HIPAA Privacy Rule Exceptions: When PHI Can Be Shared Without Authorization
The HIPAA Privacy Rule allows specific disclosures of Protected Health Information (PHI) without an individual’s written authorization. These HIPAA Privacy Rule exceptions are narrow, purpose‑driven, and always bounded by the minimum necessary standard, identity verification, and appropriate documentation. This overview is for general guidance and is not legal advice.
Before disclosing PHI under any exception, you should confirm the legal basis, limit the information to what is permitted, and record the disclosure for your accounting logs.
Disclosures Required by Law
You may disclose PHI when a statute, regulation, or other legal mandate compels it. “Required by law” includes laws that mandate reporting (for example, certain injuries or vital events) or that explicitly require a covered entity to release information to a government authority.
Key conditions
- Identify the specific legal authority that requires the disclosure and comply strictly with its scope and timing.
- Disclose only the PHI the law requires—no more, no less—while applying the minimum necessary standard where applicable.
- Verify the requestor’s identity and retain records that demonstrate the legal requirement and the PHI disclosed.
Public Health Activities
PHI may be disclosed to public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability. This includes public health surveillance, investigations, and interventions, as well as reporting adverse events to regulated manufacturers.
Permitted purposes
- Disease or injury reporting, vital statistics, and exposure notifications to persons at risk.
- Product tracking, recalls, and adverse event reporting to manufacturers and agencies.
- Immunization reporting to schools or similar institutions as permitted by state law and applicable consent rules.
Compliance tips
- Confirm the recipient is a public health authority authorized to receive PHI for the stated purpose.
- Share only the minimum PHI necessary to accomplish the public health objective.
Health Research Conditions
HIPAA permits certain research disclosures without individual authorization when strict safeguards are met. Common pathways include an Institutional Review Board (IRB) or Privacy Board waiver, activities preparatory to research, and research solely on decedents’ information with proper representations.
Permitted pathways
- IRB or Privacy Board waiver: An IRB or Privacy Board determines that the privacy risk is minimal, that the research cannot practicably be conducted without the waiver and without access to PHI, and that there is an adequate plan to protect identifiers.
- Preparatory to research: Review PHI on‑site to design a study or assess feasibility; no PHI leaves the covered entity.
- Decedents’ research: PHI may be used when research is solely about decedents and the researcher certifies the necessity of the information.
- Limited data set: Share PHI stripped of direct identifiers under a Data Use Agreement; de‑identified data are not PHI.
Operational safeguards
- Document IRB approvals, waivers, and researcher representations before any disclosure.
- Apply minimum necessary and store any disclosed PHI securely with access controls and retention limits.
Reporting Abuse and Neglect
You may disclose PHI to report child abuse or neglect, and in certain circumstances to report adult abuse, neglect, or domestic violence to authorities authorized by law to receive such reports.
Conditions and notifications
- Disclose when required by law or when the individual agrees, or when permitted by law and you believe the disclosure is necessary to prevent serious harm.
- When reporting adult abuse or domestic violence, inform the individual of the disclosure when it is safe to do so, unless doing so would place the individual at risk or is prohibited by law.
- Limit the PHI to what the law permits or requires for the report.
Law Enforcement Disclosures
HIPAA allows specific disclosures to law enforcement under tightly defined circumstances.
Common scenarios
- Responding to legal process or requests permitted by law (e.g., orders, warrants). See also the separate rules for court processes under Judicial and Administrative Proceedings.
- Providing limited identification and location information about a suspect, fugitive, material witness, or missing person (excluding DNA, dental records, or biometric identifiers for this purpose).
- Reporting a crime that occurred on the covered entity’s premises or, when providing emergency care off‑site, alerting law enforcement to the nature and location of the crime and the identity of the perpetrator.
- Sharing information about a victim with the victim’s agreement, or in specific circumstances without agreement when the law allows and the situation warrants.
- Reporting a death that may have resulted from criminal conduct.
Practice points
- Verify authority, record the request, and disclose only the minimum necessary information permitted for the scenario.
- When in doubt, consult counsel before releasing PHI to law enforcement outside of emergencies.
