HIPAA Privacy Rule Requirements for PHI Access, Use, and Disclosure
General Prohibition on Use and Disclosure
The HIPAA Privacy Rule establishes a default rule: do not use or disclose protected health information (PHI) unless a specific permission applies or the individual authorizes it. PHI is a subset of individually identifiable health information that relates to a person’s health, care, or payment and can identify the individual.
Covered Entities must apply this prohibition across all settings and media, including paper, verbal, and electronic records. Business associates are held to the same standard through contracts and may use or disclose PHI only as the Privacy Rule allows or as the contract permits.
Who is covered
- Covered Entities: health plans, health care clearinghouses, and providers that conduct standard electronic transactions.
- Business associates: vendors and partners that create, receive, maintain, or transmit PHI for a covered entity (for example, billing services, cloud hosts, and analytics firms).
Permitted Uses and Disclosures
Treatment, payment, and health care operations (TPO)
You may use and disclose PHI without authorization for treatment (care coordination and consultations), payment (billing and eligibility), and health care operations (quality improvement, auditing, and compliance). These core activities are foundational to care delivery.
To the individual and as authorized by the individual
PHI may be used or disclosed to the individual and as specifically permitted by a valid, written authorization. Authorizations must describe the information, recipient, purpose, expiration, and the individual’s right to revoke.
Incidental disclosures
Incidental disclosures that occur as a byproduct of an otherwise permitted use or disclosure are allowed if you apply reasonable safeguards and the minimum necessary standard.
Situational permissions
HIPAA also permits disclosures in limited circumstances such as to family or friends involved in care (with the individual’s agreement or opportunity to object), for facility directories, and during disaster relief efforts. Additional public interest permissions are detailed later in this article.
Required Disclosures
HIPAA requires two disclosures: (1) to the individual (or personal representative) upon request for access to PHI in the designated record set, and (2) to the Department of Health and Human Services (HHS) when it requests information to investigate or determine compliance.
All other disclosures are permitted or prohibited based on the Rule; they are not mandated by HIPAA, though other laws may independently require disclosure.
Minimum Necessary Standard
The minimum necessary standard limits uses, disclosures, and requests for PHI to the least amount needed to accomplish the purpose. Apply role-based access, standard protocols for routine disclosures, and documented criteria for non-routine ones.
When the standard does not apply
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to the individual who is the subject of the PHI.
- Uses or disclosures made pursuant to a valid authorization.
- Disclosures to HHS for compliance investigations.
- Disclosures required by law or as otherwise specifically exempted by the Rule.
For all other situations, restrict PHI to what is reasonably necessary, rely on professional judgment, and document policies to guide workforce decisions.
Safeguards Requirement
Covered Entities and business associates must implement appropriate safeguards to protect PHI against impermissible uses and disclosures. These safeguards also support the minimum necessary standard in daily operations.
- Administrative Safeguards: policies and procedures, risk analyses, workforce training, sanctions, and contingency planning.
- Technical Safeguards: unique user identification, access controls, audit logs, integrity and transmission security (such as encryption), and authentication.
- Physical Safeguards: facility access controls, workstation security, device and media controls (including secure disposal and reuse).
Individual Rights
Individuals have the right to access, inspect, and obtain a copy of PHI in the designated record set. You must provide access in the form and format requested if readily producible (including electronic copies) and within established time frames; reasonable, cost-based fees may apply for copies.
Individuals may request amendments to PHI, receive an accounting of certain disclosures, request restrictions on certain uses and disclosures (including one restriction you must honor: no disclosure to a health plan about services the individual paid for in full out-of-pocket), and request confidential communications by alternative means or locations. Individuals also have the right to receive a Notice of Privacy Practices that explains these rights and your duties.
Business Associates
Business associates perform functions involving PHI on behalf of Covered Entities. Before sharing PHI, you must execute Business Associate Agreements that bind the associate to safeguard PHI and limit its use and disclosure to contract purposes and HIPAA requirements.
Business Associate Agreements
- Specify permitted and required uses and disclosures of PHI.
- Require administrative, technical, and physical safeguards and breach notification.
- Flow down obligations to subcontractors that handle PHI.
- Provide for access, amendment, and accounting support, return or destruction of PHI at contract end, and HHS oversight cooperation.
De-Identification of PHI
Once health information is de-identified, it is no longer PHI and may be used or disclosed without HIPAA restrictions. De-identification must remove the ability to identify an individual, directly or indirectly, with a very small risk of re-identification.
Accepted methods
- Expert determination: a qualified expert applies accepted principles and documents that the risk of re-identification is very small.
- Safe harbor: remove the specified identifiers of the individual and of the individual's relatives, employers, or household members, and have no actual knowledge that the remaining information could identify the person.
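As an added illustration of the safe harbor method (example code, not part of the original article), the pass below drops or generalizes a record's identifiers. The identifier categories and the ZIP/date/age rules come from 45 CFR 164.514(b)(2), not from this article; the field names, the sample record, the free-text patterns, and the low-population ZIP set are constructed assumptions for the demo.

```python
import re

# Identifier categories that safe harbor removes outright (field names assumed).
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Constructed placeholder: 3-digit ZIP prefixes covering fewer than 20,000 people
# must be reported as "000". Use the current Census-derived list in practice.
LOW_POPULATION_ZIP3 = {"036", "059", "063"}
# Identifiers that commonly leak into free-text fields (constructed patterns).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def safe_harbor(record, low_pop_zip3=LOW_POPULATION_ZIP3):
    """Return a copy of `record` with safe harbor identifiers removed or generalized."""
    out = {}
    over_89 = int(record.get("age", 0)) > 89
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            zip3 = str(value)[:3]
            out[field] = "000" if zip3 in low_pop_zip3 else zip3
        elif field in DATE_FIELDS:
            # Ages over 89 aggregate to "90+", so a birth year would reveal the age.
            if not (over_89 and field == "birth_date"):
                out[field] = str(value)[:4]
        elif field == "age":
            out[field] = "90+" if over_89 else int(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out

SAMPLE_RECORD = {  # constructed input for the demo
    "name": "Jane Example", "mrn": "MRN-0001", "zip": "02139", "age": 92,
    "birth_date": "1932-04-17", "admission_date": "2024-06-03", "diagnosis": "I10",
    "notes": "Pt called from 617-555-0100; email jane@example.org; seen 2024-06-03.",
}
```

Structured scrubbing like this satisfies only the first half of safe harbor; the "no actual knowledge" condition still requires a human review of what remains.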
Limited data sets
For some activities (such as research and public health), you may disclose a limited data set—PHI that excludes specified direct identifiers—under a Data Use Agreement. A limited data set is not de-identified and remains subject to safeguards and permitted-purpose limits.
Psychotherapy Notes
Psychotherapy notes are the personal notes of a mental health professional analyzing a counseling session. They are kept separate from the medical record and exclude medication information, session times, modalities, test results, and summaries of diagnosis or treatment plan.
Use or disclosure of psychotherapy notes generally requires the individual’s specific authorization. Limited exceptions allow: use by the originator for treatment, use or disclosure for training mental health practitioners, use or disclosure to defend a legal action or other proceeding brought by the individual, and disclosures required by law. Most other permissions that apply to PHI do not extend to psychotherapy notes.
Public Interest and Benefit Activities
HIPAA permits—without authorization—certain disclosures that serve broader public interests, provided conditions are met and the minimum necessary standard applies where required. Common categories include:
- Disclosures required by law.
- Public health activities, including disease reporting and certain disclosures about victims of abuse, neglect, or domestic violence.
- Health oversight activities (audits, inspections, licensure).
- Judicial and administrative proceedings (in response to valid court orders and processes).
- Law enforcement purposes (specific, limited situations).
- Disclosures about decedents to coroners, medical examiners, and funeral directors.
- Cadaveric organ, eye, and tissue donation.
- Research under appropriate safeguards (for example, IRB or Privacy Board waiver).
- Averting a serious threat to health or safety.
- Specialized government functions (such as national security and protective services).
- Workers’ compensation and similar programs.
Conclusion
The HIPAA Privacy Rule centers on a clear default—do not use or disclose PHI unless permitted or required—and reinforces it with the minimum necessary standard and robust safeguards. By honoring individual rights, managing business associates through strong agreements, and using de-identification where appropriate, you can enable care, operations, and public interests while protecting privacy.
FAQs
What uses and disclosures of PHI are permitted without individual authorization?
HIPAA permits uses and disclosures for treatment, payment, and health care operations; to the individual; incidental disclosures with safeguards; certain care-involvement and directory purposes; and specific public interest and benefit activities (for example, public health reporting, health oversight, judicial proceedings under valid process, limited law enforcement purposes, decedent-related needs, organ donation, qualifying research, serious threat mitigation, specialized government functions, and workers’ compensation). All applicable conditions and the minimum necessary standard must be satisfied.
How does the minimum necessary standard affect PHI disclosures?
You must limit PHI to the least amount reasonably necessary to achieve the purpose and use role-based access, standard protocols, and criteria for non-routine requests. The standard does not apply to treatment disclosures, disclosures to the individual, disclosures made under a valid authorization, disclosures to HHS for compliance, and disclosures required by law; for everything else, disclose only what is needed.
What are the individual rights related to PHI access under HIPAA?
Individuals have the right to access, inspect, and obtain a copy of PHI in the designated record set in the requested form and format if readily producible (including electronic copies). They may direct a copy to a third party, request amendments, receive an accounting of certain disclosures, request restrictions (including a required restriction for services paid in full out-of-pocket with respect to the health plan), and request confidential communications.
When must covered entities disclose PHI to the Department of Health and Human Services?
Covered entities must disclose PHI to HHS upon request when HHS investigates or determines compliance with HIPAA. This is a required disclosure under the Privacy Rule; it is not a routine, ongoing reporting obligation absent an HHS request.