When Can You Disclose PHI Under HIPAA? Permitted Uses and Exceptions
Treatment Payment and Health Care Operations
What counts as TPO
HIPAA allows covered entities to use or disclose protected health information (PHI) without patient authorization for treatment, payment, and health care operations (TPO). Treatment covers care coordination, referrals, and consultations. Payment includes billing, eligibility checks, claims management, and utilization review. Health care operations span quality assessment, peer review, accreditation, training, and fraud prevention.
Applying the Minimum Necessary Standard
For payment and operations, you must limit PHI to the Minimum Necessary Standard—only what is reasonably needed to achieve the purpose. This involves role-based access, policies that define the least data required, and routine data minimization. The Minimum Necessary Standard does not apply to disclosures for treatment, to the individual, required-by-law disclosures, or disclosures to HHS for Privacy Rule Compliance activities.
Covered entities, business associates, and safeguards
Covered entities (health plans, most providers, and clearinghouses) and their business associates may share PHI for TPO if a business associate agreement is in place. Maintain audit trails, workforce training, and access controls to demonstrate compliance and to prevent uses beyond TPO.
Public Health Activities and Reporting
Public health authorities and surveillance
You may disclose PHI to a public health authority for public health surveillance, investigations, and interventions. Examples include reporting notifiable diseases, exposures, and vital events; notifying people at risk of contracting or spreading a disease; and reporting adverse events or product issues to the FDA.
Employer and school-related reporting
Disclosures are permitted to an employer regarding work-related illnesses or workplace medical surveillance when required by law. You may also disclose proof of a student’s immunization to a school if you document the parent’s or guardian’s agreement (or the student’s, when applicable).
Abuse, neglect, or domestic violence
HIPAA permits disclosures to appropriate government authorities about suspected abuse, neglect, or domestic violence, consistent with state law and patient safety considerations. Limit the disclosure to what is necessary and document the basis for your good-faith belief.
Health Oversight Agency activities
Disclosures are also allowed to a Health Oversight Agency for audits, investigations, inspections, licensure or disciplinary actions, and oversight of government health programs. Provide only what the oversight activity requires and track non-routine disclosures.
Judicial and Law Enforcement Disclosures
Court orders, warrants, and a judicial subpoena
With a court order or warrant, you may disclose only the PHI expressly authorized by the order. When responding to a judicial subpoena or discovery request not accompanied by a court order, you must receive satisfactory assurances (such as a qualified protective order) or make reasonable efforts to notify the individual or seek a protective order before disclosing. Administrative requests must be specific, limited in scope, and relevant to a legitimate inquiry.
Disclosures to law enforcement
HIPAA permits limited disclosures to law enforcement to: identify or locate a suspect, fugitive, witness, or missing person; report certain injuries (for example, gunshot or stab wounds) required by law; respond to crimes on the premises; report a crime in a medical emergency; or share information about a decedent when death may have resulted from criminal conduct. Disclose the minimum necessary and verify the requester’s authority.
Decedent and Organ Donation Information
Coroners, medical examiners, and funeral directors
You may disclose PHI to coroners and medical examiners to identify a deceased person, determine cause of death, or perform other authorized duties, and to funeral directors as needed to carry out their responsibilities. PHI of a person deceased for more than 50 years is no longer PHI under HIPAA.
Organ donation coordination
Disclosures to an Organ Procurement Organization are permitted to facilitate organ, eye, or tissue donation and transplantation. You may also share relevant PHI with family members or others involved in the decedent’s care prior to death, unless doing so is inconsistent with known prior preferences.
Research Use of PHI
Pathways to use or disclose PHI for research
Research access to PHI can occur without individual authorization only when specific conditions are met. Common pathways include: an Institutional Review Board (IRB) or Privacy Board waiver of authorization; use of a limited data set under a data use agreement; reviews preparatory to research (no PHI leaves your organization); and research solely on decedents’ information with documentation of necessity. De-identified data fall outside HIPAA and may be used freely.
