HIPAA Privacy Rule Exceptions: When You May Use or Disclose PHI


Kevin Henry

HIPAA

March 04, 2025


The HIPAA Privacy Rule generally requires an authorization before you use or disclose Protected Health Information (PHI). It also recognizes limited exceptions that support public interests and legal obligations. This guide explains those exceptions and how to apply safeguards like the minimum necessary standard, verification, and documentation.

Core principles that apply to all exceptions

  • Minimum necessary: unless a law requires specific information, disclose only what is reasonably necessary for the purpose.
  • Verification: confirm the requestor’s identity and authority before releasing PHI.
  • Documentation: record the legal basis, recipient, date, and scope; include in your accounting of disclosures when required.
  • Stricter laws: if state or other federal laws are more protective, follow the stricter rule.
  • Security: transmit and store PHI securely and limit workforce access.

Required by Law Disclosures

You may disclose PHI when a law requires it. This includes statutes, regulations, or court mandates that compel disclosure. Your role is to meet the requirement precisely—no more, no less—while observing Legal Process Compliance and your organization’s policies.

What this allows

Mandatory reports (for example, specific injuries or abuse when required by law), compliance with court orders, and disclosures that a statute explicitly compels. If a request exceeds what the law requires, narrow the disclosure to the required elements.

Safeguards

  • Identify the exact legal authority and retain it in your records.
  • Disclose only what the law demands; apply minimum necessary where discretion exists.
  • Track the disclosure if an accounting is applicable.

Public Health Activities

Disclosures for public health are permitted to public health authorities authorized by law to collect or receive information for Public Health Surveillance, investigation, or intervention. You may also disclose to persons at risk of contracting or spreading a disease, and to entities overseeing product safety.

Common scenarios

  • Disease and vital event reporting to public health authorities.
  • Notifying individuals or employers about workplace-related medical surveillance when required by law and with appropriate employee notice.
  • Reporting adverse events to regulators for product safety and quality.

Safeguards

Verify the authority of the recipient, limit disclosures to the minimum necessary, and document your public health purpose and recipient. Apply additional protections required by state law where applicable.

Health Oversight Activities

You may disclose PHI to Health Oversight Agencies for activities authorized by law, such as audits, inspections, licensure, and investigations. These functions enable government or professional bodies to monitor the health care system and enforce standards.

Practical guidance

  • Respond to oversight requests (e.g., audits or licensure reviews) with the information they lawfully require.
  • Ensure the request actually relates to oversight and is not being used for an unrelated civil, criminal, or administrative action, unless such use is permitted by law.
  • Retain the request and your response details for your compliance file.

Judicial and Administrative Proceedings

PHI may be disclosed in response to a court or administrative order. Without an order, disclosures in litigation generally require either the individual’s authorization or assurances (such as notice to the individual or a protective order) that satisfy Legal Process Compliance.

How to proceed

  • Carefully review orders, subpoenas, or discovery demands and disclose only what they authorize.
  • Seek protective orders or redact where appropriate to prevent unnecessary exposure of PHI.
  • Document the process and scope of the disclosure.

Law Enforcement Purposes

Limited disclosures to law enforcement are permitted in defined circumstances. Examples include responding to legal process or requests required by law, locating or identifying a suspect or missing person, reporting crimes on the premises, or responding to emergencies.


Key limits

  • Provide only the minimum information necessary for the stated purpose.
  • When assisting identification or location, share limited identifying details; avoid clinical content unless specifically authorized by law.
  • Record the basis for the disclosure and the officer or agency involved.

Decedents' Information Disclosures

HIPAA protects a decedent’s PHI for 50 years after death. You may disclose PHI to coroners, medical examiners, and funeral directors as needed to carry out their duties, and to family members involved in care unless inconsistent with known preferences.

Research on decedents

PHI may be disclosed for research solely on decedents when the researcher documents the necessity of PHI and that the subjects are deceased. Keep copies of researcher representations and maintain appropriate access controls.

