HIPAA Health Care Operations Explained: Permitted Uses, Examples, and Compliance Guide


Kevin Henry

HIPAA

June 24, 2025


Definition of Health Care Operations

Under the HIPAA Privacy Rule, health care operations are the administrative, financial, legal, and quality-improvement activities a covered entity performs to run its business and support core functions of treatment and payment. These activities involve the use and disclosure of Protected Health Information (PHI) in ways that enable safe, efficient care while respecting patient privacy.

Covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. Covered entities may also work with business associates that handle PHI on their behalf under a written agreement. For operations, the “minimum necessary” standard applies: you should access, use, or disclose only the PHI needed to accomplish the task.

Core categories included

  • Quality Assessment and improvement initiatives, patient safety activities, outcomes measurement, population-based care management, and case management.
  • Reviewing the competence or qualifications of health care professionals; training and education; credentialing, privileging, accreditation, and licensing.
  • Underwriting, premium rating, and related functions for a health plan (subject to limits, such as restrictions on using genetic information for underwriting).
  • Medical review, legal services, auditing, compliance, and Fraud and Abuse Detection.
  • Business Management Activities, including strategic planning, budgeting, customer service, data aggregation, de-identification, due diligence for mergers and affiliations, and vendor oversight.
  • Fundraising for the benefit of the covered entity, within HIPAA’s specific safeguards and opt-out requirements.

Activities not considered operations

  • Most marketing communications without authorization.
  • Sale of PHI without authorization.
  • Psychotherapy notes (which typically require separate authorization for most uses).
  • Research that lacks an Institutional Review Board/Privacy Board waiver or a data use agreement for a limited data set.

Examples of Health Care Operations

Quality, safety, and population health

  • Peer review and morbidity/mortality conferences to drive Quality Assessment and improvement.
  • Developing clinical guidelines and care pathways based on outcomes data.
  • Population health analytics to target care gaps and reduce readmissions.
  • Patient safety event reporting and root-cause analysis.

Administration and Business Management Activities

  • Budgeting, forecasting, strategic planning, and service-line development.
  • IT operations, EHR performance tuning, backup/recovery testing, and cybersecurity monitoring.
  • Due diligence for affiliations or acquisitions, including data room reviews under safeguards.
  • Customer service, complaint resolution, and internal grievance handling.

Risk, compliance, and integrity

  • Internal HIPAA risk analysis and risk management.
  • Billing and documentation audits, coding accuracy checks, and utilization audits.
  • Fraud and Abuse Detection, compliance hotlines, and investigations.
  • Legal reviews, contract management, and privilege logs involving PHI.

Workforce, credentialing, and accreditation

  • Onboarding and training for clinicians, students, and residents using the minimum necessary PHI.
  • Credentialing, privileging, and primary source verification for health care providers.
  • Preparing for and responding to accreditation surveys.

Health plan operations

  • Network management, provider contracting, and performance measurement.
  • Underwriting and premium rating where allowed, excluding prohibited uses of genetic information.
  • Claims auditing and overpayment recovery unrelated to payment adjudication.

Data governance and analytics

  • De-identifying PHI for analytics or innovation projects.
  • Creating and sharing limited data sets under a data use agreement for operations-related analytics.
  • Data aggregation by a business associate to support multi-entity benchmarking.

Permitted Uses and Disclosures Without Authorization

HIPAA permits certain uses and disclosures of PHI without an individual’s written authorization. Your Notice of Privacy Practices should explain these permissions, and you must apply the minimum-necessary standard where required.

Treatment, payment, and health care operations (TPO)

You may use or disclose PHI for treatment, payment, and health care operations. Disclosures for treatment are not subject to the minimum-necessary rule; disclosures for payment and operations are.

Public interest and benefit activities

  • As required by law, including mandatory reporting.
  • Public health activities (e.g., disease reporting, adverse event reporting).
  • Health oversight (e.g., audits, inspections, licensure actions).
  • Judicial and administrative proceedings, and certain law enforcement purposes.
  • Decedents’ affairs (e.g., to coroners, medical examiners, funeral directors).
  • Organ, eye, or tissue donation and transplantation activities.
  • Averting a serious threat to health or safety.
  • Workers’ compensation programs, as authorized by law.

Other limited disclosures

  • To the individual patient (or personal representative) upon request.
  • Incidental disclosures that occur despite reasonable safeguards.
  • De-identified information (not PHI) and limited data sets under a data use agreement.
  • To business associates for permitted functions, with a business associate agreement in place.
  • Facility directories and involvement in care or notification, consistent with patient preferences and professional judgment.
  • Within an organized health care arrangement (OHCA) for joint operations.

Separate, signed authorization is generally required for most marketing, sale of PHI, psychotherapy notes, and research that does not meet HIPAA’s waiver or limited data set pathways.

Disclosure for Treatment Activities

Treatment includes the provision, coordination, or management of health care by one or more health care providers. You may disclose PHI to another provider for consultation, referral, or care coordination without obtaining the patient’s authorization, and the minimum-necessary standard does not apply.

Who you can share with

  • Referring or consulting physicians, hospitals, clinics, labs, imaging centers, pharmacies, and home health agencies.
  • Care teams across settings to coordinate transitions of care and avoid duplicate testing.
  • Family members or caregivers involved in the patient’s care when consistent with patient preferences or professional judgment.

