HIPAA-Compliant Patient Disclosures: What You Can Say, What You Can’t
If you handle patient information, you face daily judgment calls about what you can share, with whom, and how. This guide translates HIPAA-compliant patient disclosures into practical steps so you can communicate clearly while protecting privacy and minimizing risk.
Protected Health Information and Identification
Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care—and that can identify the person. PHI exists when this information is created, received, maintained, or transmitted by a covered entity or business associate.
Not all health data is PHI. Employment records held by an employer, education records covered by FERPA, and de-identified data fall outside HIPAA. Context matters: the same data may be PHI in a medical record but not PHI in a consumer app that is not acting for a covered entity.
Direct and indirect identifiers
Identification risk hinges on identifiers. Under the safe harbor approach, data remains identifiable unless all 18 of the following identifiers are properly removed:
- Names
- Geographic data smaller than a state (addresses, city, ZIP—subject to aggregation rules)
- All elements of dates (except year) tied to an individual; ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (finger/voice prints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
You should treat combinations of data with caution; even if a direct identifier is absent, unique combinations can re-identify someone. Build workflows that assume PHI unless you have verified otherwise.
Routine Uses and Permitted Disclosures
HIPAA permits disclosures without written authorization for treatment, payment, and healthcare operations (often called TPO). A Healthcare Operations Disclosure covers activities such as quality assessment, case management, accreditation, auditing, and training—so long as you apply the Minimum Necessary Standard when required.
Common permitted disclosures beyond TPO
- Public health reporting (e.g., certain infections, immunizations, adverse events)
- Health oversight activities (audits, inspections, licensure)
- Judicial and administrative proceedings (in response to valid process)
- Law enforcement purposes (specific, limited circumstances)
- Coroners, medical examiners, and funeral directors
- Organ procurement organizations and tissue banks
- Averting a serious threat to health or safety using professional judgment
- Workers’ compensation and similar programs
- Research with an IRB/privacy board waiver of authorization or limited data sets under a data use agreement
Disclosures to the individual, for HHS compliance investigations, and for certain facility directories are also allowed. Apply role-based access, verify requestor authority, and document disclosures when policies require it.
Authorization Requirements and Exceptions
You need Written Authorization for most uses and disclosures that are not TPO or otherwise specifically permitted. Authorizations must be specific and time-bound, describe what will be disclosed and to whom, include an expiration date or event, inform the patient of the right to revoke, and be signed by the patient or personal representative.
When Written Authorization is typically required
- Marketing that is not face-to-face or that involves financial remuneration
- Sale of PHI
- Most disclosures to third parties for their own purposes
- Psychotherapy notes (with narrow exceptions)
- Research that does not qualify for a waiver or limited data set
- Media access, filming, or photography involving identifiable patients
Patient consent exceptions are built into HIPAA for TPO, certain public health and safety purposes, and as required by law. Even when an exception applies, disclose only what is necessary, verify identity, and record the rationale consistent with your policy.
Disclosures to Family, Friends, and Media
You may share relevant PHI with a patient’s family members, friends, or others involved in care if the patient agrees or does not object when given the opportunity. If the patient is incapacitated or unavailable, you may use professional judgment to share information in the patient’s best interests, limited to what the person needs to know.
Practical boundaries
- Confirm identity and relationship before speaking; avoid open areas when possible.
- Speak in general terms when appropriate (e.g., “stable,” “resting comfortably”).
- Honor any patient-imposed restrictions or confidential communications requests.
- For minors, follow applicable state consent and guardianship rules.
- For deceased patients, HIPAA protects PHI for 50 years; share with the personal representative unless state law says otherwise.
Media requests and facility directories
You can include a patient in a facility directory with limited information if the patient has not objected. For specific media inquiries or filming, you generally need Written Authorization before any recording or disclosure. When in doubt, provide “no information” rather than confirm or deny someone’s presence.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
De-Identification and Minimum Necessary Standard
HIPAA allows two pathways for the De-Identification Process: safe harbor (remove all 18 identifiers and ensure no actual knowledge of re-identification) and expert determination (a qualified expert documents a very small risk of re-identification). Properly de-identified data is not PHI and can be used more freely.
Limited data sets
A limited data set removes direct identifiers but can retain some dates and certain geography. You may use or disclose it only under a data use agreement that restricts recipients and purposes.
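The safe harbor identifier list earlier on this page and the safe harbor versus limited data set distinction in this section, worked through as an added example (this is not code from the original article or from any vendor): a filter over a flat patient record that produces either a safe harbor data set or a limited data set. The field names, the sample record and the restricted ZIP prefix set are constructed assumptions; in practice the set of three-digit ZIP prefixes that must be replaced with 000 comes from HHS guidance based on census population counts.

```python
"""De-identification filter for a flat patient record (hypothetical example).

Two modes mirror the two data products described in the article:
  - "safe_harbor": strip all 18 identifier classes; keep only the year of
    dates, a 3-digit ZIP (or 000), the state, and ages capped at "90+".
  - "limited_data_set": strip direct identifiers only; dates, town/city,
    state, ZIP and age are retained for use under a data use agreement.
Field names and sample values are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers: removed under safe harbor AND excluded from a limited data set.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
    "other_unique_code",
})
# Removed under safe harbor but retained in a limited data set.
SAFE_HARBOR_ONLY_FIELDS = frozenset({"city"})  # geography below state level
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})

# (pattern, replacement, safe_harbor_only) for identifiers that leak into free text.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]", False),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]", False),
    (re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]", False),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]", False),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]", True),  # dates survive in an LDS
]


def generalize_zip(zip_code, restricted_zip3):
    """Keep the first three ZIP digits unless that prefix is on the restricted
    list (prefixes covering 20,000 or fewer people per HHS guidance); else 000."""
    digits = re.sub(r"\D", "", zip_code or "")[:3]
    if len(digits) < 3 or digits in restricted_zip3:
        return "000"
    return digits


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90-or-older category."""
    return "90+" if age > 89 else age


def year_only(value):
    """Reduce a date (object or ISO string) to its year; None if unparseable."""
    if isinstance(value, date):
        return value.year
    match = re.match(r"(\d{4})", str(value))
    return int(match.group(1)) if match else None


def scrub_text(text, safe_harbor):
    """Replace identifier patterns in free text with placeholder tokens."""
    for pattern, token, safe_harbor_only in FREE_TEXT_PATTERNS:
        if safe_harbor or not safe_harbor_only:
            text = pattern.sub(token, text)
    return text


def deidentify(record, mode="safe_harbor", restricted_zip3=frozenset()):
    """Return a new record with identifiers removed or generalized per mode."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    safe_harbor = mode == "safe_harbor"
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped in both modes
        if safe_harbor and field in SAFE_HARBOR_ONLY_FIELDS:
            continue
        if field == "notes" and isinstance(value, str):
            out[field] = scrub_text(value, safe_harbor)
        elif safe_harbor and field == "zip":
            out[field] = generalize_zip(value, restricted_zip3)
        elif safe_harbor and field in DATE_FIELDS:
            out[field] = year_only(value)
        elif safe_harbor and field == "age" and isinstance(value, int):
            out[field] = generalize_age(value)
        else:
            out[field] = value
    return out


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "mrn": "MRN-0001", "email": "jane@example.org",
    "street_address": "12 Elm St", "city": "Springfield", "state": "IL",
    "zip": "62704", "date_of_birth": date(1931, 5, 14), "age": 93,
    "admission_date": "2024-03-02", "diagnosis_code": "E11.9",
    "notes": "Pt called from 217-555-0100; follow-up 2024-03-09. SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, mode="limited_data_set"))
```

The limited data set output keeps the full admission date, city and ZIP, which is exactly why it may only leave the organization under a data use agreement; the safe harbor output keeps only year, state and a three-digit ZIP. The free-text scrub is deliberately the weakest part: regex patterns catch formatted identifiers in notes but not names or unique circumstances, so free text still needs human or expert-determination review before release.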
Applying the Minimum Necessary Standard
- Default to the smallest data elements needed for the task; use role-based access and standardized request forms.
- For routine disclosures, create standing protocols that predefine minimum fields.
- For non-routine disclosures, perform case-by-case reviews and document the rationale.
- Remember: minimum necessary does not apply to treatment disclosures or to disclosures to the individual, but it does apply broadly to payment, operations, and most others.
Incidental Disclosures and Safeguards
An Incidental Disclosure is a secondary, unavoidable exposure that occurs despite reasonable safeguards and compliance with the Minimum Necessary Standard (for example, a passerby overhearing a name at a nursing station). Incidental disclosures are permitted only when they are truly incidental to an otherwise allowed use or disclosure.
Reasonable safeguards you can put in place
- Use low voices, privacy curtains, and private rooms for sensitive conversations.
- Configure screens with privacy filters; log off or lock devices when unattended.
- Limit sign-in sheets and waiting-room calls to first name/initial when feasible.
- Transmit PHI via secure messaging or encrypted email whenever possible.
- Adopt clean desk policies and secure bins for documents pending shredding.
- Train your workforce to recognize and promptly mitigate risk scenarios.
If an exposure is more than incidental (e.g., misdirected records), trigger your breach assessment, follow notification rules, and document corrective actions.
State Laws Impacting HIPAA Compliance
HIPAA sets a floor, not a ceiling. If a state law is more stringent—offering greater privacy protections or more access rights—it generally controls. This often affects minors’ consent rules and specially protected categories like HIV/AIDS status, genetic data, mental health, reproductive health, and substance use disorder information.
Map your locations and services to a state-law matrix covering authorization content, retention and access timelines, mandated reporting, and telehealth. Align policies to the strictest applicable rule, update your forms, and train staff on state-specific nuances that alter disclosure decisions.
Conclusion
HIPAA-compliant patient disclosures hinge on three habits: verify a permissible purpose, apply the Minimum Necessary Standard, and document your judgment. Build consistent protocols for routine requests, require Written Authorization when needed, and use de-identification whenever possible to minimize risk while enabling appropriate information flow.
FAQs
What information is considered protected health information under HIPAA?
PHI is any individually identifiable health information held or transmitted by a covered entity or business associate that relates to a person’s health, care, or payment. It includes data elements that can identify the person (names, detailed addresses, contact numbers, Social Security and medical record numbers, photos, device IDs, IP addresses, full dates, and similar identifiers) as well as clinical details when those details are linkable to an individual.
When can PHI be disclosed without patient authorization?
Disclosures without authorization are allowed for treatment, payment, and healthcare operations; certain public health and safety activities; health oversight; limited law enforcement and court processes; organ donation, coroners/medical examiners, and workers’ compensation; research with a waiver or limited data set; and disclosures to the individual or HHS. Always apply verification and the Minimum Necessary Standard where required.
How can incidental disclosures be handled compliantly?
First ensure the underlying use or disclosure is permitted. Then implement reasonable safeguards—lower voices, privacy screens, secure messaging, clean desk practices—and limit PHI to the minimum necessary. If an exposure exceeds “incidental,” treat it as a potential breach, investigate, mitigate, and follow your notification policy.
What are the limitations on sharing patient information on social media?
Do not post, comment, or respond with any PHI—even to “confirm” someone is a patient—without valid Written Authorization. Avoid photos, videos, or anecdotes that could identify a person, including unique situations or timestamps. Route patient-specific issues to secure channels, use de-identified educational content when needed, and maintain a clear social media policy and staff training.