Under What Circumstances Can You Disclose PHI? HIPAA Rules & Exceptions
You can disclose protected health information (PHI) without a patient’s authorization only in specific situations recognized by the HIPAA Privacy Rule. Most of these permissions live in 45 CFR § 164.512 and hinge on a few core principles: verify the requestor’s identity and authority, disclose the minimum necessary, document your rationale, and apply any more stringent state laws.
This guide walks you through each permitted pathway so you know exactly when disclosure is allowed, what conditions apply, and how to operationalize compliance in your setting.
Required By Law
What this allows
You may disclose PHI when a statute, regulation, or other legal mandate compels it. When law requires disclosure, you must limit the PHI to what the law specifically demands. Although the “minimum necessary” standard does not apply to disclosures required by law, the scope of the underlying law remains your ceiling.
Common examples
- Mandatory reports of certain injuries or illnesses, births, and deaths.
- State-mandated disease registries or vital records submissions.
- Compliance with a court order directing release of defined records.
Operational safeguards
- Cite the exact law authorizing or compelling the disclosure (for example, 45 CFR § 164.512 or a specific state statute).
- Release only the information the law requires; redact anything beyond that scope.
- Record the disclosure for your accounting log when applicable.
Public Health Activities
Permitted recipients and purposes
You may disclose PHI to a public health authority authorized by law to collect such information for preventing or controlling disease, injury, or disability. Permissible purposes include reporting diseases, exposures, vital events, and conducting public health surveillance or interventions.
Additional allowances
- To persons at risk of contracting or spreading a disease, when authorized by law.
- To the FDA for product quality, safety, or effectiveness (e.g., adverse event reporting, recalls, tracking).
- To an employer about a work-related illness or workplace medical surveillance when legal conditions and employee notice requirements are met.
Compliance tips
- Confirm the recipient is a legitimate public health authority.
- Share only the minimum necessary to achieve the public health objective.
- Document your legal basis and the specific data elements disclosed.
Health Oversight Activities
Scope and agencies
You may disclose PHI to a health oversight agency for audits, investigations, inspections, licensure, or disciplinary actions necessary for oversight of the health care system, government benefit programs, or entities subject to government regulatory programs.
Practical guardrails
- Verify the requester’s authority and tie the request to a legitimate oversight function.
- Limit disclosures to what the oversight task requires; avoid broad, open-ended releases.
- Maintain an audit trail capturing who requested what, and why.
Judicial And Administrative Proceedings
Court order vs. judicial subpoena
If a court or administrative tribunal issues an order, disclose only the PHI expressly authorized by that order. For a judicial subpoena, discovery request, or other lawful process without a court order, you may disclose PHI only after receiving satisfactory assurances of either: (1) notice to the individual with no successful objection, or (2) a qualified protective order.
Safeguards to apply
- Review scope carefully and produce only what the order or process permits.
- Seek a protective order or de-identify data when feasible to reduce sensitivity.
- Use secure transfer methods and keep a clear chain of custody.
Law Enforcement Disclosures
When disclosures are permitted
- To comply with laws requiring reports, or with a court order, warrant, or similar process.
- To help identify or locate a suspect, fugitive, witness, or missing person using limited identifiers allowed by the rule.
- About a crime victim with the individual’s agreement, or in narrowly defined exigent circumstances when the person cannot agree.
- When the PHI is evidence that a crime occurred on your premises, or when you are responding to a medical emergency offsite, to report the nature and location of the crime and its perpetrators.
Boundaries and documentation
- Confirm the officer’s identity and legal authority before releasing PHI.
- Disclose only what the specific law enforcement exception permits; avoid entire record sets unless required.
- Record the legal basis, items disclosed, date, and recipient for accountability.
Serious Threats To Health Or Safety
Good-faith standard
You may disclose PHI when, in good faith, you believe it is necessary to prevent or lessen a serious and imminent threat to a person or the public. You may share with individuals or entities reasonably able to reduce the threat, including the potential target and law enforcement, consistent with applicable law and professional ethics.
How to proceed
- Limit disclosures to information directly relevant to mitigating the threat.
- Document your risk assessment, recipients, and rationale at the time of disclosure.
- Reassess ongoing need; cease further disclosures when the threat subsides.
