Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Permitted uses and disclosures of protected health information (PHI) under HIPAA

Written by Tshedimoso Makhene | September 15, 2025

Information is the backbone of modern healthcare. It guides clinical decisions, supports coordination among providers, and ensures patients receive safe, effective, and timely care. As HHS guidance on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule puts it, “Information is essential fuel for the engine of health care. Physicians, medical professionals, hospitals and other clinical institutions generate, use and share it to provide good care to individuals, to evaluate the quality of care they are providing, and to assure they receive proper payment from health plans.”

Because of this central role, the way health information is shared and protected is tightly regulated. HIPAA establishes clear rules for how protected health information (PHI) can be used and disclosed. These rules balance two critical needs: allowing the flow of health data to support care, operations, and public health, while safeguarding patients’ privacy and trust.

Understanding when PHI can be shared without patient authorization and when consent is required is key to compliance. 

 

HIPAA and information sharing

HIPAA serves as a cornerstone for safeguarding individuals’ PHI. While much attention is given to what covered entities cannot do with PHI, it is equally important to understand the circumstances under which PHI may be used or disclosed without an individual’s authorization. These are known as permitted uses and disclosures, and they provide critical flexibility for healthcare operations while still respecting patient privacy.

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions (claims, eligibility checks, and the like). These entities, and the business associates that handle PHI on their behalf, must comply with HIPAA rules when handling PHI. At the same time, HIPAA recognizes that sharing PHI is required for delivering quality care, coordinating treatment, managing payment, conducting research, and serving public health interests. The law balances individual privacy with these operational and societal needs.

As the HHS summary of the HIPAA Privacy Rule states, “A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual; (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.” Covered entities may rely on professional ethics and best judgment in deciding which of these permissive uses and disclosures to make.

 

Disclosure to the individual

HIPAA states that “a covered entity may disclose protected health information to the individual who is the subject of the information.” No authorization is needed for this disclosure. This permission should not be confused with the individual’s right of access under 45 CFR 164.524: when a patient asks for their own records, a covered entity is generally required to provide them within the Rule’s time limits, subject only to narrow exceptions such as psychotherapy notes or information compiled for litigation.

For example, a patient may request copies of their medical records, lab results, or billing statements. This provision emphasizes patient-centered care and transparency, ensuring individuals can actively manage their own health.

Learn more: How to handle patient data requests

 

Treatment, Payment, and Health Care Operations (TPO)

Another category of permitted disclosures is Treatment, Payment, and Health Care Operations (TPO). HIPAA allows covered entities to use or disclose PHI for these purposes without patient authorization. As the rule explains, a covered entity may use and disclose PHI for its own TPO activities and also for “the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.”

  • Treatment: Treatment is defined as “the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.” For example, a primary care physician may share PHI with a cardiologist for patient care coordination.
  • Payment: Payment encompasses “activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.” This includes billing, claims processing, and reimbursement coordination.
  • Health care operations: Health care operations are defined broadly and include activities such as: 
    • “Quality assessment and improvement activities, including case management and care coordination”
    • “Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation”
    • “Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs”
    • Certain insurance functions, business planning, and administrative activities, including “de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.”

 

The Privacy Rule also notes that “most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization.” Separately, obtaining “consent” (a patient’s written permission to use and disclose PHI for TPO) is optional under the Privacy Rule: a covered entity may ask for it as a matter of policy, but TPO uses and disclosures are permitted without it. Consent in this sense is distinct from the formal authorization required for uses and disclosures outside the permitted categories.

 

Uses and disclosures with opportunity to agree or object

HIPAA recognizes situations where the patient can be given an opportunity to agree or object. According to the rule, informal permission may be obtained “by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object.”

  • Facility directories: Many healthcare facilities maintain a directory of patient contact information. HIPAA states that covered entities may rely on “an individual's informal permission to list in its facility directory the individual's name, general condition, religious affiliation, and location in the provider's facility.” Providers may disclose the patient’s condition and location to anyone asking by name, and religious affiliation to clergy.
  • Notification and other purposes: Covered entities may also disclose PHI to family, friends, or others involved in the patient’s care or payment for care. HIPAA explains, “A covered entity also may rely on an individual's informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual's care of the individual's location, general condition, or death.” This is especially relevant in emergencies or when a patient is incapacitated.

 

Incidental uses and disclosures

HIPAA acknowledges that incidental disclosures may occur even when safeguards are in place. The Privacy Rule clarifies, “A use or disclosure of this information that occurs as a result of, or as ‘incident to,’ an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards… and the information being shared was limited to the ‘minimum necessary.’”

Examples include overheard conversations, visible PHI on screens, or accidental exposure in routine operations. While every risk does not need to be eliminated, reasonable safeguards and staff training are critical.

 

Public interest and benefit activities

HIPAA also permits disclosures for public interest and benefit purposes. These include twelve national priority purposes. HIPAA states, “The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization, for 12 national priority purposes… Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.”

The 12 national priority purposes:

  • Required by law: Disclosures mandated by statute, regulation, or court order, limited to what the law requires.
  • Public health activities: To public health authorities, FDA-regulated entities, individuals exposed to communicable diseases, and employers regarding workplace-related illnesses or injuries.
  • Victims of abuse, neglect, or domestic violence: Shared with government authorities authorized to receive such reports, under specific conditions.
  • Health oversight activities: Shared with agencies conducting audits, investigations, inspections, or oversight of the healthcare system and government benefit programs.
  • Judicial and administrative proceedings: Shared in response to court orders, or to subpoenas and other lawful process when the Rule’s notice or protective-order conditions are met.
  • Law enforcement purposes: Under specified conditions, including identifying or locating a suspect, fugitive, witness, or missing person; reporting deaths suspected to result from criminal conduct; and reporting a crime on the covered entity’s premises.
  • Decedents: To funeral directors as needed, and to coroners or medical examiners to identify a deceased person or determine cause of death.
  • Cadaveric organ, eye, or tissue donation: To organ procurement organizations and similar entities to facilitate donation and transplantation.
  • Research: Without authorization when an Institutional Review Board (IRB) or Privacy Board has approved a waiver of authorization, for activities preparatory to research, or for research on decedents’ information. Research using a limited data set is handled under a separate permission and a data use agreement.
  • Serious threats to health or safety: Covered entities may disclose PHI, consistent with applicable law and ethical standards, to prevent or lessen a serious and imminent threat to a person or the public.
  • Essential government functions: Military and veterans’ activities, national security and intelligence, protective services for the President, and certain public benefit and correctional purposes.
  • Workers’ compensation: Disclosures as authorized by workers’ compensation laws.

 

Limited data sets

A limited data set is PHI with certain direct identifiers removed. HIPAA defines it as “protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.” Limited data sets may be disclosed for research, public health, or healthcare operations, provided the recipient enters into a data use agreement ensuring safeguards.
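The post describes a limited data set but does not enumerate the identifiers that must be removed. As an added example (not code from the post or from Paubox), the Python below projects a patient record onto the fields a limited data set may retain, then runs a pre-release check. The list of direct identifiers is from 45 CFR 164.514(e)(2); the record layout, field names and the sample record are assumptions constructed for illustration.

```python
import re
from typing import Any

# Fields a limited data set may retain under 45 CFR 164.514(e): dates,
# geography no finer than city/state/ZIP, ages, and clinical content.
# The exact field names are an assumption about the upstream record layout.
LDS_ALLOWED_FIELDS = frozenset({
    "city", "state", "zip", "age",
    "date_of_birth", "admission_date", "discharge_date", "date_of_death",
    "diagnosis_codes", "procedure_codes", "lab_results", "clinical_notes",
})

# Direct identifiers that often hide inside free text after the structured
# identifier fields are gone; each match is replaced with a placeholder.
FREE_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE), "[MRN]"),
)


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Project a PHI record onto the fields a limited data set may hold.

    An allow-list is used rather than a list of fields to delete, so a new or
    nested field (an emergency contact's phone number, an employer's name)
    is dropped by default instead of leaking. String values that survive are
    scrubbed for identifier patterns.
    """
    limited: dict[str, Any] = {}
    for field, value in record.items():
        if field not in LDS_ALLOWED_FIELDS:
            continue
        limited[field] = scrub_text(value) if isinstance(value, str) else value
    return limited


def find_direct_identifiers(record: dict[str, Any]) -> list[str]:
    """Pre-release check: list fields or values that look like direct identifiers.

    An empty list means the record passed; anything else means it must not be
    released as a limited data set, data use agreement or not.
    """
    findings: list[str] = []
    for field, value in record.items():
        if field not in LDS_ALLOWED_FIELDS:
            findings.append(f"disallowed field: {field}")
        elif isinstance(value, str):
            for pattern, placeholder in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    findings.append(f"{placeholder} pattern in {field}")
    return findings


# Constructed sample record; not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "date_of_birth": "1980-02-14",
    "admission_date": "2025-09-01",
    "diagnosis_codes": ["I10", "E11.9"],
    # Relative's identifiers must go too; the allow-list drops the whole field.
    "emergency_contact": {"name": "John Sample", "phone": "555-867-5309"},
    "clinical_notes": "Pt stable. Spouse John reachable at 555-867-5309 "
                      "or john@example.com. See MRN 0042.",
}

if __name__ == "__main__":
    print("before:", find_direct_identifiers(SAMPLE_RECORD))
    lds = to_limited_data_set(SAMPLE_RECORD)
    print("after:", find_direct_identifiers(lds))
    print(lds)
```

The regex pass catches identifiers with a fixed shape (SSNs, phone numbers, email addresses, MRNs) but not names written into free text, as the surviving “Spouse John” in the sample shows. For a real release, either drop free-text fields from the limited data set entirely or run them through a reviewed de-identification step, and release only once the recipient has signed the data use agreement.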

 

Best practices for permitted uses and disclosures

While HIPAA provides flexibility, covered entities are expected to exercise professional ethics and sound judgment. As the Privacy Rule notes, “Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.” Key best practices include:

  • Minimize risk: HIPAA’s Minimum Necessary standard requires “covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.” In practice, entities should use or disclose only the minimum information needed for the intended purpose. The standard does not apply to disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures made under an authorization, or disclosures required by law.
  • Document decisions: HIPAA’s Security Rule requires that “a regulated entity must maintain documentation required for written policies and procedures implemented to comply with the Security Rule and actions, activities, or assessments required by the Security Rule to be documented until six years after the later of: 1) the date of the document’s creation or 2) the date the document was last in effect.” Separately, the Privacy Rule’s accounting of disclosures requirement (45 CFR 164.528) means covered entities must track disclosures outside TPO and certain other exceptions, including most public interest disclosures, so that an individual can obtain an accounting on request. Recording the rationale for each such disclosure makes that accounting, and any later OCR inquiry, far easier to answer.
  • Implement safeguards: HIPAA’s Security Rule requires the implementation of physical, technical, and administrative safeguards to prevent inappropriate access.
  • Educate staff: HIPAA’s Security Rule also requires HIPAA-regulated entities to “train all workforce members on its security policies and procedures.” This training must be provided regularly.
  • Use data agreements: When sharing limited data sets, formal agreements specify responsibilities and safeguards.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

 

FAQs

What is considered PHI under HIPAA?

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in any form, whether demographic details, medical records, billing information, or conversations about a patient’s care. If it relates to a person’s health condition, treatment, or payment for care and can reasonably identify that person, it counts as PHI.

 

What happens if PHI is disclosed improperly?

Improper disclosure can result in HIPAA violations, leading to civil penalties, corrective action plans, or even criminal charges, depending on the severity. It can also damage a healthcare organization’s reputation and patient trust.

 

Who enforces HIPAA rules about PHI disclosures?

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA’s Privacy and Security Rules.