Permitted Uses and Disclosures of PHI

Privacy & Compliance

Sharing Protected Health Information

The Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 were intended to allow information sharing by ensuring that sensitive health data is maintained securely and shared only for appropriate purposes or with the authorization of the individual.

  • Permitted Uses and Disclosures
  • Psychotherapy Uses and Disclosures
  • Opportunities to Agree or Object
  • Public Interest and Benefit Activities

1. Permitted Uses and Disclosures

There are permitted uses and disclosures of PHI for different purposes within the healthcare sector.  All employees of an organization that acts as a covered entity or business associate must be aware of these guidelines.  It is always permitted to use and disclose PHI for treatment, payment and health care operations.  If the reason for disclosing the PHI is not one of these purposes, an authorization must be obtained.  By following these guidelines, an organization may stay in compliance with HIPAA's rules and be able to share protected health information.

"Disclosure" refers to the transfer, release, provision of access to, or divulging in any other manner of information outside the entity holding the information.  These definitions are applicable to the sharing of electronic, paper or oral communications.  This does not include the disclosure of PHI to the individual himself or herself.

"Use" is the sharing, employment, application, use, examination or analysis of identifiable health information within the entity that maintains such information.

A major difference between "Disclosure" and "Use" is that use of PHI is internal to the covered entity, while disclosure focuses on external communication of PHI.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but to assist treatment providers in caring for the patient without requiring patient authorization in order to share their PHI.  For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge.  The sharing may be done electronically and must be in a manner that is compliant with the Security Rule.


Sharing for Care Coordination

We now see the need to share data with health care providers for purposes of care coordination.  This has expanded the "permitted uses and disclosures of PHI."  This activity didn't exist when HIPAA was written; it is now required by CMS and is part of a treatment plan.  A health care provider may disclose PHI to another for this treatment purpose without patient authorization.  This information must be shared with all employees of the organization.

Sharing PHI for Treatment

Keep in mind that the purpose of HIPAA is to protect PHI.  In addition, it assists treatment providers in caring for the patient without requiring patient authorization to share their PHI.  For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. As a result, PHI can be shared for treatment electronically and must be in a manner that is compliant with the Security Rule.  The disclosure of PHI may be made also for payment purposes as with a billing company.  Finally, the PHI may be shared for healthcare operation activities. One must also understand these rules may vary from state to state as in the State of Ohio.

2. Authorizations

Health care providers, health care clearinghouses and health plans are obligated to obtain authorizations prior to using or disclosing PHI for purposes other than treatment, payment or health care operations.  Psychotherapy notes cannot be disclosed to any other entity, for any purpose, without specific authorization according to the Privacy Rule.

Disclosure to an attorney's office, and to a life or disability insurance company, is an example of when an authorization is needed.

An authorization must be obtained to disclose medical records in certain circumstances.  First, one is not required when a patient consents to participate in a research project.  Secondly, it is not required when the patient requests a transfer of medical records to another medical provider's office.

A covered entity can use one authorization form for all purposes.  Of course, if the authorization is for multiple purposes, it must give a description of each purpose of the use or disclosure.

The authorization must be for a limited amount of time.  The documentation must be retained for six years from the date of its creation or the date it last was in effect.

Writing Authorizations

Authorizations must be written simply, using plain language.  They must focus on the needs of the reader and must contain the following items:

  • A description of the information to be used or disclosed.
  • The name of the person who will be authorized to make the requested use or disclosure.
  • The person to whom the covered entity may make the requested use or disclosure.
  • An expiration date that relates to the individual or purpose of the use or disclosures.
  • A description of each purpose of the use or disclosure.
  • The signature of the individual and the date.

In addition to the above elements, the authorization must also contain other statements.  These must contain the following:

  • The individual has the right to revoke the authorization in writing and the exceptions to the right to revoke.  There may also be a description of how the individual may revoke the authorization.
  • A statement that treatment, payment, enrollment or eligibility for benefits is not affected by the refusal to sign the authorization.
  • The potential for the information to be redisclosed by the recipient.
  • If the authorization is signed by the personal representative of the individual, a description of such representative's authority to act for the individual.

