What You Can Share About Patients Under HIPAA: Guidelines and Examples
Knowing what you can share about a patient under HIPAA starts with understanding Protected Health Information (PHI) and who must follow the rules. Covered Entities—health plans, health care clearinghouses, and health care providers that handle electronic transactions—and their business associates must protect PHI while enabling necessary information flow for care and safety.
This guide explains common, real‑world disclosures you may make without Patient Authorization, when consent or agreement is needed, and how the Minimum Necessary Standard shapes your day‑to‑day decisions. Use the examples to make confident, compliant choices.
Treatment Purpose Disclosures
You may disclose PHI for treatment without Patient Authorization. “Treatment” includes coordination and management of care among providers, referrals, consultations, and medication management. Sharing is permitted with another provider, within your organization, or with a pharmacy or lab when the purpose is to diagnose or treat the patient.
The Minimum Necessary Standard does not apply to disclosures for treatment; still, you should share only what the receiving clinician needs. Psychotherapy notes receive special protection and generally require authorization for most uses outside the originator’s treatment activities.
Examples
- Sending a current medication list and allergies to a specialist before a consult.
- Discussing recent imaging findings with the radiologist to plan next steps.
- Calling the prescriber to clarify a potential drug interaction before dispensing.
Sharing With Family and Friends
You may disclose relevant PHI to a family member, friend, or other person involved in the patient’s care or payment if the patient agrees, is given the chance to object and does not, or if the patient is incapacitated and you use professional judgment to determine disclosure is in the patient’s best interests. Limit your disclosure to information directly related to the person’s involvement.
Personal Representative Disclosure follows state law on who is the patient’s legal representative (for example, a parent of an unemancipated minor, an appointed guardian, or a health care agent). Treat a personal representative as the patient for access to PHI unless an exception applies, such as concerns about abuse or endangerment.
Examples
- Providing post‑operative care instructions to a spouse when the patient consents.
- Discussing home wound care with an adult child who is picking up the patient at discharge.
- Informing a caregiver about a new mobility restriction after the patient verbally agrees in the room.
Disclosures for Serious Threats
The Imminent Threat Exception permits you to disclose PHI, consistent with law and ethical standards, to prevent or lessen a serious and imminent threat to health or safety. Share with those reasonably able to reduce the threat, which can include the target, a caregiver, or law enforcement.
Use professional judgment, document your rationale, and disclose only the information necessary to mitigate the risk.
Examples
- Alerting law enforcement and the threatened individual when a patient makes a credible, immediate threat of violence.
- Notifying a campus safety office if a student‑patient expresses a plan and means to harm others imminently.
Notification of Family Members
You may disclose a patient’s location, general condition, or death to family, a personal representative, or others responsible for the patient’s care. You may also share with disaster relief organizations to coordinate notice to loved ones. If the patient is present and has the capacity, provide an opportunity to agree or object.
For facility directories, you may share a patient’s location and general condition with people who ask for the patient by name, unless the patient has opted out. Clergy may receive directory information (including religious affiliation) unless the patient objects.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples
- Providing a room number and “stable” condition to a spouse who asks for the patient by name.
- Confirming to a disaster relief team that a missing person has been admitted and is “in fair condition.”
Public Health Reporting
Public Health Reporting allows disclosures of PHI to public health authorities for prevention or control of disease, injury, or disability. Share only what is required or reasonably necessary for the public health purpose and follow applicable reporting laws.
Typical reportable events
- Communicable disease reports (for example, tuberculosis or measles) to a public health department.
- Adverse events or product problems to agencies that oversee product safety.
- Child abuse or neglect reports to the proper authority.
- Workplace medical surveillance results to an employer when the law permits and the services are provided at the employer’s request.
- Proof of immunization to a school that state law requires to have it, with the agreement of a parent, guardian, or the adult or emancipated minor patient; the agreement may be oral but must be documented.
Law Enforcement Disclosures
HIPAA permits or requires certain disclosures to law enforcement. Always verify the legal authority for the request and disclose only what is appropriate for the stated purpose.
Permitted scenarios
- Compliance with a court order, warrant, or subpoena that meets HIPAA requirements.
- Reporting certain wounds or injuries (such as gunshot wounds) when state law requires it.
- Limited information to identify or locate a suspect, fugitive, material witness, or missing person.
- Information about a victim of a crime with the individual’s agreement, or when the individual is incapacitated and other conditions are met.
- Crimes on the premises, or in emergencies when the crime occurred elsewhere and disclosure is necessary to report the crime.
- Suspicious death or criminal conduct related to a death to a medical examiner or appropriate authority.
Limited identifiers allowed for identification requests
You may share basic identifiers such as name, address, date and place of birth, Social Security number, blood type/Rh, type of injury, dates/times of treatment or death, and distinguishing physical characteristics. Do not disclose DNA profiles, dental records, or body fluid/tissue analysis under this specific identification provision.
Adhering to Minimum Necessary Standard
The Minimum Necessary Standard requires you to make reasonable efforts to use, disclose, and request only the PHI needed to accomplish the purpose. Build role‑based access, standard protocols, and approval workflows to support consistent application.
The standard does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual (or Personal Representative Disclosure), uses or disclosures made pursuant to a valid Patient Authorization, disclosures required by law, or disclosures to the Department of Health and Human Services for compliance investigations.
Practice tips
- Share a summary or the relevant subset of the record, not the entire chart, when that is enough for the purpose (note that "limited data set" is a separately defined HIPAA term for research, public health, and operations uses with direct identifiers removed, and is not the same as a trimmed chart).
- Verify requestors’ identities and legal authority before disclosing PHI.
- Document your rationale when judgment calls are necessary, especially in emergencies.
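The decision logic in this section and in the law enforcement identification provision above can be enforced as a field-level filter rather than left to each person's judgment at the point of release. The following is an added example, not code from the original page or from any product it mentions: a small Python policy function that applies the Minimum Necessary Standard with its exemptions, role-based allowlists for routine disclosures, the identifier allowlist (and the DNA/dental/body fluid exclusions) for law enforcement identification requests, and authorization-only handling of psychotherapy notes. The field names, the role allowlists, and the sample record are assumptions constructed for illustration, and the model treats psychotherapy notes as releasable only under a valid authorization without distinguishing the originator's own treatment use.

```python
"""Added example: field-level "minimum necessary" filter for PHI disclosures.

Field names, role allowlists and the sample record are assumptions for
illustration; they are not a standard schema. Map them to your own data model.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Tuple

# Disclosure purposes to which the Minimum Necessary Standard does not apply
# (45 CFR 164.502(b)(2)). The caller is still expected to use judgment.
MINIMUM_NECESSARY_EXEMPT: FrozenSet[str] = frozenset({
    "treatment",       # to, or requested by, a health care provider for treatment
    "individual",      # to the patient or their personal representative
    "authorization",   # pursuant to a valid patient authorization
    "required_by_law",
    "hhs_compliance",  # to HHS for a compliance investigation
})

# Identifiers that may be shared when law enforcement asks for help identifying
# or locating a suspect, fugitive, material witness or missing person.
LAW_ENFORCEMENT_ID_FIELDS: FrozenSet[str] = frozenset({
    "name", "address", "date_of_birth", "place_of_birth", "ssn", "blood_type_rh",
    "injury_type", "treatment_datetime", "death_datetime", "physical_description",
})
# Never released under that provision, even if requested.
LAW_ENFORCEMENT_ID_PROHIBITED: FrozenSet[str] = frozenset({
    "dna_profile", "dental_records", "body_fluid_tissue_analysis",
})

# Hypothetical role-based allowlists for routine, non-exempt disclosures.
ROLE_ALLOWLISTS: Dict[str, FrozenSet[str]] = {
    "payment": frozenset({"name", "date_of_birth", "insurance_id", "procedure_codes", "service_dates"}),
    "family_involved_in_care": frozenset({"name", "location", "general_condition", "discharge_instructions"}),
    "facility_directory": frozenset({"name", "location", "general_condition"}),
    "law_enforcement_identification": LAW_ENFORCEMENT_ID_FIELDS,
}

# Assumption of this model: psychotherapy notes leave only under an authorization.
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"


class DisclosureDenied(Exception):
    """No permitted disclosure path exists for the request as stated."""


@dataclass(frozen=True)
class DisclosureRequest:
    purpose: str
    requested_fields: FrozenSet[str]


def minimum_necessary(record: Dict[str, Any], request: DisclosureRequest) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Return (released_fields, withheld_fields_with_reason) for one disclosure.

    The second element is the rationale to write to the disclosure log.
    """
    requested = request.requested_fields & frozenset(record)  # ignore fields the record lacks
    withheld: Dict[str, str] = {}

    if request.purpose in MINIMUM_NECESSARY_EXEMPT:
        allowed = set(requested)
    else:
        allowlist = ROLE_ALLOWLISTS.get(request.purpose)
        if allowlist is None:
            raise DisclosureDenied(
                f"no permitted path for purpose {request.purpose!r}; obtain patient authorization"
            )
        if request.purpose == "law_enforcement_identification":
            blocked = requested & LAW_ENFORCEMENT_ID_PROHIBITED
            if blocked:
                raise DisclosureDenied(
                    f"not disclosable under the identification provision: {sorted(blocked)}"
                )
        allowed = set(requested & allowlist)
        for name in requested - allowed:
            withheld[name] = f"not in minimum-necessary allowlist for {request.purpose!r}"

    # Psychotherapy notes are withheld for every purpose except a valid authorization.
    if PSYCHOTHERAPY_NOTES in allowed and request.purpose != "authorization":
        allowed.discard(PSYCHOTHERAPY_NOTES)
        withheld[PSYCHOTHERAPY_NOTES] = "psychotherapy notes require patient authorization"

    released = {name: record[name] for name in sorted(allowed)}
    return released, withheld


# Constructed sample record for demonstration; not real patient data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "J. Doe",
    "address": "1 Example St",
    "date_of_birth": "1980-01-01",
    "ssn": "000-00-0000",
    "blood_type_rh": "O+",
    "location": "Room 412",
    "general_condition": "stable",
    "discharge_instructions": "Keep the wound dry for 48 hours.",
    "medication_list": ["warfarin 5 mg daily"],
    "dna_profile": "<not releasable under 164.512(f)(2)>",
    "psychotherapy_notes": "<session notes>",
}

if __name__ == "__main__":
    # A spouse picking the patient up asks for discharge instructions and the SSN.
    req = DisclosureRequest("family_involved_in_care", frozenset({"discharge_instructions", "ssn"}))
    print(minimum_necessary(SAMPLE_RECORD, req))
```

The returned `withheld` map is what the practice tip above asks you to keep: it records, per field, why the disclosure was narrowed, so the judgment call is documented at the moment it is made rather than reconstructed later.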
Conclusion
Under HIPAA, you can share PHI when it advances treatment, safeguards people from serious harm, or fulfills public health and legal duties—while limiting what you disclose to the Minimum Necessary Standard. When a use is not expressly permitted or required, obtain Patient Authorization before sharing.
FAQs
When can PHI be shared without patient consent?
You may share PHI without consent for treatment, payment, and health care operations; when required by law; for Public Health Reporting; to avert a serious and imminent threat; for certain facility directory and notification purposes; with family or friends involved in care when the patient agrees or you use best judgment; with a personal representative; with law enforcement under defined circumstances; and with HHS for compliance. Disclosures outside these purposes generally require Patient Authorization.
How does the minimum necessary rule apply?
Apply the Minimum Necessary Standard to most uses, disclosures, and requests by limiting PHI to what is reasonably needed. It does not apply to disclosures to a provider for treatment, to the individual (or Personal Representative Disclosure), those made with a valid Patient Authorization, those required by law, or disclosures to HHS. Use role‑based access and standardized workflows to implement the rule consistently.
What information can be disclosed to family members?
With the patient’s agreement (or using professional judgment when the patient is unavailable or incapacitated), you may share only the PHI directly relevant to the person’s involvement in care or payment—such as discharge instructions or medication changes. A personal representative may receive broader access consistent with their authority, subject to exceptions to protect the patient from harm and any applicable state‑law limits (for example, certain sensitive services for minors).
When is PHI reportable to law enforcement?
PHI is reportable to law enforcement when required by a lawful order or specific state reporting law; to identify or locate a suspect or missing person (limited identifiers only); to report crimes on the premises or in certain emergencies; for victims of crime with appropriate agreement or conditions; and for deaths or injuries suspected to involve criminal conduct. Outside these defined paths, obtain Patient Authorization or direct the requestor to secure the proper legal process.