Specialized Government Functions
Examples covered
- Military and veterans activities, consistent with lawful orders and mission needs.
- National security and intelligence operations.
- Protective services for the President and other authorized officials.
- Correctional institutions and law enforcement custodial settings for safety, security, or inmate health.
- Certain government benefit programs where disclosure is necessary to coordinate eligibility or benefits as permitted by law.
Controls to apply
- Verify the specific authority and purpose asserted by the government entity.
- Tailor disclosures to the minimum necessary for that function.
- Keep detailed records supporting your decision.
Workers' Compensation Disclosures
Purpose and limits
You may disclose PHI as authorized by and to the extent necessary to comply with workers' compensation laws and similar programs that provide benefits for work-related injuries or illnesses. Disclosures typically go to insurers, state agencies, or employers when those laws permit.
Execution tips
- Confirm the specific workers' compensation laws that apply and follow their scope.
- Share only information pertinent to the claim; avoid unrelated clinical details.
- Provide employee notices required by state or federal rules.
Research Uses And Disclosures
Pathways to use PHI
- Authorization: Obtain the individual’s written HIPAA-compliant authorization describing the research use.
- Institutional Review Board waiver: Use or disclose PHI without authorization when an IRB or Privacy Board documents that waiver criteria are met (minimal risk to privacy, impracticability, and adequate privacy safeguards).
- Preparatory to research: Review PHI on-site to design a study or assess feasibility, without removing PHI from the covered entity.
- Decedents research: Access PHI solely about decedents with required representations and documentation.
- Limited data set: Share a limited data set under a data use agreement; fully de-identified data are not PHI.
What to document
- IRB/Privacy Board waiver documentation or the signed authorization, as applicable.
- Research protocol, data minimization plan, and safeguards for storage, access, and retention.
- An accounting of disclosures when required.
Reporting Victims Of Abuse, Neglect, Or Domestic Violence
When you may disclose
You may disclose PHI to a government authority (such as a protective services or social services agency) authorized by law to receive such reports if: disclosure is required by law; the individual agrees; or the law expressly allows reporting and, in your professional judgment, it is needed to prevent serious harm. Additional, narrow allowances apply when the individual cannot agree and immediate enforcement needs exist.
Notice and safety
- Inform the individual about the report unless you reasonably believe doing so would place them at risk of serious harm or would notify the alleged abuser, or if law enforcement asks you not to inform to avoid impeding an investigation.
- Disclose only information relevant to the suspected abuse, neglect, or domestic violence.
- Record the basis for your belief, the authority notified, and any decision not to inform the individual.
Key takeaways
- Anchor decisions in 45 CFR § 164.512 and applicable state laws.
- Verify authority, apply minimum necessary, and document every step.
- When in doubt, pause and seek a lawful process (e.g., court order or qualified protective order).
FAQs
What are the legal requirements for disclosing PHI without authorization?
HIPAA allows disclosures without authorization only in defined circumstances—such as those required by law, for public health or health oversight, pursuant to court orders or qualified processes, for specific law enforcement needs, to avert serious threats, for specialized government functions, for workers’ compensation, for certain research pathways, and to report abuse, neglect, or domestic violence. In every case, verify authority, limit the information to what the rule or law permits, and document your rationale.
When can PHI be disclosed for public health purposes?
You may disclose PHI to a public health authority authorized by law to collect it for preventing or controlling disease, injury, or disability. Typical uses include disease reporting, contact notifications, vital records, FDA safety reporting, and, in limited cases, employer notifications for workplace medical surveillance or work-related illness when legal conditions and employee notice requirements are met.
How does HIPAA regulate disclosures to law enforcement?
HIPAA permits disclosures to law enforcement in narrow, enumerated scenarios—such as complying with a court order or warrant, meeting a legal reporting mandate, helping identify or locate a suspect with limited identifiers, addressing crimes on your premises, or reporting certain emergencies. Always confirm authority, release only what the exception allows, and keep an accounting where required.
What are the conditions for using PHI in research under HIPAA?
Research uses require either a valid patient authorization or an alternative pathway: an Institutional Review Board waiver (or Privacy Board waiver) with documented criteria, on-site reviews preparatory to research without removing PHI, research solely on decedents with required assurances, or a limited data set under a data use agreement. De-identified data fall outside HIPAA because they are not PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.