Combined Authorizations

Authorizations for use or disclosure of PHI created for any research project that includes treatment may be combined only with a notice of privacy practices.

Permissions authorizing the use or disclosure of psychotherapy notes may be combined only with other authorizations for such use or disclosure.

Authorizations may not be combined if treatment, payment, enrollment in a health plan or eligibility for benefits is conditioned upon a patient's grant of one of the authorizations.

Revoking Authorization

An authorization may be revoked at any time, upon written notice, except to the extent that the authorization already has been relied upon. If an authorization is used to participate in a health plan it may not be revoked if other state or federal law provides the health plan with the right to contest a claim under the policy.

Authorization Created for Research with Treatment

Authorization is required to use or disclose PHI related, in part or whole, as part of any research that includes treatment.  These research authorizations must also contain the following:

  • A description of how much of the PHI created will be used to carry out treatment, payment and health care operations.
  • A description of PHI that will not be used for those purposes when individuals are required to have an opportunity to agree or object to the use of their PHI.
  • A description of PHI not to be used in situations when authorization or an opportunity to agree or object to the use of PHI is not required by the privacy standard.

State Law Requirements

The HIPAA-compliant authorization permitting use of protected health information must contain certain elements.  Do not forget to look at state law requirements as well.  Many states have laws that are more protective of PHI than the federal HIPAA Rules.  In those states, organizations will need to add elements to the authorization.  It is necessary for the covered entity and/or business associate to determine which requirement is most restrictive.

Deficient Authorizations

Authorization is not valid if it has one of the following defects:

  • Expiration date has passed
  • Authorization does not contain all required elements
  • Authorization is attached or combined with other documents in a manner to not be valid under the privacy standard
  • Authorization has false information

3. Psychotherapy Uses and Disclosures

"Psychotherapy notes" are described by the rule as notes recorded, either orally, in writing or otherwise, by a mental health professional who is documenting or analyzing the conversation in a counseling session.  Psychotherapy notes generally do not include medication prescriptions and monitoring; the form and frequency of treatment; clinical test results; or summaries of diagnoses, functional status, the treatment plan, symptoms, prognosis and progress to date.

Psychotherapy Notes

The disclosure of psychotherapy notes by a covered entity requires patient authorization, including when using or disclosing for another covered entity's treatment, payment or health care operation purposes.  The entity may use and disclose psychotherapy notes without an authorization to carry out its own treatment, payment and health care operation purposes as long as the originator of the notes uses them for treatment, the entity is using or disclosing the notes for its own training purposes for its mental health professionals, students and trainees, or the entity is using or disclosing the notes to defend itself in a legal action or other proceeding brought by the individual.

If the notes are used as PHI for research that includes treatment of individuals, the entity must obtain an authorization for the use or disclosure of such information.

There are situations in which these notes allow limited uses or disclosure without authorization.  These are the following:

  • If required by DHHS to enforce regulations
  • If certain uses or disclosures are required by law
  • For oversight of the health care provider who created the note
  • For coroners or medical examiners to conduct their duties
  • To avert a serious and imminent threat to health or safety

An individual does not have a right to access psychotherapy notes as part of their PHI.  DHHS does encourage providers to allow patients to access these notes when appropriate.

Sharing Mental Health Information

In certain circumstances HIPAA allows sharing of mental health information by mental health providers based on professional judgment.   It can be when it is in the best interests of the patient, or to prevent or lessen a risk of harm.

There are several ways the provider may address the situation.  If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient's personal representative (if applicable).

They can also share with family or friends involved in their care if it's determined to be in the patient's best interest.

A provider may contact anyone reasonably able to lessen the risk of harm.   This is important when they believe that a patient presents a serious and imminent threat to the health or safety to themselves or another person.

