HIPAA-Compliant Uses and Disclosures: What the Privacy Rule Allows


Kevin Henry

HIPAA

February 19, 2025


Permitted Uses and Disclosures

The HIPAA Privacy Rule governs how Covered Entities and their business associates handle Protected Health Information (PHI). It allows certain uses and disclosures without the individual’s written authorization, provided you follow the rule’s conditions and apply reasonable safeguards.

Most day-to-day sharing of PHI occurs for treatment, payment, and health care operations (often called TPO). These are core activities that keep care moving without needing written permission from the individual.

Treatment

You may use and disclose PHI to coordinate, manage, or provide care—within your organization and with other providers. Examples include referrals, care coordination, consultations, and prescriptions.

Payment

Disclosures to obtain reimbursement or determine eligibility are permitted. Typical examples include prior authorizations, claims submission, billing reviews, and utilization management.

Health Care Operations

Operations cover quality assessment, improvement activities, case management, accreditation, auditing, credentialing, and limited fundraising using only permitted data elements with an opt-out. These uses support safe and efficient delivery of care.

Opportunity to Agree or Object

You may include a patient in a facility directory or share limited PHI with family, friends, or others involved in care when the patient agrees, is given an opportunity to object, or when professional judgment supports it (for example, in emergencies).

Business Associates, Limited Data Sets, and De-identified Information

Disclosures to business associates are allowed when a written agreement requires appropriate safeguards. A limited data set may be shared for research, public health, or health care operations under a data use agreement. De-identified information is not PHI and may be used or disclosed freely.

Required Disclosures

HIPAA requires two types of disclosures: (1) to individuals, when they exercise their right of access to their PHI in a designated record set, and (2) to the U.S. Department of Health and Human Services (HHS) for compliance investigations or reviews. These are non-optional obligations for Covered Entities.

When responding to a patient’s access request, provide PHI in the requested form and format if readily producible, charge only reasonable, cost-based fees, and verify identity before release. Maintain documentation of requests and responses to demonstrate compliance.

Public Interest and Benefit Activities

The Privacy Rule permits specific disclosures without authorization to serve important societal goals. Each allowance has defined conditions and limits, and many require you to apply the Minimum Necessary Standard.

  • Required by law: Disclose PHI when another law compels it and the disclosure meets that law’s terms.
  • Public Health Disclosure: Share PHI with public health authorities for disease reporting, surveillance, adverse event reporting, or to prevent or control injury or disability.
  • Victims of abuse, neglect, or domestic violence: Disclose to appropriate authorities when permitted and consistent with patient safety and state law.
  • Health oversight activities: Provide PHI to oversight agencies for audits, investigations, inspections, and licensure.
  • Judicial and administrative proceedings: Disclose in response to a court order or certain subpoenas that meet HIPAA conditions.
  • Law enforcement purposes: Share in limited situations such as locating a suspect, reporting certain injuries, or complying with a court order or warrant.
  • Decedents: Disclose to coroners, medical examiners, funeral directors, or for research on decedents, subject to rule conditions.
  • Cadaveric organ, eye, or tissue donation: Share with procurement organizations to facilitate donation and transplantation.
  • Research: Use or disclose PHI with an Institutional Review Board/Privacy Board waiver, a limited data set with a data use agreement, or other permitted pathways.
  • Averting a serious threat: Disclose to prevent or lessen a serious and imminent threat to health or safety, consistent with applicable law and ethical standards.
  • Specialized government functions: Disclose for military and veterans activities, national security, protective services, or correctional institutions, within defined limits.
  • Workers’ compensation: Disclose as authorized by and to the extent necessary to comply with workers’ compensation or similar programs.

Incidental Uses and Disclosures

An Incidental Disclosure is a secondary disclosure that occurs as a byproduct of a permitted use or disclosure—such as a name overheard at a nursing station. These are allowed only when you have applied reasonable safeguards and the Minimum Necessary Standard to the underlying activity.

Put practical protections in place. Administrative Safeguards—like policies, workforce training, and access controls—help prevent inappropriate exposure. Additional measures include speaking quietly in public areas, positioning computer screens away from public view, using privacy curtains, and double-checking recipient information before faxing or emailing.


Minimum Necessary Standard

The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount reasonably necessary to accomplish the purpose. Implement role-based access, need-to-know policies, and default queries that return only relevant data.

This standard does not apply to certain situations, including disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made pursuant to a valid authorization, disclosures required by law, and disclosures to HHS for compliance. Requests for an entire medical record must be specifically justified as necessary.
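To show how the Minimum Necessary Standard and its exceptions can be enforced in code, here is an added illustration that is not from the article or from Accountable’s product. It is a small policy layer that filters a PHI record query down to the fields a role needs for a stated purpose, bypasses the filter for the exempt purposes listed above, refuses an unjustified entire-record request, and emits an audit entry. The record shape, role names, purpose labels and field allow-lists are constructed assumptions for this example, not values defined by HIPAA.

```python
"""Added example (not from the article): applying the Minimum Necessary
Standard as a query-time field filter with role-based allow-lists.
All record fields, roles, purposes and allow-lists below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record from a hypothetical designated record set.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Test Patient",
    "dob": "1980-01-01",
    "address": "1 Example St",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "insurance_id": "INS-987",
    "balance_due": 120.50,
    "psychotherapy_notes": "(constructed placeholder)",
}

# Purposes to which the Minimum Necessary Standard does not apply
# (treatment, the individual, valid authorization, required by law, HHS).
MINIMUM_NECESSARY_EXEMPT = {
    "treatment", "individual_access", "valid_authorization",
    "required_by_law", "hhs_compliance",
}

# Hypothetical role/purpose allow-lists: the "default query" for each task.
FIELD_POLICY = {
    ("billing", "payment"): {"mrn", "name", "insurance_id", "balance_due"},
    ("quality", "operations"): {"mrn", "diagnoses", "medications"},
    ("front_desk", "operations"): {"mrn", "name"},
}

# Psychotherapy notes need a separate authorization for most uses; this toy
# conservatively releases them only when the purpose is a valid authorization.
AUTHORIZATION_ONLY_FIELDS = {"psychotherapy_notes"}


@dataclass
class Request:
    role: str
    purpose: str
    fields: Optional[frozenset] = None  # None means "entire record"
    justification: str = ""


@dataclass
class Decision:
    released: dict
    audit: dict = field(default_factory=dict)


def apply_minimum_necessary(req: Request, record: dict) -> Decision:
    """Return only the fields the request may receive, plus an audit entry.

    Callers are assumed to have already established the underlying permission
    (treatment relationship, authorization, legal mandate); this function only
    narrows what is released."""
    record_fields = set(record)
    if req.purpose in MINIMUM_NECESSARY_EXEMPT:
        allowed = set(record_fields)  # the standard itself does not apply
    else:
        policy = FIELD_POLICY.get((req.role, req.purpose))
        if policy is None:
            raise PermissionError(
                f"no policy for role={req.role!r} purpose={req.purpose!r}")
        if req.fields is None:
            # Entire-record requests must be specifically justified as necessary.
            if not req.justification.strip():
                raise PermissionError(
                    "entire-record request requires a documented justification")
            allowed = set(record_fields)
        else:
            allowed = set(policy)
    if req.purpose != "valid_authorization":
        allowed -= AUTHORIZATION_ONLY_FIELDS
    requested = record_fields if req.fields is None else set(req.fields)
    released_keys = requested & allowed
    denied_keys = requested - allowed
    released = {k: record[k] for k in sorted(released_keys)}
    audit = {
        "role": req.role,
        "purpose": req.purpose,
        "released": sorted(released_keys),
        "denied": sorted(denied_keys),
        "justification": req.justification,
    }
    return Decision(released, audit)


if __name__ == "__main__":
    req = Request("billing", "payment",
                  frozenset({"name", "diagnoses", "balance_due"}))
    print(apply_minimum_necessary(req, SAMPLE_RECORD).audit)
```

The denied-field list in the audit entry is what a reviewer would look at: a billing role that keeps requesting clinical fields is a sign the default query or the allow-list needs attention.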

Authorization Requirements

When a use or disclosure is not otherwise permitted or required by HIPAA, a valid patient authorization is needed. A valid authorization includes core elements and statements that inform the individual and limit downstream use.

Core Elements of a Valid Authorization

  • Description of the PHI to be used or disclosed.
  • Who may disclose and who may receive the PHI.
  • Purpose of the use or disclosure.
  • Expiration date or event.
  • Signature and date of the individual (or personal representative).
  • Required statements about the right to revoke, the potential for re-disclosure, and any conditions (for example, if authorization is a condition of research-related treatment).

Common Situations Requiring Authorization

  • Marketing communications that are not within HIPAA’s narrow exceptions.
  • Sale of PHI.
  • Most uses and disclosures of psychotherapy notes (with limited exceptions).
  • Any disclosure not otherwise permitted by the Privacy Rule.

Exceptions to Authorization

No authorization is required for the following, provided you meet all HIPAA conditions and apply safeguards:

  • Treatment, payment, and health care operations.
  • Disclosures to the individual and to HHS for compliance.
  • Disclosures required by law.
  • Public interest and benefit activities (for example, public health, oversight, law enforcement, court orders, serious threat, and workers’ compensation).
  • Facility directories and disclosures to those involved in the individual’s care, with opportunity to agree or object or when professional judgment permits.
  • Incidental disclosures, when reasonable safeguards and the Minimum Necessary Standard are in place for the underlying activity.
  • Research with an IRB/Privacy Board waiver or a limited data set with a data use agreement.
  • Disclosures of de-identified information or a limited data set.

Taken together, these allowances enable appropriate information flow for care and safety while protecting privacy through clear limits, accountability, and the Minimum Necessary Standard.

FAQs

When can PHI be disclosed without authorization?

PHI may be disclosed without authorization for treatment, payment, and health care operations; to the individual; to HHS for compliance; when required by law; and for defined public interest and benefit activities (such as public health reporting, health oversight, certain law enforcement needs, court orders, research with a waiver, and averting a serious threat). Incidental disclosures are permitted when safeguards are in place.

What are the minimum necessary requirements?

Use, disclose, and request only the PHI reasonably necessary for the task. Establish role-based access, need-to-know policies, and procedures that default to the smallest data set (for example, abstracts or limited data sets). The Minimum Necessary Standard does not apply to treatment, disclosures to the individual, uses/disclosures made under a valid authorization, disclosures required by law, or disclosures to HHS.

How does the Privacy Rule regulate incidental disclosures?

An incidental disclosure is permitted only when it is a byproduct of a permitted use or disclosure and you have applied reasonable safeguards and the Minimum Necessary Standard. Examples include names overheard in a waiting room or a pager announcement, provided policies, training, and other Administrative Safeguards minimize the risk.

When must covered entities provide PHI to individuals?

Covered Entities must provide access to an individual’s PHI in a designated record set when the individual requests it, subject to narrow exceptions. Access should be in the form and format requested if readily producible, within HIPAA’s timeframes, and at a reasonable, cost-based fee—supporting transparency and patient control over Protected Health Information.
