HIPAA Privacy Rule: Protections and Restrictions for PHI Use and Disclosure

Kevin Henry

HIPAA

February 10, 2025


Permitted Uses and Disclosures

Treatment, Payment, and Health Care Operations (TPO)

Under the HIPAA Privacy Rule, covered entities may use or disclose Protected Health Information (PHI) for treatment, payment, and health care operations without your prior written permission. This includes care coordination, billing, quality assessment, training, accreditation, and legal or auditing functions that support routine operations.

The Minimum Necessary Standard does not apply to disclosures to, or requests by, a health care provider for treatment. Uses of PHI for treatment within the entity's own workforce are still subject to it, so covered entities should define role-based access and apply good judgment to avoid unnecessary sharing.

Public Interest and Benefit Activities

HIPAA allows certain disclosures in the public interest when specific conditions are met. These include:

  • Activities required by law or to comply with a court order or subpoena.
  • Public health reporting (for example, disease reporting, adverse events, product recalls).
  • Reporting abuse, neglect, or domestic violence to authorized agencies.
  • Health oversight activities (audits, inspections, licensure).
  • Judicial and law enforcement purposes under defined standards.
  • Coroners, medical examiners, funeral directors, and organ procurement organizations.
  • Research with institutional approvals or waivers, and limited data sets with data use agreements.
  • To avert serious threats to health or safety and for specialized government functions.
  • Workers’ compensation programs, as authorized by law.

Incidental Disclosures

Incidental disclosures that occur as a byproduct of an otherwise permitted use or disclosure are allowed if reasonable safeguards are in place and the Minimum Necessary Standard is applied where required.

Disclosures Requiring Individual Authorization

Uses or disclosures outside the permitted categories generally require your written Individual Authorization. This includes most marketing communications, most uses or disclosures of psychotherapy notes, and any sale of PHI unless an exception applies. Fundraising communications do not require authorization, but each one must give you a clear and conspicuous way to opt out of further fundraising contact.

Individual Rights Concerning PHI

Right of Access

You have the right to access, inspect, and obtain a copy of your PHI in a designated record set, including electronic records when readily producible. Covered entities must generally respond within 30 days and may charge only a reasonable, cost-based fee. You may direct a copy to a chosen third party in writing.

Right to Amend

You may request an amendment if you believe your PHI is inaccurate or incomplete. The entity must act within set timeframes, explain any denial (for example, when records are accurate, not created by the entity, or not part of the designated record set), and allow you to submit a statement of disagreement that becomes part of the record.

Right to Request Restrictions

You can ask a covered entity to limit uses or disclosures for TPO. While entities are not required to agree to most requests, they must agree to restrict disclosure to a health plan for payment or operations if you pay in full out of pocket for the item or service and request the restriction.

Right to Confidential Communications

You may request communications by alternative means or at alternative locations (for example, a different mailing address, or a personal rather than a work phone number). Health care providers must accommodate reasonable requests without asking why; health plans must accommodate reasonable requests when you state that disclosure could endanger you.

Accounting of Disclosures

You may request an accounting of disclosures made in the six years before the request. The accounting excludes disclosures for treatment, payment, and health care operations, disclosures to you or made under your authorization, incidental disclosures, and several other categories, so it mainly captures disclosures such as those required by law or made for public health and health oversight.

Notice of Privacy Practices

You have the right to receive a Notice of Privacy Practices explaining how your PHI may be used or disclosed, your rights, and whom to contact with questions or complaints.

Implementation of Safeguards

Administrative Safeguards

Covered entities must adopt Administrative Safeguards such as risk analysis, policies and procedures, workforce training and sanctions, contingency planning, and business associate agreements. Clear role-based access controls and the Minimum Necessary Standard should be embedded in daily workflows.

Physical Safeguards

Physical Safeguards include facility access controls, workstation and device security, media re-use/disposal procedures, and visitor management. You should expect locked areas for records, secure storage, and procedures to prevent unauthorized viewing of PHI.

Technical Safeguards

Technical Safeguards protect electronic PHI and include unique user IDs, automatic logoff, audit controls, integrity protections, encryption in transit and at rest where reasonable and appropriate, and transmission security. Multi-factor authentication and monitored access logs are common controls.

Privacy Rule and Security Rule Interplay

The Privacy Rule requires reasonable administrative, physical, and technical safeguards to prevent impermissible uses and disclosures. The Security Rule specifies detailed standards for electronic PHI; together, they guide how covered entities protect your information end to end.

Minimum Necessary Standard

Core Principle

When using, disclosing, or requesting PHI, covered entities must limit it to the Minimum Necessary to accomplish the intended purpose. Policies should define the least amount of information needed for routine tasks and require elevated approvals for atypical requests.

Key Exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to you (the individual) or pursuant to your Individual Authorization.
  • Uses or disclosures required by law.
  • Disclosures to the U.S. Department of Health and Human Services for compliance investigations.

Applying the Standard in Practice

Implement role-based access, standardized request forms, and audit checks to right-size data sharing. When full identifiers are unnecessary, use de-identified data or limited data sets with data use agreements to reduce privacy risk.

Prohibition on Sale of PHI

General Rule

Covered entities and business associates may not receive direct or indirect remuneration in exchange for PHI without your explicit Individual Authorization that states the sale. “Sale” includes licensing or other exchanges for value, not just cash payments.

Limited Exceptions

  • Public health activities, and research where the only remuneration is a reasonable, cost-based fee to cover the cost of preparing and transmitting the PHI.
  • Disclosures for treatment and payment, and disclosures to a business associate for activities it performs on the covered entity's behalf, where the only remuneration is the covered entity's payment for those services.
  • Disclosures to you, those required by law, and those incident to the sale or transfer of a covered entity.

Even when an exception applies, entities must still apply the Minimum Necessary Standard where it is required (it does not apply to treatment disclosures) and document the rationale for the disclosure.

Requesting Restrictions on PHI

How to Make the Request

Submit a written request to the covered entity’s privacy office specifying the records, people, and purposes you want restricted. Be clear whether the restriction applies to internal use, external disclosures, or both, and for how long.

When Agreement Is Required

If you pay in full out of pocket and request that a specific item or service not be disclosed to your health plan for payment or operations, the covered entity must honor the restriction for that item or service unless disclosure is otherwise required by law.

Emergencies and Practical Limits

Restrictions may be overridden in bona fide emergencies if needed to provide treatment. Covered entities should document the restriction and communicate it across relevant systems to reduce accidental disclosures.
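As an added example (not code from the original article or from any product it mentions), the decision logic a covered entity's application layer might apply when a record is requested. It encodes the points made under "Applying the Standard in Practice" and in this section: role-based field allowlists for the Minimum Necessary Standard, with the exception for a provider's treatment request; the self-pay restriction on disclosures to a health plan for payment or operations, which only a legal requirement overrides; the emergency-treatment override for other agreed restrictions, with the follow-up request that the recipient not redisclose; and an audit entry for every decision. The roles, field names, service codes, recipient types and the sample record are constructed for illustration and are not taken from any regulation.

```python
from dataclasses import dataclass, field

TREATMENT, PAYMENT, OPERATIONS = "treatment", "payment", "operations"

# Hypothetical role -> field allowlist: the least information each role needs
# for its routine tasks. A real deployment would manage this per workflow.
ROLE_FIELDS = {
    "provider":  {"patient_id", "name", "dob", "diagnoses", "medications", "services"},
    "billing":   {"patient_id", "dob", "insurance_id", "services"},
    "scheduler": {"patient_id", "name", "phone"},
}


@dataclass
class Restriction:
    recipient: str                       # e.g. "health_plan", "external_provider"
    purposes: frozenset                  # purposes the restriction covers
    self_pay: bool = False               # the mandatory out-of-pocket restriction
    services: frozenset = frozenset()    # service codes paid in full out of pocket


@dataclass
class Record:
    data: dict
    restrictions: list = field(default_factory=list)


@dataclass
class Request:
    role: str
    purpose: str
    recipient: str = "internal"          # "internal", "health_plan", "external_provider"
    emergency: bool = False
    required_by_law: bool = False


@dataclass
class Decision:
    view: dict                           # fields actually released ({} = denied)
    reasons: list
    ask_no_redisclosure: bool = False    # set when restricted PHI went out for emergency care


AUDIT_LOG = []                           # one entry per decision, for the audit controls


def _evaluate(record: Record, req: Request) -> Decision:
    reasons = []
    view = dict(record.data)             # shallow copy; services list is rebuilt below
    ask_no_redisclosure = False

    # 1. Agreed restrictions. The self-pay restriction binds unless disclosure is
    #    required by law; other agreed restrictions yield only to emergency treatment.
    for r in record.restrictions:
        if r.recipient != req.recipient or req.purpose not in r.purposes:
            continue
        if req.required_by_law:
            reasons.append(f"restriction on {r.recipient} overridden: required by law")
            continue
        if r.self_pay:
            kept = [s for s in view.get("services", []) if s not in r.services]
            reasons.append(f"self-pay restriction: withheld {len(view.get('services', [])) - len(kept)} service(s)")
            view["services"] = kept
        elif req.emergency and req.purpose == TREATMENT:
            ask_no_redisclosure = True
            reasons.append("agreed restriction overridden for emergency treatment; ask recipient not to redisclose")
        else:
            reasons.append(f"denied: agreed restriction on disclosure to {r.recipient} for {req.purpose}")
            return Decision({}, reasons)

    # 2. Minimum necessary, except for a provider's request for treatment.
    if req.purpose == TREATMENT and req.role == "provider":
        reasons.append("minimum necessary not applied: provider treatment request")
    else:
        allowed = ROLE_FIELDS.get(req.role)
        if allowed is None:
            reasons.append(f"denied: no access profile for role {req.role!r}")
            return Decision({}, reasons)
        dropped = sorted(set(view) - allowed)
        view = {k: v for k, v in view.items() if k in allowed}
        reasons.append(f"minimum necessary: dropped {dropped}")

    return Decision(view, reasons, ask_no_redisclosure)


def decide(record: Record, req: Request) -> Decision:
    """Evaluate a request and record the outcome in the audit log."""
    decision = _evaluate(record, req)
    AUDIT_LOG.append({
        "patient_id": record.data.get("patient_id"), "role": req.role,
        "purpose": req.purpose, "recipient": req.recipient,
        "released": sorted(decision.view), "reasons": decision.reasons,
    })
    return decision


def sample_record() -> Record:
    """Constructed sample: one self-pay service, plus an agreed restriction on an outside clinic."""
    return Record(
        data={"patient_id": "P-1001", "name": "A. Example", "dob": "1980-01-01",
              "phone": "555-0100", "insurance_id": "INS-42", "diagnoses": ["J06.9"],
              "medications": ["amoxicillin"], "services": ["99213", "96127"]},
        restrictions=[
            Restriction("health_plan", frozenset({PAYMENT, OPERATIONS}),
                        self_pay=True, services=frozenset({"96127"})),
            Restriction("external_provider", frozenset({TREATMENT})),
        ],
    )


if __name__ == "__main__":
    rec = sample_record()
    for req in (Request("billing", PAYMENT, "health_plan"),
                Request("provider", TREATMENT, "external_provider"),
                Request("provider", TREATMENT, "external_provider", emergency=True)):
        d = decide(rec, req)
        print(req.role, req.purpose, req.recipient, "->", sorted(d.view), d.reasons)
```

The restriction is keyed on service codes, so a claim sent to the health plan for payment simply omits the self-pay service rather than failing outright; that matches the practical advice above to record the restriction in the systems that generate disclosures. The audit entries list only field names, never values, so the log itself does not become a second copy of the PHI.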

Documenting and Ending Restrictions

Agreed restrictions must be documented and followed. A covered entity may terminate a restriction if you agree in writing (or orally, with the agreement documented), or by informing you that it is ending the restriction, in which case the termination applies only to PHI created or received afterward. The self-pay restriction cannot be terminated by the entity on its own.

Accessing and Amending PHI

How to Access Your Records

Ask to inspect or obtain a copy of your PHI in the form and format you prefer if readily producible (for example, portal download, PDF, or paper). The entity must act within 30 days; it may extend once, by no more than 30 days, if it gives you a written statement of the reason for the delay and the date by which it will complete the request. Only reasonable, cost-based fees may apply.

Grounds for Denial and Review

Access may be denied in limited cases, such as psychotherapy notes or information prepared for litigation. Certain denials are reviewable by another licensed professional; you also have the right to a written explanation and instructions for filing a complaint.

How Amendments Work

If your amendment is accepted, the entity must append the change and make reasonable efforts to inform others who rely on the information. If denied, you can submit a statement of disagreement, and your request, the denial, and your statement will accompany future disclosures as required.

Conclusion

The HIPAA Privacy Rule balances your control over PHI with the clinical, operational, and public health needs of the health system. Know your rights, use targeted requests, and expect covered entities to apply the Minimum Necessary Standard and strong safeguards to protect your information.

FAQs

What are the permitted uses of PHI under the HIPAA Privacy Rule?

PHI may be used or disclosed without authorization for treatment, payment, and health care operations; for specified public interest purposes (such as public health, health oversight, law enforcement under defined limits, and organ donation); and as required by law. Incidental disclosures are allowed when reasonable safeguards are in place. Other uses generally require Individual Authorization.

How can individuals request restrictions on their PHI?

Submit a written request identifying the information, recipients, and purposes to be restricted. While covered entities may decline most requests, they must restrict disclosures to a health plan for payment or operations when you pay in full out of pocket for the item or service and ask for the restriction, unless disclosure is otherwise required by law.

What safeguards must covered entities implement to protect PHI?

Covered entities must deploy Administrative Safeguards (policies, training, risk analysis, BAAs), Physical Safeguards (facility, device, and workstation controls), and Technical Safeguards (access controls, encryption, audit logs, transmission security). Together these measures limit access to the Minimum Necessary and help prevent impermissible uses or disclosures.

Can covered entities sell PHI without authorization?

No. The Privacy Rule prohibits the sale of PHI without an explicit Individual Authorization stating that the disclosure will involve remuneration. Narrow exceptions exist, including public health activities, research where the only remuneration is a reasonable, cost-based fee, disclosures to you, those for treatment and payment, and those required by law.
