HIPAA Restrictions on PHI Use: What’s Allowed and What’s Not


Kevin Henry

HIPAA

January 25, 2026


Understanding HIPAA restrictions on PHI use helps you determine when protected health information can be used or disclosed—and when it cannot. This guide clarifies the rules, highlights permitted and prohibited uses, and explains Patient Authorization and the Minimum Necessary Standard in practical terms.

Whether you work for Covered Entities or Business Associates, the same core Privacy Rule principles apply: limit PHI to defined purposes, secure proper authorization when required, and prevent Unauthorized Disclosure.

HIPAA PHI Use Restrictions

Protected Health Information (PHI) is individually identifiable health data maintained or transmitted by a Covered Entity or Business Associate. HIPAA limits PHI use and disclosure to defined purposes or to situations where the patient (the individual) gives valid written authorization.

Who must comply

  • Covered Entities: health plans, most healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses.
  • Business Associates: vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity (for example, billing, cloud hosting, analytics).

Key concepts

  • Use vs. disclosure: “Use” is internal handling of PHI; “disclosure” is sharing PHI outside the entity holding it.
  • Baseline rule: Use/disclose only as permitted by HIPAA or with Patient Authorization.
  • De-identified data: Not PHI if properly de-identified; a Limited Data Set contains fewer identifiers and requires a Data Use Agreement.
  • Minimum Necessary Standard: When the rule applies, access, use, and disclose only the least PHI needed for the task.

Permitted Uses of PHI

Treatment, Payment, and Healthcare Operations (TPO)

  • Treatment: coordinating or managing care, consultations, referrals, medication management.
  • Payment: eligibility checks, claims submission, utilization review, collection activities.
  • Healthcare Operations: quality assessment, training, accreditation, auditing, population-based activities, and customer service functions that support care delivery.

Public interest and other authorized-by-law purposes

  • Required by law and for public health activities (e.g., reportable conditions, adverse events).
  • Health oversight (audits, inspections), judicial/administrative proceedings, and certain law enforcement purposes.
  • To avert a serious and imminent threat to health or safety.
  • For organ and tissue donation, decedent and coroners/medical examiners’ purposes, and workers’ compensation as authorized by law.
  • Specialized government functions (e.g., military, national security) as permitted.

Research and data minimization pathways

  • Research with an Institutional Review Board/Privacy Board waiver, or Patient Authorization.
  • Limited Data Set under a Data Use Agreement, or de-identified data outside HIPAA scope.

Other permitted disclosures

  • To the individual (patient) on request, including access and accounting rights.
  • Incidental disclosures that occur despite reasonable safeguards and Minimum Necessary compliance.
  • Facility directories and involvement in care or notification/disaster relief, subject to patient preferences and limitations.
  • Business Associates may use/disclose PHI for services described in a Business Associate Agreement and for their own management/administration with required safeguards and assurances.

Prohibited Uses of PHI

  • Any use or disclosure not expressly permitted by HIPAA or not backed by valid Patient Authorization.
  • PHI Marketing Restrictions: marketing communications that promote a third party’s product or service, or that involve financial remuneration from a third party, without explicit authorization.
  • Sale of PHI without authorization (exchanging PHI for direct or indirect remuneration), subject to narrow exceptions.
  • Most uses/disclosures of psychotherapy notes without specific authorization.
  • A group health plan disclosing PHI to its plan sponsor (the employer) for employment-related actions or other purposes outside plan administration, without authorization and without the required plan-document amendments and separation-of-functions safeguards.
  • Using genetic information for health plan underwriting (prohibited).
  • Accessing more than the Minimum Necessary PHI when the standard applies, or “snooping” in records without a job-related purpose.
  • Disclosing PHI on social media, to the media, or in public spaces without a valid HIPAA basis and safeguards.
  • Re-identifying de-identified data or expanding a Limited Data Set beyond its Data Use Agreement terms.

Patient Authorization Requirements

When a use or disclosure is not otherwise permitted by HIPAA, a Patient Authorization is required. The authorization must be in writing, easy to understand, and specific to the purpose and recipients.

Core elements of a valid authorization

  • Description of the information to be used/disclosed (scope and dates, if applicable).
  • Identification of who may disclose and who may receive the PHI.
  • Purpose of the use/disclosure or a statement that disclosure is at the request of the individual.
  • Expiration date or event.
  • Signature and date; if signed by a personal representative, a description of their authority.
  • Statements about the right to revoke in writing; the potential for re-disclosure by recipients; and whether treatment, payment, enrollment, or eligibility is conditioned on signing (and the consequences of refusal, if applicable).

When authorization is typically required

  • Marketing that falls under PHI Marketing Restrictions and fundraising beyond HIPAA’s limited allowances.
  • Sale of PHI.
  • Most uses/disclosures of psychotherapy notes.
  • Research that lacks an IRB/Privacy Board waiver and is not limited to a preparatory-to-research review.
  • Disclosures to third parties (e.g., employers, life insurers, schools) for non-HIPAA purposes.

Covered Entities and Business Associates should maintain authorization logs, verify identity before disclosure, provide copies on request, and honor revocations except to the extent actions have already been taken in reliance on the authorization.


Minimum Necessary Standard

The Minimum Necessary Standard requires you to limit PHI to the smallest amount needed to accomplish the purpose of the use, disclosure, or request—balancing utility with privacy. This standard applies to most routine operations and information exchanges.

Common exceptions (standard does not apply)

  • Disclosures to or requests by a healthcare provider for treatment.
  • Disclosures to the individual (patient).
  • Uses/disclosures pursuant to a valid Patient Authorization.
  • Disclosures required by law, and to HHS for HIPAA compliance investigations.

How to implement “minimum necessary” in practice

  • Create role-based access profiles and need-to-know policies; segment sensitive data where feasible.
  • Define standard protocols for routine disclosures and a review process for non-routine requests.
  • Use the least-detailed records that still meet the purpose (e.g., Limited Data Sets where appropriate).
  • For Business Associates, flow the requirement through contracts and technical controls; apply it to internal re-use and onward disclosures.
  • Log, monitor, and audit access; promptly correct over-disclosures and apply mitigation steps.
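The list above describes controls in policy terms; the following added example (written for this article, not code from Accountable or any product) shows how the role-based profile, the need-to-know check on non-routine requests, and the access audit trail fit together in code. The roles, field names, purposes and the sample patient record are assumptions made for the example and are not a HIPAA-prescribed list; the record is synthetic.

```python
"""Field-level "minimum necessary" gate for PHI records (illustrative example).

Each role gets a standard view (the routine-disclosure protocol). An explicit
field list is the non-routine path and is checked field by field. Every
attempt, granted or denied, is written to an audit log so that repeated
denials can be reviewed as a possible snooping signal.
"""
from collections import Counter

# Constructed sample record (synthetic, not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Example Patient",
    "dob": "1980-04-12",
    "ssn": "000-00-0000",
    "diagnosis_codes": ["E11.9"],
    "clinical_notes": "Routine follow-up; medication adjusted.",
    "insurance_id": "PLAN-55512",
    "claim_amount": 240.00,
}

# Role profiles: the fields each role needs for its job-related purpose.
# These assignments are assumptions for the example, not a HIPAA-defined list.
ROLE_FIELDS = {
    "treating_clinician": {"mrn", "name", "dob", "diagnosis_codes", "clinical_notes"},
    "billing": {"mrn", "name", "insurance_id", "claim_amount", "diagnosis_codes"},
    "quality_analyst": {"dob", "diagnosis_codes"},
}

# Purposes each role may act under; a request outside this set is refused
# regardless of which fields it asks for.
ROLE_PURPOSES = {
    "treating_clinician": {"treatment"},
    "billing": {"payment"},
    "quality_analyst": {"healthcare_operations"},
}

AUDIT_LOG = []  # one entry per request, whether granted or denied


class MinimumNecessaryViolation(Exception):
    """Raised when a request asks for more PHI than the role's profile allows."""


def disclose(record, actor, role, purpose, requested_fields=None):
    """Return only the fields the role needs for the stated purpose.

    requested_fields=None selects the role's standard view; an explicit list
    is checked against the profile and anything outside it is denied.
    """
    allowed = ROLE_FIELDS.get(role, set())
    requested = set(requested_fields) if requested_fields is not None else set(allowed)
    over_request = requested - allowed
    wrong_purpose = purpose not in ROLE_PURPOSES.get(role, set())
    granted = not over_request and not wrong_purpose

    AUDIT_LOG.append({
        "actor": actor,
        "role": role,
        "purpose": purpose,
        "record": record["mrn"],
        "requested": sorted(requested),
        "denied_fields": sorted(over_request),
        "granted": granted,
    })

    if wrong_purpose:
        raise PermissionError(f"{role} may not use PHI for purpose {purpose!r}")
    if over_request:
        raise MinimumNecessaryViolation(
            f"{role} requested fields outside its profile: {sorted(over_request)}")
    # Hand back a filtered copy, never the whole record object.
    return {k: record[k] for k in requested if k in record}


def denied_attempts_by_actor(log=None):
    """Count denied requests per actor from the audit log.

    Repeated denials for one actor are a signal worth review by the privacy
    officer; the threshold for escalation is a local policy decision.
    """
    entries = AUDIT_LOG if log is None else log
    return Counter(e["actor"] for e in entries if not e["granted"])


if __name__ == "__main__":
    # Routine view for treatment: SSN and claim data are never returned.
    print(disclose(SAMPLE_RECORD, "dr_a", "treating_clinician", "treatment"))
    # Non-routine billing request that reaches for clinical notes is refused.
    try:
        disclose(SAMPLE_RECORD, "clerk_b", "billing", "payment", ["mrn", "clinical_notes"])
    except MinimumNecessaryViolation as exc:
        print("denied:", exc)
    print(denied_attempts_by_actor())
```

The filter is applied at the point of disclosure rather than relying on the caller to discard fields it should not have, and the denial is logged before the exception is raised so that an over-broad request leaves a record even when it fails.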

Conclusion

In short, HIPAA restrictions on PHI use allow necessary care coordination and core operations while sharply limiting unrelated or commercial uses. When in doubt, anchor your decision to three pillars: confirm a HIPAA-permitted purpose or obtain Patient Authorization, apply the Minimum Necessary Standard, and prevent Unauthorized Disclosure through sound policies and safeguards.

FAQs

What uses of PHI are permitted without patient authorization?

HIPAA permits PHI use and disclosure for Treatment, Payment, and Healthcare Operations; for public health, oversight, and other authorized-by-law purposes; to the individual; for certain research with an IRB/Privacy Board waiver; and for incidental disclosures when reasonable safeguards and the Minimum Necessary Standard are in place.

What is the minimum necessary standard under HIPAA?

It requires you to limit PHI to the smallest amount needed to achieve the specific purpose of a use, disclosure, or request. It does not apply to treatment by providers, disclosures to the individual, uses/disclosures based on valid Patient Authorization, or disclosures required by law or to HHS for compliance.

When is patient authorization required for PHI use?

Authorization is required when a use/disclosure is not otherwise permitted by HIPAA—commonly for marketing that triggers PHI Marketing Restrictions, sale of PHI, most psychotherapy notes, certain research activities, and disclosures to third parties for non-healthcare purposes.

What are the consequences of unauthorized PHI disclosure?

Unauthorized Disclosure can prompt investigations by HHS’s Office for Civil Rights, corrective action plans, civil monetary penalties scaled to culpability and adjusted for inflation, contractual liability for Business Associates, and in egregious cases, criminal penalties. Reputational harm and patient trust erosion often follow, making prevention and prompt mitigation essential.