Practical safeguards

  • Verify recipient identity and share only information relevant to the treatment purpose.
  • Use secure exchange methods (e.g., encrypted messaging, EHR interoperability) whenever feasible.
  • Honor patient requests to limit disclosures when HIPAA permits, and be mindful of stricter laws (e.g., certain substance use disorder records).

Disclosure for Payment Activities

Payment encompasses activities needed to obtain reimbursement and determine benefits. The minimum-necessary standard applies, so disclose only the PHI required to substantiate the claim or payment function.

Common payment disclosures

  • Submitting claims and encounter data, including supporting documentation.
  • Eligibility and coverage verification, coordination of benefits, and subrogation.
  • Prior authorization, pre-certification, and medical necessity review.
  • Utilization review, claim adjudication, and appeals.
  • Engaging billing services or clearinghouses as business associates.

Special considerations

  • If a patient pays a provider in full out-of-pocket and requests nondisclosure to a health plan, you must honor that restriction unless another law requires disclosure.
  • Disclosures to collection agencies must be limited to the minimum necessary and governed by a business associate agreement when applicable.

Disclosure for Health Care Operations Activities

For operations, you may use PHI internally and disclose externally under defined conditions. Always apply the minimum-necessary standard and role-based access controls.

When you can disclose to another covered entity

  • For Quality Assessment and improvement or population-based activities, if both covered entities have or had a relationship with the individual and the PHI pertains to that relationship.
  • For reviewing the competence or qualifications of health care providers, including credentialing and peer review, under the same relationship conditions.
  • For Fraud and Abuse Detection or compliance activities, again when both entities have or had a relationship with the individual.

Working with business associates

  • Execute a business associate agreement that defines permissible uses/disclosures, safeguards, and breach reporting.
  • Permit data aggregation to help benchmark performance across multiple covered entities.
  • Conduct due diligence and ongoing oversight; require appropriate technical, administrative, and physical safeguards.

What remains off-limits without authorization

  • Marketing that is not a permissible health care operation or treatment communication.
  • Sale of PHI, except for limited cost-based exceptions.
  • Most research uses that lack a waiver or data use agreement.

Compliance Requirements and Best Practices

Governance and documentation

  • Designate privacy and security officials; adopt written policies and procedures for uses/disclosures, safeguards, and complaint handling.
  • Maintain an up-to-date Notice of Privacy Practices that explains TPO and other permitted disclosures.
  • Perform an enterprise-wide risk analysis and implement risk management plans; review them regularly.
  • Document decisions, training, business associate agreements, data use agreements, and incident response actions.

Access controls and minimum necessary

  • Implement role-based access, identity verification, and audit logging across systems that store PHI.
  • Apply the minimum-necessary standard to payment and operations; establish job aids that define typical data elements for each task.
  • Segment especially sensitive information where feasible and legally required.

Vendor and data-sharing management

  • Use business associate agreements with all vendors that create, receive, maintain, or transmit PHI.
  • Require encryption in transit and at rest, secure software development practices, and third-party security assessments.
  • Use de-identification or limited data sets with a data use agreement when full PHI is not necessary.

Workforce readiness

  • Provide initial and periodic HIPAA training tailored to roles, including real-world scenarios.
  • Adopt a sanctions policy and reinforce good security habits (e.g., phishing awareness, device safeguards).

Incident response and patient rights

  • Maintain a documented incident response plan, perform prompt risk assessments, and deliver breach notifications when required.
  • Respect patient rights to access, amendments, and certain restrictions; verify identity before fulfilling requests.

Continuous improvement

  • Monitor key privacy and security metrics, conduct internal audits, and remediate findings quickly.
  • Reassess operations data flows when processes or technologies change.

In practice, you can confidently use and disclose PHI for treatment, payment, and health care operations when you apply the minimum-necessary standard, document your rationale, and maintain strong safeguards. Clear policies, vigilant vendor oversight, and ongoing Quality Assessment keep operations compliant and patient-centered.

FAQs

What activities qualify as health care operations under HIPAA?

They include Quality Assessment and improvement, patient safety activities, case management, credentialing and privileging, training and education, accreditation and licensing, medical review, legal services, auditing and compliance, Fraud and Abuse Detection, underwriting and premium rating for a health plan (with limits), and Business Management Activities such as planning, budgeting, de-identification, data aggregation, and vendor oversight.

How can protected health information be disclosed without patient authorization?

You may disclose PHI for treatment, payment, and health care operations; for certain public interest purposes (e.g., public health reporting, health oversight, required-by-law disclosures); to the individual; incidentally with safeguards; as de-identified data; as a limited data set under a data use agreement; to business associates under a contract; and within an organized health care arrangement. Authorization is generally required for most marketing, sale of PHI, psychotherapy notes, and research that lacks a waiver or data use agreement.

What are the compliance requirements for sharing PHI in health care operations?

Apply the minimum-necessary standard, maintain role-based access, and document policies and decisions. Issue a clear Notice of Privacy Practices, execute business associate agreements, and use de-identification or limited data sets when full PHI is unnecessary. Train your workforce, log and audit access, secure systems with administrative, physical, and technical safeguards, and follow incident response and breach notification procedures when needed.