Organ Donation and Research Purposes

You may disclose PHI to organ procurement organizations to facilitate organ, eye, or tissue donation and transplantation. These disclosures support time-sensitive matching and recovery processes.

Research pathways

  • Authorization from the individual; or an Institutional Review Board Waiver (or Privacy Board waiver) when criteria are met.
  • Use of a limited data set under a data use agreement, or de-identified information that is not PHI.
  • Preparatory-to-research reviews and research on decedents under the rule’s conditions.

Safeguards

Confirm the research basis, apply minimum necessary, and maintain agreements or waivers in your records. Include disclosures in your accounting when required.

Averting Serious Threats

You may disclose PHI to prevent or lessen a serious and imminent threat to health or safety when you believe in good faith that the disclosure is needed. You should disclose to persons or entities reasonably able to mitigate the harm, such as law enforcement or a potential victim—this is a carefully scoped Serious Threat Disclosure.

Practice tips

  • Rely on professional judgment and document your rationale and the recipient.
  • Disclose only what is necessary for the recipient to act.
  • Follow applicable state “duty to warn” or similar requirements where they exist.

Specialized Government Functions

Certain government activities have tailored rules. These include military and veterans’ activities, national security and intelligence functions, protective services for officials, and disclosures to correctional institutions or law enforcement officials regarding inmates.

Operational guidance

  • Confirm the request falls within a recognized specialized function and that the requestor is authorized.
  • Limit disclosures to what the function requires and document your decision-making.

Workers' Compensation Disclosures

PHI may be disclosed as necessary to comply with workers’ compensation or similar programs that provide benefits for work-related injuries or illness. Disclosures typically go to insurers, program administrators, or state agencies.

Scope and safeguards

  • Disclose only what the applicable law or program needs; keep employment and group health plan records separate.
  • When broader information is requested, obtain an appropriate Workers' Compensation Authorization or the individual’s HIPAA authorization.
  • Record the request, legal basis, and information released for your compliance log.

Summary

HIPAA allows narrowly tailored uses and disclosures of PHI without authorization when law or strong public interests require it. Apply minimum necessary, verify authority, document your rationale, and honor stricter laws. With these safeguards, you can meet legal duties while protecting privacy.

FAQs

What are the key circumstances that allow disclosure of PHI without authorization?

Disclosures without authorization are allowed when required by law; for public health activities (including Public Health Surveillance and product safety); to Health Oversight Agencies; for judicial or administrative proceedings with proper process; for defined law enforcement purposes; for decedents (e.g., to coroners and funeral directors); to facilitate organ donation; for research under an authorization, limited data set, or Institutional Review Board Waiver; to avert serious and imminent threats; for specialized government functions; and to comply with workers’ compensation programs.

How does the HIPAA Privacy Rule regulate research use of PHI?

Researchers may access PHI with the individual’s authorization or, when criteria are met, under an Institutional Review Board Waiver (or Privacy Board waiver). The rule also permits limited data sets under a data use agreement, reviews preparatory to research, and research solely on decedents with required assurances. De-identified data fall outside HIPAA. Minimum necessary, verification, and documentation requirements still apply.

When can law enforcement access PHI under HIPAA?

Law enforcement may receive PHI in specific situations: compliance with legal process or mandatory reporting laws; to locate or identify a suspect, fugitive, material witness, or missing person; for crimes on the premises; in certain emergencies; regarding a crime victim under defined conditions; or about a decedent. Each disclosure must be narrowly tailored, documented, and limited to the minimum necessary for the stated purpose.

What protections exist for PHI disclosed for public health activities?

Public health disclosures go only to authorized recipients for legitimate purposes like Public Health Surveillance, investigation, or intervention. You must verify authority, apply minimum necessary, use secure transmission, and maintain records of the disclosure. Where state law imposes stricter rules, follow the stricter standard to further safeguard PHI.
