HIPAA Privacy Rule: Permitted PHI Access, Uses, and Disclosures Explained


Kevin Henry

HIPAA

February 19, 2025

7 minute read

The HIPAA Privacy Rule defines when a covered entity may access, use, and disclose protected health information (PHI) and when explicit individual authorization is required. Understanding these guardrails helps you meet compliance obligations while supporting care, payment, and operations.

This guide explains permitted pathways, required disclosures, and special cases such as public health, research, and law enforcement. It also clarifies the Minimum Necessary Standard and incidental uses so your PHI disclosure decisions are consistent and defensible.

Permitted Uses and Disclosures

Treatment, Payment, and Health Care Operations (TPO)

You may use or disclose PHI without individual authorization for treatment, payment, and health care operations. This includes care coordination, claims management, quality improvement, case management, and related administrative tasks by a covered entity and its business associates.

With Individual Authorization

When a use or disclosure is not otherwise permitted, obtain written individual authorization. A valid authorization specifies the information, purpose, recipient, expiration, and revocation rights. You must honor revocation going forward, except where you already relied on the authorization.

Opportunity to Agree or Object

Certain disclosures are permitted if the individual is informed and given an opportunity to agree or object. Examples include facility directories and sharing limited information with family, friends, or caregivers involved in care or payment when consistent with the individual’s known preferences.

Required by Law and Public Interest Categories

Disclosures “required by law” are permitted to the extent the law mandates them. The Privacy Rule also permits targeted disclosures for public health, research, law enforcement, judicial proceedings, health oversight activities, workers’ compensation, and to avert a serious threat—each with specific conditions explained below.

Required Disclosures

To the Individual

You must disclose PHI to the individual (or personal representative) upon request to exercise the right of access and, when applicable, to provide an accounting of disclosures. Generally, access should be fulfilled promptly and no later than the standard HIPAA timeframes.

To the Department of Health and Human Services (HHS)

You must disclose PHI to HHS when it requests information to investigate or determine compliance with the Privacy Rule. Maintain records and respond fully and timely during any compliance investigation or review.

Public Health Activities

Permitted Disclosures

  • To a public health authority for preventing or controlling disease, injury, or disability, including reporting, surveillance, and interventions.
  • To persons at risk of contracting or spreading a disease when authorized by law and necessary to carry out public health interventions.
  • To the Food and Drug Administration regarding product quality, safety, adverse events, and recalls.
  • To an employer regarding work-related illness or injury, when obtained during workplace surveillance and permitted by law.

Apply the Minimum Necessary Standard unless a specific exception applies, and document the legal authority for each PHI disclosure.

Health Research

Pathways for Research Use and Disclosure

  • Individual authorization: Use a research-specific authorization when feasible.
  • Waiver or alteration of authorization: An Institutional Review Board or Privacy Board may approve a waiver when criteria such as minimal risk to privacy are met and adequate safeguards are in place.
  • Preparatory to research: Investigators may review PHI on-site to design a study or assess feasibility, without removing PHI from the covered entity.
  • Research solely on decedents: Permitted with appropriate representations from the researcher.
  • Limited data set with a data use agreement: Share only specified fields, excluding direct identifiers, under binding safeguards.

De-identified data are not PHI and are outside the Privacy Rule; however, verify that de-identification methodology is sound before release.

Law Enforcement

Permitted Disclosures to Law Enforcement Officials

  • When required by law, such as by a court order, warrant, or subpoena that meets HIPAA conditions.
  • To identify or locate a suspect, fugitive, material witness, or missing person, limited to basic identifiers.
  • About a victim of a crime, when the individual agrees, or when the individual is incapacitated and the disclosure is necessary and not contrary to the individual’s best interests.
  • When PHI is evidence of a crime that occurred on the covered entity’s premises.
  • To report a crime in an emergency, including the nature of the crime, its location, and the identity or description of the perpetrator.

Confirm authority, scope, and the Minimum Necessary Standard for each request, and document your response to preserve compliance.

Judicial and Administrative Proceedings

Orders, Subpoenas, and Protective Measures

You may disclose PHI in response to a court or administrative order, limited to the information expressly authorized. For subpoenas or discovery requests without an order, obtain satisfactory assurances (such as a qualified protective order) or seek the individual’s authorization or opportunity to object.

Coordinate with counsel to ensure disclosures are narrowly tailored and consistent with both HIPAA and applicable procedural rules.

Health Oversight Activities

Disclosures to a Health Oversight Agency

You may disclose PHI to a health oversight agency for audits, investigations, inspections, licensure, and disciplinary actions. These activities support oversight of the health care system and government benefit programs.

Keep records of what you disclosed, the legal authority, and the requestor’s identity to demonstrate compliance during any compliance investigation or review.

Workers' Compensation

PHI disclosures are permitted as authorized by and to the extent necessary to comply with workers’ compensation or similar laws. Share only what the law requires to process claims, coordinate benefits, or determine work-related conditions.

Document the statutory or regulatory basis for each disclosure and apply the Minimum Necessary Standard where appropriate.

Minimum Necessary Standard

Scope and Key Exceptions

When using, disclosing, or requesting PHI, limit it to the minimum necessary to accomplish the purpose. This standard does not apply to disclosures for treatment, disclosures to the individual, uses or disclosures authorized by the individual, disclosures to HHS for oversight, or uses/disclosures required by law.

Operationalizing Minimum Necessary

  • Adopt role-based access and standard protocols that define who may access which data and for what purpose.
  • Use data segmentation, limited data sets, and reasoned denials when requests exceed the legitimate purpose.
  • Rely reasonably on representations from public officials and business associates when appropriate, while validating unfamiliar or broad requests.
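The following is an added illustration, not code from the article or from Accountable, of how the Minimum Necessary exceptions listed above, a role-based access protocol, and the limited-data-set option from the research section could be encoded as a single request review. The role-to-field map, the set of direct identifiers, and the sample record are all constructed assumptions; a real covered entity's protocols define them.

```python
from typing import Optional, Tuple

# Purposes the article lists as exempt from the Minimum Necessary Standard.
MIN_NECESSARY_EXEMPT = {
    "treatment", "to_individual", "individual_authorization",
    "hhs_compliance", "required_by_law",
}

# Assumed role-to-field protocol (constructed; a real one comes from the
# covered entity's own standard protocols, not from this page).
ROLE_FIELDS = {
    "billing": {"patient_id", "dob", "procedure_codes", "insurance_id"},
    "quality_improvement": {"patient_id", "diagnosis", "procedure_codes"},
}

# Assumed direct identifiers stripped for a limited data set (constructed subset).
DIRECT_IDENTIFIERS = {"name", "ssn", "address", "phone", "insurance_id"}


def minimum_necessary_applies(purpose: str) -> bool:
    """True unless the purpose is one of the listed exceptions."""
    return purpose not in MIN_NECESSARY_EXEMPT


def review_request(record: dict, purpose: str, role: Optional[str] = None,
                   limited_data_set: bool = False) -> Tuple[dict, set]:
    """Return (released_fields, withheld_field_names) for one PHI request.

    Raises PermissionError as a reasoned denial when the requesting role has
    no defined access protocol, so the request is escalated, not filled.
    """
    if not minimum_necessary_applies(purpose):
        return dict(record), set()          # exception: release as requested
    allowed = set(record)
    if role is not None:
        if role not in ROLE_FIELDS:
            raise PermissionError(f"no access protocol defined for role {role!r}")
        allowed &= ROLE_FIELDS[role]        # role-based minimum necessary
    if limited_data_set:
        allowed -= DIRECT_IDENTIFIERS       # limited data set under a DUA
    released = {k: v for k, v in record.items() if k in allowed}
    return released, set(record) - allowed


# Constructed sample record, not real PHI.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Example Patient", "ssn": "000-00-0000",
    "dob": "1980-01-01", "diagnosis": "J18.9", "procedure_codes": ["71045"],
    "insurance_id": "INS-1234",
}

if __name__ == "__main__":
    released, withheld = review_request(SAMPLE_RECORD, "payment", role="billing")
    print(sorted(released), sorted(withheld))
```

The withheld set is returned alongside the released fields so that each decision can be recorded with the request, purpose, and authority relied on.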

Incidental Uses and Disclosures

Definition and Safeguards

Incidental uses and disclosures are unintended, secondary results of a permitted use or disclosure that occur despite reasonable safeguards. Examples include a passerby overhearing a brief conversation or minimal PHI visible on a sign-in sheet configured with safeguards.

To qualify as incidental, the underlying use or disclosure must be permitted, and you must employ reasonable administrative, physical, and technical safeguards along with the Minimum Necessary Standard.

Consistent training, privacy-sensitive workspace design, and timely mitigation reduce risk while supporting effective clinical and operational workflows.

In summary, the Privacy Rule empowers you to share PHI for care, operations, and defined public interest purposes while protecting individuals through authorization requirements, the Minimum Necessary Standard, oversight, and safeguards for incidental exposure.

FAQs

What PHI uses and disclosures are permitted without individual authorization?

Without individual authorization, you may use or disclose PHI for treatment, payment, and health care operations; to the individual; when required by law; and for specific public interest purposes such as public health, research under an IRB/Privacy Board waiver, law enforcement, judicial and administrative proceedings, health oversight activities, workers’ compensation, and to avert serious threats—each subject to conditions and the Minimum Necessary Standard where applicable.

When must PHI be disclosed to the Department of Health and Human Services?

You must disclose PHI to HHS whenever it requests information to investigate, review, or enforce HIPAA compliance. Maintain documentation, cooperate with the request, and disclose only what the request covers, consistent with applicable safeguards.

How does the Minimum Necessary Standard apply to PHI use and disclosure?

Except for key exceptions—treatment, disclosures to the individual, uses/disclosures pursuant to valid authorization, disclosures to HHS, and those required by law—you must limit PHI to the minimum necessary to achieve the purpose. Implement role-based access, standard protocols, and data minimization to satisfy this requirement.

What are incidental uses and disclosures under the HIPAA Privacy Rule?

Incidental uses and disclosures are unintended, secondary exposures that occur as a by-product of an otherwise permitted activity, despite reasonable safeguards. They are allowed only if you applied appropriate protections and the underlying use or disclosure was permitted in the first place.
