What HIPAA Information Can Be Shared? Permitted Disclosures and Requirements Explained
HIPAA allows sharing of Protected Health Information (PHI) without patient authorization only for clearly defined purposes. Across these situations, you must apply the Minimum Necessary Standard—disclose the least amount of PHI needed to achieve the purpose—except in specific, noted exceptions. Incidental Disclosures may occur, but only when you have reasonable safeguards in place and the primary use or disclosure is otherwise permitted.
Treatment, Payment, and Health Care Operations
PHI can be shared to deliver care, get paid, and run your practice. For treatment, clinicians may exchange PHI to coordinate care without patient authorization, and the Minimum Necessary Standard does not apply to disclosures to, or requests by, a health care provider for treatment. For payment and operations it does apply, so limit each role's access to the PHI that role actually needs.
Examples you can disclose
- Treatment: consultations, referrals, care coordination, e-prescribing, and sharing records between providers.
- Payment: eligibility checks, prior authorizations, claims submission and adjudication, and medical necessity reviews.
- Health care operations: quality assessment, peer review, utilization management, accreditation, auditing, and population-based activities.
Key requirements and limits
- Business associates may receive PHI for contracted services (for example, an EHR vendor) only under a signed business associate agreement and with appropriate safeguards.
- Apply role-based access, verify requestors, log disclosures where required, and follow data minimization for payment and operations.
- If a patient pays in full out of pocket for an item or service and asks you not to tell a health plan about it, you must honor that restriction for payment and operations disclosures, unless the disclosure is otherwise required by law.
- Incidental Disclosures (such as names overheard at a nurse station) are permissible only when reasonable safeguards and minimum necessary are in place.
Public Health Activities
You may share PHI with public health authorities for disease control and prevention. These disclosures support Public Health Surveillance, investigations, and interventions, and often are required by state or federal law.
Examples you can disclose
- Report diseases, injuries, vital events, and immunizations to a public health authority.
- Notify people who may have been exposed to a communicable disease or are at risk of spreading it.
- Report adverse events, product problems, or biologic/device tracking information to applicable agencies.
- Provide proof of immunization to a school that is required by law to have it, with the agreement of the parent or guardian (or of the individual, if an adult or emancipated minor).
Key requirements and limits
- Confirm the requestor is a public health authority and disclose only the Minimum Necessary information.
- When a disclosure is “required by law,” share what the law mandates—no more.
- Document disclosures consistent with your policy, and use de-identified or limited data sets when full identifiers are not needed.
Health Oversight Activities
PHI may be disclosed to a Health Oversight Agency for audits, investigations, inspections, licensure, or disciplinary actions related to the health care system or government benefits.
Examples you can disclose
- Records requested for Medicare or Medicaid audits, program integrity reviews, or quality inspections.
- Information to state medical boards or other oversight bodies conducting licensure or disciplinary proceedings.
Key requirements and limits
- Verify the agency’s authority and share only what is necessary for the stated oversight purpose.
- Do not repurpose oversight disclosures for unrelated law enforcement unless another HIPAA permission applies.
Judicial and Administrative Proceedings
Courts and tribunals may require PHI, but the route matters. Subpoenas and Court Orders trigger different duties, and you must ensure appropriate legal process or patient authorization before disclosing.
Examples you can disclose
- PHI expressly authorized by a court order or administrative tribunal order.
- PHI in response to a subpoena, discovery request, or other lawful process, but only with satisfactory assurances (for example, reasonable efforts to notify the individual or a qualified protective order).
Key requirements and limits
- A court order authorizes only the PHI it specifies—do not disclose more.
- For subpoenas without a court order, obtain proof of notice to the individual or a protective order, or secure the individual’s written authorization.
- Redact or limit data fields to the Minimum Necessary when the full record is not required.
Law Enforcement Disclosures
HIPAA permits certain disclosures to law enforcement without authorization, subject to tight limits. Always confirm legal authority and disclose the least information necessary.
Examples you can disclose
- PHI required by a warrant, court order, or specific law (such as reporting certain injuries or deaths).
- Limited identifiers to locate or identify a suspect, fugitive, material witness, or missing person (for example, name, address, date of birth, type of injury, date and time of treatment, and distinguishing physical characteristics).
- Information about a crime committed on your premises; or, when providing emergency care away from your premises, information needed to alert law enforcement to the crime, its location or victims, and the identity or whereabouts of the perpetrator.
- PHI to correctional institutions or law enforcement when an individual is in lawful custody, if needed for care, safety, or security.
Key requirements and limits
- Do not disclose DNA, dental records, or detailed analyses for identification without appropriate legal process.
- Apply the Minimum Necessary Standard unless a specific exception or legal process dictates otherwise.
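As an added illustration of the data-minimization checks described in the law enforcement and court-order sections (this is example code written for this page, not Accountable's software and not a statement of the regulation): each mapped purpose gets a field allowlist, a court order releases only the fields it names, any purpose with no mapped permission is denied, and every release is logged with what was withheld so disclosures can be accounted for. The record schema and field names (for example "dna_profile") are assumptions, and the law enforcement identifier list follows the page's summary rather than the full regulatory text.

```python
"""Purpose-bound PHI release filter.

Added illustration for this page; not Accountable's software and not a
statement of the regulation. Field names such as "dna_profile" are an
assumed record schema.
"""
from datetime import datetime, timezone


class DisclosureDenied(Exception):
    """No mapped permission covers the request as made: default deny."""


# Identifiers the page lists for locating or identifying a suspect, fugitive,
# material witness or missing person (assumed field names).
LAW_ENFORCEMENT_ID_FIELDS = frozenset({
    "name", "address", "date_of_birth", "injury_type",
    "treatment_datetime", "distinguishing_characteristics",
})

# Purposes for which the Minimum Necessary Standard does not apply.
FULL_RECORD_PURPOSES = frozenset({"treatment"})


class DisclosureGate:
    def __init__(self):
        self.accounting = []  # one entry per release, for accounting requests

    def disclose(self, record, purpose, recipient, requested=None, order_scope=None):
        """Return the subset of `record` permitted for `purpose`.

        requested:   fields the requester asked for (None = whole record);
                     nothing outside this set is ever released.
        order_scope: for "court_order", the fields the order itself names.
        """
        if purpose in FULL_RECORD_PURPOSES:
            permitted = set(record)
        elif purpose == "law_enforcement_identification":
            # Allowlist only: DNA, dental records and detailed analyses are
            # absent from the list, so they are withheld without special code.
            permitted = LAW_ENFORCEMENT_ID_FIELDS
        elif purpose == "court_order":
            if not order_scope:
                raise DisclosureDenied("a court order authorizes only the PHI it specifies")
            permitted = set(order_scope)
        else:
            raise DisclosureDenied(f"no HIPAA permission mapped for purpose {purpose!r}")

        asked = set(record) if requested is None else set(requested)
        release_keys = permitted & asked & set(record)
        released = {k: record[k] for k in sorted(release_keys)}
        self.accounting.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "purpose": purpose,
            "recipient": recipient,
            "released": sorted(release_keys),
            "withheld": sorted(asked - release_keys),
        })
        return released


# Constructed sample record; every value is made up for the demonstration.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "address": "12 Sample St, Anytown",
    "date_of_birth": "1980-01-02",
    "injury_type": "laceration, left forearm",
    "treatment_datetime": "2024-05-01T22:15:00",
    "distinguishing_characteristics": "tattoo on right shoulder",
    "diagnosis": "laceration with suture repair",
    "medications": ["cephalexin"],
    "dna_profile": "<lab reference 0001>",
    "dental_records": "<imaging reference 0002>",
}


def demo():
    gate = DisclosureGate()
    # A treating clinician receives the full record.
    to_clinician = gate.disclose(SAMPLE_RECORD, "treatment", "Dr. Referral")
    # Police asking to identify a suspect get the listed identifiers only;
    # the DNA profile and diagnosis they also asked for are withheld and logged.
    to_police = gate.disclose(
        SAMPLE_RECORD, "law_enforcement_identification", "Metro PD",
        requested=["name", "date_of_birth", "dna_profile", "diagnosis"],
    )
    # A court order names the fields it covers; nothing more leaves.
    to_court = gate.disclose(
        SAMPLE_RECORD, "court_order", "County Court", order_scope=["diagnosis"],
    )
    return to_clinician, to_police, to_court, gate.accounting


if __name__ == "__main__":
    clinician, police, court, log = demo()
    print("police received:", sorted(police))
    print("withheld from police:", log[1]["withheld"])
```

The design choice worth copying is the default deny: an unmapped purpose raises rather than falling through to a permissive branch, and a court order with no stated scope is refused rather than treated as authorizing the whole record. The "withheld" entry in the log is what lets you answer later questions about why a requester did not receive a field.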
Research Use and Disclosures
Research disclosures balance scientific value with privacy. You may disclose PHI with the individual's authorization, or without authorization through specific pathways, the main one being a waiver of authorization approved by an Institutional Review Board or Privacy Board; de-identified data, limited data sets, reviews preparatory to research, and research on decedents' information have their own conditions.
Pathways to share PHI
- Individual authorization that clearly describes the study, scope, and expiration.
- IRB/Privacy Board waiver of authorization when the use poses no more than minimal privacy risk, there is a plan to protect identifiers and destroy them at the earliest opportunity, there are adequate written assurances that the PHI will not be reused or disclosed except as permitted, and the research could not practicably be conducted without the waiver or without the PHI.
- De-identified data (no direct identifiers) or a limited data set under a Data Use Agreement.
- Reviews preparatory to research and research solely on decedents’ information, with required representations.
Key requirements and limits
- Disclose only the Minimum Necessary for research activities unless the data are de-identified.
- Track and account for certain disclosures, and enforce data use or confidentiality agreements as applicable.
Disaster Relief and Workers' Compensation
During emergencies and workplace injuries, HIPAA permits targeted disclosures to keep people safe and to comply with specialized programs.
Disaster relief
- Share PHI with public or private disaster relief organizations to coordinate care and notify family or others involved in a patient’s care.
- Use professional judgment when the patient is incapacitated, honoring known preferences whenever possible.
Workers’ compensation
- Disclose PHI as authorized by and to the extent necessary to comply with workers’ compensation or similar laws.
- Limit disclosures to what the program, insurer, or employer is legally entitled to receive under applicable state rules.
Conclusion
In practice, share PHI only when a HIPAA permission applies, verify the requestor and legal basis, and default to the Minimum Necessary Standard. When in doubt, seek patient authorization or provide de-identified data, and document your decision-making to maintain compliance.
FAQs
What types of PHI can be shared without authorization?
You may share PHI for treatment, payment, and health care operations; certain public health and health oversight activities; specific law enforcement purposes; judicial and administrative proceedings with proper process; defined research scenarios; disaster relief; and workers’ compensation. Apply the Minimum Necessary Standard where required.
When is PHI disclosure allowed for public health activities?
Disclosures are allowed to public health authorities for Public Health Surveillance, investigations, and interventions, including disease reporting, vital records, immunizations, and adverse event reporting. If a law requires the report, disclose only what the law mandates and nothing more.
How does the minimum necessary standard affect information sharing?
The Minimum Necessary Standard requires you to limit PHI to the least amount needed for the purpose. It generally applies to payment, operations, public health, oversight, and many law enforcement or research disclosures, but not to disclosures for treatment, disclosures made to the individual, disclosures the individual has authorized, or disclosures required by law.
What are incidental disclosures under HIPAA?
Incidental Disclosures are minor, unintended exposures that occur as a byproduct of a permitted use or disclosure—such as a name overheard despite reasonable safeguards. They are allowed only when you have implemented appropriate administrative, physical, and technical protections and are not the result of negligence.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.