Judicial and Administrative Proceedings
PHI may be disclosed in response to a court order or an administrative tribunal order. For a subpoena or discovery request that is not accompanied by a court order, additional safeguards apply.
What you can disclose
- Court or administrative order: Disclose only the PHI expressly authorized by the order.
- Subpoena or discovery request without an order: Obtain satisfactory assurances that the individual has been notified and had an opportunity to object, or that a qualified protective order is in place; otherwise, make reasonable efforts to provide such notice or seek the protective order yourself.
Operational safeguards
- Coordinate with legal counsel to confirm the scope and adequacy of process before disclosing PHI.
- Apply minimum necessary and keep an audit trail of what was disclosed and why.
Organ Donation and Transplant Facilitation
You may disclose PHI to organ procurement organizations or other entities engaged in procurement, banking, or transplantation of organs, eyes, or tissue to facilitate organ donation and transplant coordination.
Good practices
- Share only information necessary for assessing donor suitability and coordinating recovery and transplantation.
- Ensure timely communication with the authorized organization to avoid jeopardizing donation opportunities.
Oversight and Compliance
Disclosures to a health oversight agency are permitted for activities authorized by law, including audits, investigations, inspections, licensure, or disciplinary actions related to the health care system or government benefits programs.
HIPAA enforcement
- You must disclose PHI to the U.S. Department of Health and Human Services when it requests the information to investigate or determine the covered entity’s compliance with HIPAA.
- Maintain records and preserve documents relevant to oversight or compliance reviews, and disclose only what is necessary for the oversight purpose.
Workers’ Compensation Disclosures
HIPAA permits disclosures of PHI as necessary to comply with workers’ compensation or similar laws. You may share PHI related to a work‑related injury or illness with insurers, employers, or programs as authorized by the applicable statute or regulation.
Scope and limits
- Follow the specific requirements of the applicable workers’ compensation program and state law regarding what PHI may be disclosed.
- Release only the minimum PHI necessary to obtain benefits or fulfill program obligations, and document each disclosure.
Serious Threat to Health or Safety
You may disclose PHI when, in good faith, you believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Disclosures should be made to those reasonably able to prevent or mitigate the threat, including law enforcement.
Clinical and ethical guardrails
- Ensure the threat is serious and imminent, the disclosure is consistent with applicable law and ethical standards, and the recipient is positioned to act.
- Limit the PHI to what is needed to address the threat, and record your rationale and the disclosure in the medical record or compliance log.
Conclusion
HIPAA permits targeted disclosures of PHI without authorization only for well‑defined purposes—legal mandates, public health, research under safeguards, safety threats, oversight, justice system needs, organ donation, and workers’ compensation. Apply minimum necessary, verify authority, document decisions, and involve counsel when requests are complex or overlapping.
FAQs
What Are the Main Exceptions to HIPAA Privacy Rule?
The principal exceptions allow PHI disclosures without authorization for: disclosures required by law; public health activities; research under IRB/Privacy Board waivers or similar conditions; reporting abuse, neglect, or domestic violence; law enforcement purposes; judicial and administrative proceedings; organ and tissue donation coordination; health oversight and HIPAA compliance; workers’ compensation programs; and to avert a serious and imminent threat to health or safety.
When Can PHI Be Disclosed Without Authorization?
You may disclose PHI without authorization only when a specific HIPAA provision permits it—such as complying with a legal mandate, fulfilling a public health or oversight function, responding to legitimate court processes, assisting law enforcement in defined scenarios, supporting an organ donation workflow, meeting workers’ compensation program requirements, enabling research under a valid waiver, or preventing a serious and imminent threat. In all cases, verify the legal basis, apply the minimum necessary standard, and document the disclosure.
How Does HIPAA Regulate Disclosures for Research?
Research disclosures generally require an authorization unless an Institutional Review Board (IRB) or Privacy Board waiver is granted, the activity is preparatory to research, or the research involves only decedents’ information with proper representations. Alternatively, you may share a limited data set under a Data Use Agreement, while fully de‑identified data fall outside HIPAA. Each pathway requires safeguards, a justification of necessity, and documentation before PHI is accessed or disclosed.