Minimum necessary and accountability
When a waiver or other exception applies, disclose only the minimum necessary PHI and document the basis for the disclosure. For research disclosures without authorization, include them in your accounting of disclosures as required and ensure data security measures match the sensitivity of the dataset.
Serious Threats and Government Functions
Averting a serious threat to health or safety
You may disclose PHI, in good faith, to prevent or lessen a serious and imminent threat to a person or the public when the disclosure is made to someone reasonably able to prevent or mitigate the threat (such as law enforcement or a targeted individual). Limit disclosure to information pertinent to the threat.
Specialized government and correctional functions
HIPAA permits certain disclosures for specialized government functions, including to military command authorities, national security and intelligence activities, and to provide protective services for public officials. Correctional institutions and law enforcement officials may receive PHI about inmates or individuals in lawful custody when necessary for health, safety, or institutional security.
Disclosures for compliance and workers’ compensation
You may disclose PHI to the U.S. Department of Health and Human Services to demonstrate Privacy Rule Compliance, and as required by workers’ compensation or similar laws. In all cases, confirm the legal authority and disclose only what the law requires.
Incidental Uses and Safeguards
What is an incidental disclosure
Incidental disclosures are unintended, secondary disclosures that occur as a by-product of an otherwise permitted use or disclosure—for example, a patient name overheard at a nursing station or a limited sign-in sheet visible at check-in. These are permissible only when you have applied reasonable safeguards and the Minimum Necessary Standard to the underlying activity.
Practical safeguards to stay compliant
- Use privacy screens, speak quietly in public areas, and position workstations away from public view.
- Confirm fax and email recipients; include a confidentiality notice and verify addresses before sending.
- Adopt role-based access and routinely review who can see what.
- Train staff to redirect sensitive conversations to private settings and to verify requesters’ identities.
Conclusion
HIPAA permits PHI disclosures without authorization in defined circumstances: TPO; public health and oversight; judicial and law enforcement; decedent and donation; research under strict conditions; serious threats and specialized government functions; and limited incidental disclosures with safeguards. Anchor every decision in verification, necessity, and documented Privacy Rule Compliance to protect patients while meeting legal and operational needs.
FAQs
What are the permitted uses of PHI without authorization?
HIPAA permits PHI uses and disclosures without authorization for treatment, payment, and health care operations; public health reporting and surveillance; disclosures to a Health Oversight Agency; judicial and administrative proceedings with proper process; certain law enforcement purposes; decedent-related needs and to an Organ Procurement Organization; research under an IRB/Privacy Board waiver or other allowed pathways; averting serious threats; specialized government functions; workers’ compensation; and disclosures to HHS for Privacy Rule Compliance. If a situation is not covered, obtain a valid authorization.
When can PHI be disclosed for law enforcement purposes?
You may disclose PHI to law enforcement to comply with a court order, warrant, or judicial subpoena with required assurances; to identify or locate a suspect, fugitive, witness, or missing person (limited identifiers only); to report certain injuries required by law; regarding crimes on the premises or in medical emergencies; and about a decedent when death may involve criminal conduct. Always verify authority and disclose the minimum necessary.
How does the Minimum Necessary Standard apply to PHI disclosures?
For most uses, disclosures, and requests, you must limit PHI to the least amount needed to achieve the purpose using role-based access, policies, and documentation. The Minimum Necessary Standard does not apply to disclosures for treatment, to the individual, required-by-law disclosures, or disclosures to HHS for Privacy Rule Compliance. When it does apply, tailor data elements to the task and maintain evidence of your determinations.
What are incidental disclosures under HIPAA?
Incidental disclosures are unintended, secondary exposures that occur despite reasonable safeguards—for example, a name overheard or a limited sign-in sheet. They are permissible only when the underlying activity is allowed, you applied appropriate safeguards, and you limited PHI consistent with the Minimum Necessary Standard. Repeated or preventable exposures indicate inadequate safeguards and must be corrected.