Under HIPAA, Disclosure (Not “Use”) Means the Release of PHI

Kevin Henry

HIPAA

July 24, 2025


HIPAA Disclosure Definition

Under the HIPAA Privacy Rule, a disclosure is the release, transfer, provision of access to, or divulging of Protected Health Information (PHI) outside the organization holding it. In other words, PHI release occurs when information leaves the covered entity or its business associate’s control.

PHI includes any individually identifiable health information—past, present, or future—relating to health status, care, or payment, in any medium (paper, verbal, electronic). Distinguishing a disclosure from a use is essential to applying the Minimum Necessary Standard and the other HIPAA Privacy Rule requirements correctly.

Difference Between Use and Disclosure

Use means handling PHI inside your organization—viewing, sharing, analyzing, or applying it within the covered entity (or within a business associate acting on its behalf). Disclosure means PHI leaves that boundary and is shared externally with another person or entity.

Sending a patient summary to an outside specialist is a disclosure; routing the same summary to your in-house care team is a use. Disclosing PHI to a business associate (such as a cloud EHR vendor) is still a disclosure, but it is permitted when a Business Associate Agreement is in place and the activity is authorized.

Examples of PHI Disclosure

Permitted without patient authorization

  • Treatment, payment, and healthcare operations (TPO), such as sending claims to a health plan or consulting with an external provider for continuity of care.
  • Disclosures required by law, public health reporting (for example, certain infectious diseases), and health oversight activities.
  • To the individual (patient right of access), which is a disclosure but not subject to the Minimum Necessary Standard.
  • For certain research under an Institutional Review Board or Privacy Board waiver, or as a limited data set under a data use agreement.
  • To family or others involved in the patient’s care, when allowed by the Privacy Rule and patient preferences.

Disclosures requiring an Authorization for Disclosure

  • Most uses or disclosures not otherwise permitted by the HIPAA Privacy Rule.
  • Marketing communications in many cases, disclosures that constitute a sale of PHI, and most disclosures of psychotherapy notes.

Unauthorized or inappropriate disclosures (examples)

  • Faxing PHI to the wrong recipient or emailing PHI to a personal address without safeguards.
  • Sharing PHI on social media or with an employer without a valid authorization or another legal basis.
  • Over-disclosing beyond the Minimum Necessary Standard when it applies.

Covered Entities and Business Associates are directly accountable for impermissible disclosures. Violations can trigger federal civil penalties, corrective action plans, and—in egregious, intentional cases—criminal liability. State privacy laws may also apply, and the more stringent rule controls.

Patients have a right to an accounting of certain non-routine disclosures, generally covering up to six years, excluding most TPO disclosures and disclosures to the individual. Maintaining accurate logs and documentation is essential to meet this obligation and to demonstrate HIPAA compliance.

HIPAA Compliance Requirements

Establish clear release-of-information (ROI) procedures that distinguish internal use from external PHI release. Verify the recipient’s identity, confirm the legal basis (authorization, TPO, required by law, or another permitted purpose), and apply the Minimum Necessary Standard when it applies.

Use a compliant Authorization for Disclosure form when needed. It should describe the PHI to be disclosed, purpose, recipient, expiration date or event, the individual’s signature and date, and the right to revoke. Keep required notices, logs, and retention records as part of your privacy program.

Train your workforce, designate a privacy official, implement sanctions for violations, and execute Business Associate Agreements before sharing PHI with vendors. Periodic risk analysis and policy updates help ensure your HIPAA Privacy Rule program remains effective.

Safeguards for PHI Disclosure

Administrative safeguards

  • Role-based access and standardized ROI checklists to ensure disclosures are lawful and limited to the Minimum Necessary Standard when applicable.
  • Workforce training, sanctions, and ongoing monitoring of PHI release workflows.

Technical and physical safeguards

  • Secure transmission (encryption in transit), unique user IDs, audit logs, and data loss prevention where feasible.
  • Verified recipient contact details, secure portals, and strong identity verification before disclosure.

Data minimization and alternatives

  • Use a limited data set with a data use agreement when full identifiers are unnecessary.
  • De-identify data (per the HIPAA de-identification methods) when practical so it is no longer PHI.

Reporting Unauthorized Disclosure

First, contain and mitigate: retrieve misdirected PHI if possible, disable access, and document the event. Next, perform a breach risk assessment considering the nature of the PHI, the unauthorized recipient, whether the PHI was actually viewed or acquired, and mitigation steps taken.

If a breach of unsecured PHI is confirmed, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify the U.S. Department of Health and Human Services as required, and, for incidents affecting 500 or more individuals in a state or jurisdiction, notify prominent media. Business Associates must notify the Covered Entity so required notices can be made.

Include in notifications a brief description of what happened, the types of PHI involved, steps individuals should take, what your organization is doing to mitigate harm and prevent recurrence, and contact information for questions. Update policies, retrain staff, and track corrective actions.

Key takeaways

  • Disclosure means PHI leaves your organization; use stays inside.
  • Know the legal basis for every PHI release and apply the Minimum Necessary Standard when it applies.
  • Document, safeguard, and monitor all external disclosures—including those to Business Associates.
  • Act quickly on unauthorized disclosures with assessment, notifications, and remediation.

FAQs

What is a disclosure under HIPAA?

Disclosure is the release, transfer, provision of access to, or divulging of PHI in any manner to a party outside the Covered Entity or Business Associate holding it. It encompasses any PHI release beyond your organization’s internal workforce.

How does disclosure differ from use?

Use is internal—viewing or sharing PHI within your organization to deliver care, get paid, or run operations. Disclosure is external—sending PHI to another person or entity, including health plans, outside providers, public health authorities, or vendors acting as Business Associates.

When is patient authorization required for PHI disclosure?

You need a valid Authorization for Disclosure when the Privacy Rule does not otherwise permit or require the disclosure—common examples include most marketing, disclosures that are a sale of PHI, and most disclosures of psychotherapy notes. An authorization must specify what PHI will be released, for what purpose, to whom, its expiration, and include the individual’s signature and date.

What are the penalties for unauthorized disclosure under HIPAA?

Penalties range from civil fines—tiered by the organization’s level of culpability and applied per violation—to criminal penalties for intentional, wrongful disclosures. Regulators may also impose corrective action plans, and more stringent state privacy laws can add additional consequences.
