HIPAA Release of Information under the Privacy Rule: A Practical Guide
This practical guide explains how the HIPAA Privacy Rule governs release of information (ROI) involving protected health information (PHI). You will learn when written authorization is required, which authorization exceptions apply, and how to handle public health, research, and law enforcement disclosures. It is designed for ROI staff, clinicians, researchers, and individuals seeking their records.
HIPAA Privacy Rule Overview
What the Privacy Rule covers
The Privacy Rule sets national standards for the use and disclosure of protected health information (PHI) held by covered entities—health care providers, health plans, and clearinghouses—and their business associates. PHI includes individually identifiable health information in any format that relates to a person’s health, care, or payment for care.
Core principles you must apply
Use or disclose only the minimum necessary PHI to achieve the purpose, except for treatment disclosures and other defined exceptions. Provide a clear notice of privacy practices so individuals understand how their information is used, their choices, and how to exercise their rights.
Authorization versus permitted uses
Written authorization is generally required for uses and disclosures outside treatment, payment, and health care operations (TPO). The Rule lists specific permitted uses and disclosures that do not require authorization; these are often referred to as authorization exceptions.
Permitted Disclosures without Authorization
Treatment, payment, and operations
You may disclose PHI for treatment activities among providers, for payment activities such as billing and claims management, and for health care operations like quality improvement and auditing. The minimum necessary standard does not apply to disclosures for treatment.
Common authorization exceptions
- To individuals involved in the patient’s care or payment, when the patient agrees or has the opportunity to object, or when professional judgment supports it in emergencies.
- Incidental disclosures that occur as a byproduct of an otherwise permitted use, when reasonable safeguards are in place.
- Required by law, including mandatory reporting and compliance with certain court orders.
- Public health activities, health oversight activities, and certain law enforcement disclosures, each subject to specific conditions.
- Organ and tissue donation, medical examiner and coroner purposes, and limited disclosures about decedents.
- Workers’ compensation and other specialized government functions as authorized by applicable law.
Operational safeguards
Verify the identity and authority of the requester, document the basis for the disclosure, and apply role-based access to PHI. Limit the data shared to what is reasonably necessary for the stated purpose whenever the minimum necessary rule applies.
Individual Rights Regarding Health Information
Right of access
You may inspect or obtain copies of your health records in the format requested if readily producible. Covered entities must respond within a reasonable time, generally within 30 days, with a single permitted extension when documented.
Right to request restrictions and confidential communications
You can ask a covered entity to restrict certain disclosures and to communicate with you in a specific way or at an alternative location. Providers must accommodate reasonable requests for confidential communications.
Right to amend
If you believe your record is inaccurate or incomplete, you may request an amendment. Approved amendments become part of the designated record set; denials must explain the reason and your right to submit a statement of disagreement that travels with future disclosures.
Right to an accounting of disclosures and to a notice of privacy practices
You may request an accounting of certain disclosures made without authorization and must receive a notice of privacy practices that explains uses, disclosures, and how to exercise your rights.
Disclosure for Public Health and Law Enforcement
Public health authorities
Covered entities may disclose PHI to public health authorities authorized by law to collect or receive such information for preventing or controlling disease, reporting adverse events, or conducting public health surveillance. Disclosures should follow the minimum necessary principle when applicable.
Health oversight agencies
Disclosures are permitted to health oversight agencies for audits, investigations, inspections, licensure, or other oversight activities necessary for the health care system. Document the authority and scope of each request before releasing PHI.
Law enforcement disclosures
PHI may be disclosed to law enforcement in limited situations, such as to comply with a court order, warrant, or certain subpoenas; to locate or identify a suspect, fugitive, material witness, or missing person; to report crimes on the premises; or in emergencies consistent with the Rule. Ensure requests are lawful, specific, and limited in scope.
Serious threat and judicial proceedings
Disclosures may occur to avert a serious and imminent threat to health or safety and in judicial or administrative proceedings under defined conditions. Always verify legal authority and consider de-identification or partial disclosure when feasible.
