HIPAA Disclosure Rule Summary: When You Can Share PHI (and When You Can’t)


Kevin Henry

HIPAA

February 26, 2024

9-minute read

Permitted Uses and Disclosures

The HIPAA Privacy Rule sets out when Covered Entities (healthcare providers, health plans, and clearinghouses) and their business associates may use or disclose protected health information (PHI). You can share PHI without a PHI Authorization for specific purposes, provided you follow the Minimum Necessary Standard and implement reasonable safeguards.

  • Treatment, Payment, and Healthcare Operations (TPO) activities are generally allowed without authorization. The details for each appear in the sections below.
  • Incidental Disclosures are permissible when they occur as a byproduct of an otherwise permitted use, and you apply appropriate administrative, technical, and physical safeguards.
  • Public interest and benefit activities (for example, Public Health Reporting, law enforcement under defined conditions, and health oversight) are permitted if you meet the rule’s prerequisites.
  • Disclosures to family, friends, or others involved in a patient’s care or payment can occur with the patient’s agreement, or when the patient is incapacitated and you exercise professional judgment.
  • Limited data sets may be used or disclosed for research, public health, or Healthcare Operations with a data use agreement; fully de-identified data is not PHI.

Required Disclosures are limited to two situations: providing individuals access to their own PHI and furnishing PHI to the U.S. Department of Health and Human Services for compliance investigations. For other purposes, obtain a valid PHI Authorization unless a specific permission applies. Document your decisions and maintain Healthcare Operations Compliance through policies, training, and audit trails.

Treatment Purposes

You may use and disclose PHI for a patient’s treatment, including coordination and management of care with other providers, referrals, prescriptions, laboratory orders and results, and e-consults. This covers exchanges between different organizations when necessary for clinical decision-making.

What you may share without authorization

  • Information relevant to diagnosis, care coordination, and follow-up among treating providers, pharmacists, labs, and hospitals.
  • Emergency disclosures to facilitate immediate care, including to first responders or receiving facilities.
  • Telehealth workflows using business associates (for example, EHR or video platforms) under executed business associate agreements.

Limits and safeguards

  • The Minimum Necessary Standard does not apply to disclosures to another provider for treatment; still limit sharing to what is clinically pertinent.
  • Psychotherapy notes require patient authorization unless a narrow exception applies. More protective federal or state laws (for example, 42 CFR Part 2 for certain substance use disorder records) may impose additional consent requirements.
  • Honor patient-requested restrictions when a patient pays in full out-of-pocket and asks you not to disclose that service to a health plan.
  • Verify recipient identity, use secure transmission methods, and document your rationale when judgment-based disclosures are made.

Payment Purposes

Payment includes activities to obtain reimbursement or determine coverage: claims submission, eligibility checks, prior authorization, utilization review, adjudication, and medical necessity review. You may disclose PHI to health plans, clearinghouses, and business associates involved in these functions.

  • Apply the Minimum Necessary Standard: share only the data elements needed for the payment task (for example, diagnosis and procedure codes, dates of service).
  • If a patient pays in full and requests a restriction, do not disclose that service to the health plan, unless another law requires it.
  • Using PHI for marketing, or selling PHI, is not a payment purpose and generally requires authorization.
  • Disclosures to plan sponsors must follow plan documentation requirements and avoid mixing employment records with PHI.

Healthcare Operations

Healthcare operations cover internal activities that support running your organization and improving care. Examples include quality assessment, peer review, workforce training, auditing, accreditation, risk management, business planning, due diligence, and customer service. These uses help you maintain Healthcare Operations Compliance.

  • Quality improvement and patient safety studies, peer review conferences, and clinical guideline development.
  • Credentialing and privileging professionals, training students and residents, and evaluating provider performance.
  • Compliance audits, privacy and security investigations, incident response, and breach risk assessments.
  • Population-based management and case management that are not direct treatment activities.

The Minimum Necessary Standard applies to operations. Prefer a limited data set and execute data use agreements when appropriate. Disclose PHI to business associates only under written business associate agreements and monitor their safeguards.

De-identification and limited data sets

De-identified data is not PHI and may be used freely if identifiers are removed per HIPAA methods. A limited data set excludes direct identifiers and may be used for research, public health, or operations with a data use agreement that restricts re-identification and limits use to defined purposes.

Family and Friends Involvement

You may share relevant PHI with family members, friends, or others identified by the patient as involved in care or payment. Obtain the patient’s agreement or give the patient an opportunity to agree or object. If the patient is incapacitated or in an emergency, disclose what is necessary in the patient’s best interests using professional judgment.

