What are the permitted uses and disclosures of PHI?

Healthcare organizations today still have questions about permissible uses and disclosures of protected health information (PHI). However, understanding permissions helps healthcare practitioners achieve their PHI security goals. It also helps covered entities and business associates safeguard patients and their personal information.

The U.S. Department of Health and Human Services (HHS) enacted HIPAA to protect patient privacy and set security requirements for covered entities. The federal regulation defines how, when, and why it is appropriate to share PHI safely and securely and what is shareable.

A HIPAA summary

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. legislation that protects the rights and privacy of patients. The act sets out the rules and regulations surrounding access to and disclosure of PHI. Most referenced is Title II, which establishes the policies and procedures for safeguarding PHI and includes several rules (and addendums):

• Privacy Rule (2003) – provides guidelines on PHI use and disclosure
• Security Rule (2005) – sets necessary safeguards to protect electronic PHI
• Enforcement Rule (2006) – sets the standards of enforcing HIPAA and penalizing noncompliant healthcare providers
• HITECH Act (2009) – promotes the adoption and meaningful use of technology in healthcare
• Breach Notification Rule (2009) – requires healthcare providers to report data breaches
• Final Omnibus Rule (2013) – incorporates HITECH further by improving privacy protections

A covered entity may only use or disclose PHI if either: (1) the organization received explicit patient authorization; or (2) the Privacy Rule specifically permits or requires it. Any use or disclosure that does not meet either criterion may result in a HIPAA violation.

Permitted use and disclosure: patient authorization

Patient authorization is explicit consent obtained from an individual. It permits a healthcare organization to use and/or disclose PHI for a purpose not permitted by the Privacy Rule. For example, this includes using PHI for marketing or research purposes. Without HIPAA authorization, such use or disclosure of PHI would violate HIPAA, possibly resulting in a severe financial penalty or criminal charges.

According to HIPAA, an authorization form must contain specific, clear language to ensure patients understand what they are agreeing to. A signed and dated authorization must include:

• What PHI will be used or disclosed
• Who will use or disclose the PHI
• Who the PHI will be shared with
• An expiration date
• In some cases, the purpose for using or disclosing the PHI
• The patient's right to revoke the authorization

Permitted use and disclosure: The Privacy Rule exceptions

The Privacy Rule permits the use or disclosure of PHI without patient authorization for several purposes or situations:

1. To an individual (unless required for access or accounting of disclosures).
2. For treatment, payment, and healthcare operations.
3. With an opportunity to agree or object.
4. As an incident to an otherwise permitted use and disclosure.
5. For public interest and benefit activities.
6. As limited datasets for research, public health, or healthcare operations.

All patients have the right to access their PHI. HHS created the Right of Access Initiative in 2019 to provide better support for such requests. The other five purposes or situations guide the communication of PHI within and to others, for various reasons.

Related: What are HIPAA Right of Access provisions?

Use and disclosure for healthcare operations

Under HIPAA, healthcare organizations can use and disclose PHI for essential healthcare operations, such as administrative, financial, legal, and quality improvement activities. Examples include:

• quality assessments for patient safety or general health/healthcare costs
• in support of compliance
• the development of clinical guidelines and protocols
• the review and evaluation of healthcare providers
• employee training
• the detection of fraud

Such use and disclosures must reinforce or improve a covered entity's core functions and help to improve patient care quality.

Use and disclosure for patient treatment

Organizations can also use and disclose PHI for patient treatment, broadly defined as the coordination or management of healthcare and related services. Patient data is shareable between healthcare practitioners or within healthcare organizations to help strengthen patient care.

Examples include:

• a doctor providing PHI to a nutritionist for approved patient treatment
• a CE hiring a care planning business associate who requests access
• a hospital discharging a patient into a care facility

When required, such consultation or referral may occur without direct patient authorization.

Use and disclosure for other possible scenarios

Other possible scenarios may occur as required by law, for litigation or investigation, to report a communicable disease, for donation or research purposes, or to report abuse or neglect. In such cases, healthcare providers should be cautious and cognizant of other applicable regulations related to personally identifiable information (PII).

No matter what, covered entities must meet four conditions whenever sharing PHI:

1. The healthcare organization must have a relationship (past or present) with the patient.
2. The disclosed PHI must pertain to the relationship.
3. The discloser must still adhere to the Privacy Rule's minimum necessary requirement (i.e., limit PII in datasets).
4. A patient must have an opportunity to agree or object.

Learn more: Can healthcare providers disclose PHI to family members without patient consent?

A use and disclosure checklist

It is up to each organization to understand permitted use and disclosure under HIPAA. Use this checklist to ensure you follow the regulations' guidelines and protect patients.

1. Identify the type of PHI your organization uses and stores and how you plan to safeguard it. Use the principle of least privilege to classify PHI into three levels: restricted, internal, and public.
2. Deidentify information when possible and keep identifiers (i.e., PHI) to a minimum.
3. Ensure that the information being used and/or disclosed is pertinent and necessary to share.
4. Obtain written consent from patients as needed and when able.
5. When necessary to communicate PHI, guarantee that transmission methods (e.g., HIPAA compliant email) are safe.
6. Limit access to authorized staff. For staff that have access, guarantee that they understand the responsibilities, regulations, policies, and procedures when it comes to permitted uses and disclosures.
7. Keep accurate records of all patient authorizations as well as uses and disclosures.
8. Utilize and implement up-to-date use and disclosure policies and procedures.

Finally, and as always, stay on top of changes to HIPAA and other state/federal regulations.