Conditions for Research Disclosures
Authorization or waiver
Research use or disclosure of PHI generally requires an individual’s authorization. An Institutional Review Board or Privacy Board may waive authorization if criteria are met, including minimal risk to privacy, impracticability of obtaining authorization, and adequate plans to safeguard and destroy identifiers.
Limited data sets and data use agreements
Covered entities may disclose a limited data set—PHI stripped of direct identifiers—for research, public health, or health care operations under a data use agreement. The agreement must outline permitted uses, who may use the data, safeguards, reporting of breaches, and research use limitations such as prohibitions on re-identification or contact.
Preparatory activities, decedents’ information, and de-identification
Researchers may review PHI on-site to prepare protocols if no PHI leaves the entity and the review is necessary. PHI of decedents may be used for research with representations that the information is solely for research on decedents. De-identified data—via expert determination or removal of specified identifiers—is not PHI and may be used freely.
Compliance Requirements and Enforcement
Program basics
Designate a privacy official, adopt written policies and procedures, train your workforce, and apply sanctions for violations. Execute business associate agreements, maintain documentation for required periods, and implement processes for complaints and requests.
Notice of privacy practices and minimum necessary
Maintain an accurate notice of privacy practices and make it readily available. Use role-based access and protocols to apply the minimum necessary standard to routine disclosures and requests.
Enforcement and penalties
The HHS Office for Civil Rights investigates complaints and breaches and may require corrective action plans or monitoring, or impose civil monetary penalties based on culpability and other factors. The Department of Justice may pursue criminal cases for knowing wrongful disclosures. State attorneys general can also enforce HIPAA-related provisions.
Obtaining and Amending Health Records
How to request your records
Submit a written request to the provider or health plan that maintains your designated record set. Specify dates, type of records, and preferred format. You may be asked to verify your identity, and you can direct records to yourself or to a third party as permitted by law.
Format, delivery, and fees
If readily producible, records must be provided in the requested electronic or paper format and delivered by your chosen reasonable method. Fees must be reasonable and cost-based for copying, supplies, and postage; retrieval fees are not allowed for the HIPAA right of access.
Timelines and denials
Covered entities generally have up to 30 days to respond, with one documented extension when necessary. If access is denied, you must receive a written explanation and, when applicable, a review by a licensed professional not involved in the initial denial.
Requesting an amendment
Write to the privacy office describing what is inaccurate or incomplete and why. If accepted, the entity appends the amendment and informs relevant recipients. If denied, you may submit a statement of disagreement and request that it accompany future disclosures.
Summary and key takeaways
Effective ROI under HIPAA balances patient rights with legitimate operational, public health, and research needs. Apply minimum necessary, document decisions, use data-sharing tools like limited data sets, and keep your notice of privacy practices current. When in doubt, verify authority and narrow the scope of PHI disclosed.
FAQs
What information can be released without patient consent under HIPAA?
HIPAA permits disclosures without authorization for treatment, payment, and health care operations; certain public health and health oversight activities; specific law enforcement disclosures; when required by law; for organ donation and medical examiner needs; and to persons involved in care with patient agreement or opportunity to object. Each category has conditions and often requires applying the minimum necessary rule.
How can individuals request amendments to their health records?
Send a written request to the covered entity’s privacy office explaining what you believe is inaccurate or incomplete and why. The entity must review, act within set timelines, and either append the amendment or provide a written denial with your right to submit a statement of disagreement that will accompany future disclosures.
What are the penalties for non-compliance with the HIPAA Privacy Rule?
HHS’s Office for Civil Rights can require corrective actions and assess civil monetary penalties using a tiered framework that considers culpability, harm, and remediation. The Department of Justice may pursue criminal penalties for knowing wrongful disclosures. Enforcement can also involve resolution agreements, monitoring, and actions by state attorneys general.
When is disclosure for research purposes allowed without authorization?
Disclosure without authorization is allowed when an Institutional Review Board or Privacy Board grants a waiver meeting HIPAA criteria; when sharing a limited data set under a data use agreement; for on-site reviews preparatory to research where no PHI leaves the entity; or for research solely on decedents’ information with required representations.