stricter state confidentiality rules before disclosing.

Incidental Uses and Disclosures

Incidental disclosures are unintended by-products of an otherwise permitted use or disclosure, such as a name briefly overheard at a nurses’ station. They are allowed only when you have applied reasonable safeguards and the Minimum Necessary Standard. A disclosure that results from a lack of safeguards, or from exposing more PHI than the activity required, is not incidental.

Examples and Practical Safeguards

  • Use low voices in public areas; avoid discussing PHI in hallways or elevators; and position workstations to reduce screen visibility.
  • Use privacy curtains, queue-management that avoids full names when possible, and secure fax/email settings with verification steps.
  • Configure role-based EHR access; mask extraneous data in routine workflows; and train staff to avoid leaving PHI unattended.

Minimum Necessary Standard

The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to what is reasonably necessary to achieve the purpose. Build processes that default to data minimization for routine and non-routine activities.

Key Exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to the individual (or personal representative).
  • Uses or disclosures made pursuant to an Individual Authorization.
  • Disclosures to HHS for compliance review, and disclosures required by law.

Implementing Minimum Necessary

  • Adopt role-based access and “need-to-know” permissions for workforce and business associates.
  • Define standard data elements for routine disclosures; require higher-level approval for non-routine requests.
  • Prefer de-identified data or a limited data set with a data use agreement when full PHI is not needed.
  • Use EHR features (filters, masking, break-the-glass) to reduce over-disclosure and log access.
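The access-control items above (role-based, need-to-know permissions; standard data elements for routine uses; masking; break-the-glass with access logging) can be expressed as a small gate that sits in front of the record store. The following Python is an added example, not code from the original article or from Accountable; the roles, field names, masking rules and the sample record are all constructed for illustration, and a real EHR would load the policy from configuration rather than hard-coding it.

```python
"""Role-based minimum-necessary filtering with masking and break-the-glass.

Added example, not code from the original article. Roles, field names,
masking rules and the sample record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample row from a designated record set (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "dob": "1980-04-02",
    "ssn": "123-45-6789",
    "diagnoses": ["E11.9"],
    "medications": ["metformin 500 mg"],
    "insurance_id": "INS-998877",
    "billing_balance": 120.50,
}

# Standard data elements for routine uses, keyed by workforce role (constructed
# policy). Each entry is (fields returned in clear, fields returned masked).
# Anything not listed is withheld, so the default is data minimization.
ROLE_POLICY = {
    "treating_clinician": ({"mrn", "name", "dob", "diagnoses", "medications"}, set()),
    "billing": ({"mrn", "name", "insurance_id", "billing_balance", "diagnoses"}, {"dob", "ssn"}),
    "scheduler": ({"mrn", "name"}, {"dob"}),
    "quality_auditor": ({"mrn", "diagnoses", "medications"}, set()),
}


def mask(field_name: str, value: str) -> str:
    """Partial masking so a workflow can confirm identity without full exposure."""
    if field_name == "ssn":
        return "***-**-" + value[-4:]
    if field_name == "dob":
        return value[:4] + "-**-**"
    return "***"


@dataclass
class AccessEvent:
    when: str
    user: str
    role: str
    mrn: str
    fields_returned: list
    break_glass: bool
    reason: str = ""


@dataclass
class MinimumNecessaryGate:
    """Filters a record to the role's standard elements and logs every access."""
    audit_log: list = field(default_factory=list)

    def view(self, record: dict, user: str, role: str,
             break_glass_reason: Optional[str] = None) -> dict:
        if role not in ROLE_POLICY:
            # No policy means no access: an unknown role must not fall through to full data.
            raise PermissionError(f"no minimum-necessary policy defined for role {role!r}")
        clear, masked = ROLE_POLICY[role]
        break_glass = break_glass_reason is not None
        if break_glass:
            # Break-the-glass: the full record is released, but only with a documented
            # reason, and the event is flagged for after-the-fact review.
            if len(break_glass_reason.strip()) < 10:
                raise ValueError("break-the-glass access requires a documented reason")
            clear, masked = set(record), set()
        out = {}
        for name, value in record.items():
            if name in clear:
                out[name] = value
            elif name in masked:
                out[name] = mask(name, value)
        # Every view is logged, including the fields actually returned.
        self.audit_log.append(AccessEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, mrn=record["mrn"],
            fields_returned=sorted(out), break_glass=break_glass,
            reason=break_glass_reason or "",
        ))
        return out


if __name__ == "__main__":
    gate = MinimumNecessaryGate()
    print(gate.view(SAMPLE_RECORD, "s.jones", "scheduler"))
    print(gate.view(SAMPLE_RECORD, "b.smith", "billing"))
    print(gate.view(SAMPLE_RECORD, "dr.lee", "treating_clinician",
                    "ED arrival, unresponsive, no assigned provider"))
    for event in gate.audit_log:
        print(event)
```

The design choice worth noting is the fail-closed default: a role with no entry in the policy gets nothing rather than everything, and break-the-glass widens access only in exchange for a recorded reason and a flagged audit entry that a reviewer can later sample.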

Authorization Requirements

When a use or disclosure is not otherwise permitted, a valid Individual Authorization is required. Common examples include most third-party requests unrelated to treatment, payment, or operations; marketing; sale of PHI; and most uses of psychotherapy notes.

Elements of a Valid Authorization

  • Specific description of the PHI to be used or disclosed and the purpose.
  • Who may disclose and who may receive the PHI.
  • Expiration date or event, signature, and date.
  • Statements about the right to revoke, potential for re-disclosure by the recipient, and any applicable conditions (for example, remuneration for marketing or sale of PHI).

Operational Tips

  • Verify the requestor’s identity, ensure scope matches the authorization, and disclose only authorized data.
  • Track expirations and revocations; retain authorization records; and train staff to recognize invalid or incomplete forms.
  • Apply additional protections required by stricter state laws or other federal rules before releasing sensitive categories of information.
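The elements of a valid authorization and the operational tips above translate into a check that runs before any release made under an authorization: confirm the required elements are present, confirm it is neither expired nor revoked, confirm the requester is the named recipient, and then release only the authorized elements. The following Python is an added example, not the article's or Accountable's code; the Authorization fields, the sample record, and all names and dates are constructed, and the purpose labels "marketing" and "sale_of_phi" are assumed conventions rather than anything the article defines.

```python
"""Checking an Individual Authorization before a scoped disclosure.

Added example, not code from the original article. The record, names,
dates and purpose labels are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    authorization_id: str
    patient_id: str
    phi_elements: frozenset          # specific description of the PHI covered
    purpose: str
    disclosing_party: str
    recipient: str
    signature: str
    signed_on: Optional[date]
    expiration_date: Optional[date] = None
    expiration_event: Optional[str] = None
    revocation_statement: bool = False     # right-to-revoke statement present
    redisclosure_statement: bool = False   # re-disclosure warning present
    remuneration_statement: bool = False   # needed when marketing/sale involves payment
    revoked_on: Optional[date] = None


def validity_problems(auth: Authorization, today: date) -> list:
    """Return every reason the authorization cannot support a disclosure today."""
    problems = []
    if not auth.phi_elements:
        problems.append("no specific description of the PHI to be disclosed")
    if not auth.purpose:
        problems.append("no stated purpose")
    if not auth.disclosing_party or not auth.recipient:
        problems.append("disclosing party or recipient missing")
    if auth.expiration_date is None and not auth.expiration_event:
        problems.append("no expiration date or event")
    if auth.expiration_date is not None and auth.expiration_date < today:
        problems.append("authorization expired")
    if not auth.signature or auth.signed_on is None:
        problems.append("not signed and dated")
    if not auth.revocation_statement:
        problems.append("missing statement of the right to revoke")
    if not auth.redisclosure_statement:
        problems.append("missing statement about re-disclosure by the recipient")
    # Assumed purpose labels; the remuneration statement applies to these cases.
    if auth.purpose in ("marketing", "sale_of_phi") and not auth.remuneration_statement:
        problems.append("marketing/sale of PHI without a remuneration statement")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        problems.append("authorization revoked")
    return problems


def disclose(record: dict, auth: Authorization, requester: str, today: date) -> dict:
    """Release only the authorized elements, and only to the named recipient."""
    problems = validity_problems(auth, today)
    if problems:
        raise PermissionError("invalid authorization: " + "; ".join(problems))
    if requester != auth.recipient:
        raise PermissionError(f"requester {requester!r} is not the authorized recipient")
    if record["patient_id"] != auth.patient_id:
        raise PermissionError("authorization does not cover this patient")
    # Scope check: release exactly the authorized elements, nothing else.
    return {k: v for k, v in record.items() if k in auth.phi_elements}


# Constructed sample inputs (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "PT-42",
    "name": "Jane Example",
    "immunizations": ["MMR 1981-05-01"],
    "diagnoses": ["E11.9"],
    "ssn": "123-45-6789",
}

SAMPLE_AUTH = Authorization(
    authorization_id="AUTH-2025-001",
    patient_id="PT-42",
    phi_elements=frozenset({"name", "immunizations"}),
    purpose="employment_physical",
    disclosing_party="Example Clinic",
    recipient="Example Employer Health Office",
    signature="Jane Example",
    signed_on=date(2025, 1, 10),
    expiration_date=date(2025, 12, 31),
    revocation_statement=True,
    redisclosure_statement=True,
)

# A marketing authorization that omits the remuneration statement (constructed).
MARKETING_AUTH_INCOMPLETE = Authorization(
    authorization_id="AUTH-2025-002", patient_id="PT-42",
    phi_elements=frozenset({"name"}), purpose="marketing",
    disclosing_party="Example Clinic", recipient="Example Vendor",
    signature="Jane Example", signed_on=date(2025, 1, 10),
    expiration_event="end of campaign",
    revocation_statement=True, redisclosure_statement=True,
)

if __name__ == "__main__":
    print(disclose(SAMPLE_RECORD, SAMPLE_AUTH, "Example Employer Health Office", date(2025, 2, 19)))
    print(validity_problems(MARKETING_AUTH_INCOMPLETE, date(2025, 2, 19)))
```

Because `validity_problems` returns every defect rather than stopping at the first, staff reviewing a rejected form see the complete list of what is missing, which is the training signal the operational tips call for; the scope filter in `disclose` is what keeps a valid authorization from becoming a full-record export.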

Opportunity to Agree or Object

In limited situations, you may use or disclose PHI after giving the individual a chance to agree or object, or based on professional judgment when the individual is not present or incapacitated.

Facility Directory

Unless the patient objects, you may include name, location in the facility, general condition, and religious affiliation in a directory. Religious affiliation may be disclosed to clergy; other directory elements may be provided to those who ask for the patient by name.

Involvement in Care and Notification

You may share relevant PHI with family members, friends, or others identified by the patient who are involved in care or payment, and use PHI to notify or assist in notifying such persons of a patient’s location, condition, or death.

Disaster Relief

PHI may be shared with disaster relief organizations to coordinate notification efforts, consistent with the individual’s known preferences and safety considerations.

If the Individual Is Unavailable or Incapacitated

When the patient cannot agree or object, you may use professional judgment to determine whether a disclosure is in the patient’s best interests and disclose only what is relevant to that person’s involvement.

Summary: HIPAA permits broad sharing for treatment, targeted sharing for payment and operations, and specific public-interest disclosures without authorization. Apply the Minimum Necessary Standard, obtain Individual Authorization when required, and offer opportunities to agree or object where the rule allows. Consistent safeguards and documentation keep your uses and disclosures both compliant and patient-centered.

FAQs

What PHI uses are allowed without individual authorization?

Without Individual Authorization, you may use and disclose PHI for treatment, payment, and health care operations; to the individual; to HHS for compliance; and for defined public-interest purposes, including Public Health Reporting, Health Oversight Activities, certain Law Enforcement Disclosures, judicial or administrative proceedings, research with IRB/privacy board waiver or a limited data set, specialized government functions, workers’ compensation, organ and tissue donation, and limited disaster relief and notification activities. Incidental disclosures are allowed only when safeguards and the Minimum Necessary Standard are in place.

When must PHI be disclosed to individuals or HHS?

You must disclose PHI to individuals who request access to their designated record set (and to a designee at their direction) and to HHS when requested for a HIPAA compliance investigation or review. Provide access in the requested form and format if readily producible, within required time frames, and charge only reasonable, cost-based fees.

What disclosures of PHI are permitted without prior authorization?

Disclosures without prior authorization include those required by law; Public Health Reporting; Health Oversight Activities; certain Law Enforcement Disclosures that meet HIPAA’s conditions; judicial or administrative proceedings; research with an IRB/privacy board waiver or using a limited data set; disclosures to avert a serious threat; specialized government functions; workers’ compensation programs; disclosures to coroners, medical examiners, funeral directors, and organ procurement organizations; and proof of immunization to schools with the required agreement.

What protections apply to incidental disclosures of PHI?

Incidental disclosures are permissible only when they occur as a by-product of an otherwise permitted use or disclosure, you have implemented reasonable administrative, physical, and technical safeguards, and you limit PHI to the minimum necessary. If a disclosure stems from inadequate safeguards or unnecessary exposure, it is not incidental and must be treated as a potential breach.