  • Limit disclosures to what the person needs to know for involvement in care or payment, and apply the Minimum Necessary Standard.
  • Verify identity and the relationship when reasonable, and respect any patient-designated personal representative.
  • For minors, follow state law on parental access and any applicable protections for sensitive services.
  • If discussing in semi-public areas, use privacy safeguards; incidental disclosures are allowed only when safeguards are in place.

Public Interest and Benefit Activities

HIPAA permits PHI disclosures without authorization for defined public interest purposes, subject to conditions. Confirm the legal authority, disclose only the minimum necessary, and document your decision.

Common categories

  • Required by law: disclosures mandated by statutes, regulations, or court orders.
  • Public Health Reporting: reporting certain diseases, injuries, exposures, immunizations, and adverse events to authorized public health authorities.
  • Health oversight: audits, investigations, inspections, or licensing by oversight agencies.
  • Judicial and administrative proceedings: in response to a court order or, with additional safeguards, certain subpoenas.
  • Law enforcement: limited circumstances such as locating a suspect or reporting certain wounds, or in emergencies with required documentation.
  • Averting a serious and imminent threat: disclosures to prevent or lessen a serious threat to health or safety.
  • Research: with an Institutional Review Board or privacy board waiver, or using a limited data set with a data use agreement.
  • Organ and tissue donation, coroners and medical examiners, and funeral directors.
  • Workers’ compensation programs as authorized by law, and certain military or national security activities.

Conditions and documentation

  • Confirm the recipient’s legal authority (for example, public health jurisdiction, valid court order) before disclosing.
  • Apply the Minimum Necessary Standard and maintain an accounting of disclosures when required.
  • For subpoenas or administrative requests, ensure required assurances (notice to the individual or protective order) are in place.
  • Follow specific rules for reporting abuse, neglect, or domestic violence, including any duty to inform the individual when safe to do so.

Prohibited Disclosures

Unless a HIPAA permission applies or you have a valid PHI Authorization, do not use or disclose PHI. The following are common prohibitions and pitfalls to avoid.

  • No marketing communications or sale of PHI without explicit authorization, subject to narrow exceptions.
  • No disclosure of psychotherapy notes without authorization, except for a few limited purposes defined by HIPAA.
  • No sharing beyond the Minimum Necessary Standard for non-treatment purposes; tailor datasets and role-based access.
  • No posting, texting, or discussing PHI on social media or in public spaces.
  • No disclosure to employers from your clinical records, except as allowed by law and separate from employment records.
  • No use of genetic information for health plan underwriting; comply with GINA and related HIPAA provisions.
  • No disclosure to law enforcement or others without proper legal authority or applicable HIPAA permission.
  • Honor patient-requested restrictions when legally required (for example, self-pay restrictions to health plans).

Conclusion

Use or disclose PHI only when a HIPAA permission applies, honor Required Disclosures, and lean on the Minimum Necessary Standard for most non-treatment activities. Build privacy by design through policies, workforce training, and business associate oversight so compliant sharing supports care, payment, operations, and public health while protecting patient trust.

FAQs

When can PHI be disclosed without patient authorization?

You may disclose PHI without authorization for treatment, payment, and healthcare operations; to individuals involved in care or payment (with the patient’s agreement or professional judgment when the patient is incapacitated); for public interest and benefit activities such as Public Health Reporting, health oversight, certain law enforcement purposes, court orders, and to avert a serious threat; for research under an IRB/privacy board waiver or via a limited data set; and for Required Disclosures to the individual and to HHS. Incidental Disclosures are permitted when safeguards and the Minimum Necessary Standard are applied.

What are the limits of sharing PHI for treatment purposes?

You can share PHI with other treating providers without applying the Minimum Necessary Standard, but limit information to what is clinically relevant and verify recipients. Psychotherapy notes still require authorization, and other laws (for example, 42 CFR Part 2 and certain state laws) may require additional consent for sensitive information. Use secure channels, maintain business associate agreements for platforms you rely on, and respect any patient-imposed restrictions that legally apply.

Are there exceptions to the minimum necessary standard?

Yes. The Minimum Necessary Standard does not apply to disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to a valid authorization; disclosures required by law; disclosures to HHS for compliance investigations; and uses or disclosures required for HIPAA standard transactions. For most other purposes, you must limit PHI to the minimum necessary.

When is PHI disclosure required by law?

HIPAA requires disclosures in two situations: providing individuals access to their own PHI and supplying PHI to HHS for compliance reviews. Separately, other laws may mandate disclosures, such as reporting certain injuries, child abuse or neglect, specific infectious diseases, or responding to a court order. When the law compels disclosure, follow the scope of the mandate, apply minimum necessary where applicable, and document your actions, including meeting the HIPAA right-of-access timeline.
