Permitted Uses and Disclosures of HIPAA

All healthcare providers have a responsibility to keep their staff trained and informed regarding Health Insurance Portability and Accountability Act (HIPAA) compliance. Whether intentional or accidental, unauthorized disclosure of protected health information (PHI) is considered a violation of HIPAA. Remind your staff at each meeting about the importance of avoiding disclosure of information through routine conversation; not discussing patient information in waiting areas, hallways, or elevators; properly disposing of PHI; and strictly limiting access to information to employees whose jobs require it.

A covered entity may use or disclose PHI without authorization under certain conditions.


PHI Can Be Disclosed to the Individual

Providers or other covered entities are allowed to disclose PHI to the individual patient without authorization. Since the patient is the subject of the information being shared, information can be freely given to them.


Disclosure for Treatment, Payment, and Healthcare Operations

A covered entity may use or disclose protected health information without authorization for treatment, payment, and healthcare operations reasons.

  1. Treatment: Providers can share PHI with each other for the purpose of treating the patient, including consultations and referrals.
  2. Payment: Health plans and providers are allowed to share PHI with each other so the health plan can fulfill benefit obligations and providers can receive reimbursement for services.
  3. Health care operations: Includes activities such as case management, care coordination, medical reviews and audits, and others.

Uses and Disclosures With Opportunity to Agree or Object

This covers a provider's right to obtain informal permission from the patient in certain circumstances, where the patient is given the opportunity to agree or object. Informal permission allows the provider to contact a third party on the patient's behalf or list the patient in its facility directory.


Incidental Use and Disclosure

Reasonable safeguards must be taken to minimize the risk of an incidental use or disclosure of PHI. An incidental use or disclosure is one that occurs as a by-product of another, otherwise permitted, use or disclosure.


Public Interest and Benefit Activities

Specific conditions may require that PHI is shared for the purpose of public interest, where the public interest outweighs the need for a patient's personal privacy. These conditions include:

  1. As required by law such as in a court order
  2. To government authorities regarding victims of abuse, neglect or domestic violence
  3. Health care oversight activities such as audits and investigations
  4. Judicial and administrative proceedings
  5. Law enforcement purposes such as information about a suspect or victim of a crime
  6. Information about a deceased person
  7. Information about the donation and transplantation of a cadaveric organ, eye, or tissue
  8. The purpose of research
  9. To prevent a serious threat to health or safety
  10. To assist with certain essential government functions
  11. To comply with workers' compensation laws

Limited Data Set

A limited data set of PHI can be shared as long as certain identifiers are removed from the information. PHI can be broken down into 18 identifiers.

  1. Names
  2. Address
  3. Elements of dates including birth date, admission date, discharge date, and date of death
  4. Telephone numbers
  5. Fax numbers
  6. E-mail address
  7. Social security numbers
  8. Medical record numbers
  9. Insurance policy numbers
  10. Account numbers
  11. Certificate/license numbers
  12. License plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses and numbers
  16. Fingerprints
  17. Photos
  18. Any other unique identifying number, characteristic, or code
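As an added example (not part of the original article), the following Python script shows one way a release process could enforce the identifier list above before a record leaves the organization: it drops the structured identifier fields, then scans any remaining free text for identifier patterns that commonly leak through notes. The field names, regular expressions, and sample record are assumptions constructed for this illustration; date fields are flagged for manual review rather than silently removed.

```python
from __future__ import annotations
import re
from typing import Any

# Structured fields corresponding to the identifier categories listed above.
# Field names are an assumption for this example, not a HIPAA-defined schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "policy_number", "account_number", "license_number", "license_plate",
    "device_serial", "url", "ip_address", "fingerprint", "photo",
}

# Patterns for identifiers that tend to leak inside free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def build_limited_data_set(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Drop direct-identifier fields, then scan what remains for leaks.

    Returns (reduced_record, findings). A non-empty findings list means the
    record is NOT ready for release until the flagged items are reviewed.
    """
    reduced = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    findings: list[str] = []
    for field, value in reduced.items():
        if field.endswith("_date"):  # date elements are identifier #3 above
            findings.append(f"{field}: date element present, review before release")
        if not isinstance(value, str):
            continue
        for label, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"{field}: possible {label} in free text")
    return reduced, findings


# Constructed sample record for demonstration only; all values are fictitious.
SAMPLE = {
    "mrn": "000123",
    "name": "Example Patient",
    "diagnosis_code": "J45.20",
    "admission_date": "2023-04-01",
    "notes": "Discussed plan; patient asked to be reached at 555-123-4567.",
}

if __name__ == "__main__":
    print(build_limited_data_set(SAMPLE))
```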

Releasing Protected Health Information With an Authorization

The individual can authorize a release of their PHI. This is often done for purposes such as qualifying for health insurance or life insurance. A valid authorization to release protected health information includes:

  • Identity verification such as a driver's license.
  • A description of the information to be used or disclosed.
  • The name of the person or organization authorized to disclose the information.
  • The name of the person or organization to whom the information is to be disclosed.
  • Signature of the person authorized to release the information.


As a health care provider, it is your responsibility to be informed about the standards involving PHI under the HIPAA Privacy Rule. The HIPAA Privacy Rule details information on how protected information can be used and disclosed and what information is considered PHI. It also identifies the role providers have in informing patients of their privacy rights.