If there is a risk of harm to themselves or others, or if exhibiting behavior that may threaten their health or safety, providers need to be able to use professional judgment.   As a result, they can identify the potential or likely risk and determine who can help lessen it.

The Office for Civil Rights (OCR) states it won't second-guess a mental health provider's judgement when a patient is a threat to himself or others.  HIPAA allows mental health providers to share information in the appropriate circumstances.

For more detail see the OCR guidance on this vital topic.  Remember to check state law for any restrictions on sharing.  It is the responsibility of all providers of mental health treatment to know the rules before managing this information.

By following these simple guidelines organizations will be able to stay in compliance with HIPAA as they manage their PHI.  One must also realize that there are other ways that one may safely share PHI without having to obtain permission.  An example would be if there is an order from a court or for law enforcement purposes.

4. Disclosures Requiring Opportunity to Agree or Object

HIPAA allows the use and disclosure of PHI when an individual receives oral or written advance notice of the use and disclosure and is given the opportunity to object orally or agree.  (In other words, they are given an opt-out opportunity.)

The Privacy Rule realizes there are times an individual and covered entity make informal, oral agreements to disclose PHI.  This can happen at a hospital when a relative calls to check on a patient's health status.  The hospital may disclose some information regarding the presence of the patient if there are no prior agreements preventing this.  The provider must always give the patient the opportunity to opt out of such disclosures.

In most situations a covered entity may use the patient's name, location in the facility, general condition and religious affiliation in order to maintain a directory for its facility.

A covered entity may disclose to a relative, close friend or any other person identified by the individual any PHI that is related directly to that person's involvement with the patient's care or health care payment.  These disclosures do not include detailed information about the patient's health history.

If a patient is present or available when PHI is to be disclosed to a relative, friend or other third party, the covered entity must give the patient the opportunity to refuse disclosure.  If the individual is not present, or the individual cannot object or agree due to circumstances, the covered entity may use professional judgement and infer the patient does not object.  An entity may also allow a third party to act on the patient's behalf by picking up prescriptions, or other forms of PHI.

A covered entity is not required to verify the identity of relatives or other third parties involved in the individual's treatment.  If the individual has not objected to the involvement of third parties, the covered entity can infer the individual would not object to the involvement of a third party and further verification is not necessary.  All permissions must be evaluated on a case-by-case basis.

All disclosures must be related to a patient's current condition, and not to the specifics of the medical history.  Disclosures should be narrowed to the closest relationships of the patient and only information relevant to the condition.

HIPAA and Same-sex Marriage


The HIPAA Privacy Rule recognizes the important role that family members, such as spouses, often play in a patient's health care.  Most importantly, HIPAA and same-sex marriage have become an important topic to understand.  The Rule requires covered entities to treat an individual's personal representative, who may be a spouse, as the individual responsible under the Privacy Rule, including the right to access the individual's health information.  In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which also includes certain information about family members of the individual, for underwriting purposes.

A Major Court Decision

On June 26, 2013, the Supreme Court held section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional in United States v. Windsor.  Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages. By making this decision the federal government recognizes the rights of individuals in same-sex marriages.  This decision did not resolve the status of such rights under state law.  Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other States.

Effects of the Decisions

In light of the Windsor and Obergefell decisions, this guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule.  This guidance also updates and expands on related guidance issued in September 2014.

Marriage, Spouse & Family Member

The definition of family member in the Privacy Rule at 45 CFR 160.103 includes the terms spouse and marriage.  The term marriage includes all lawful marriages.  A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction if a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction.  The term spouse includes all individuals who are in lawful marriages without regard to the sex of the individuals.  The term family member includes lawful spouses and dependents of all lawful marriages.  In addition, the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.

The term family member is relevant to the application of § 164.510(b) regarding permitted uses and disclosures of PHI related to another person's involvement in an individual's care, and for making notifications about the individual's location, general condition, or death.  In addition, under certain circumstances, HIPAA permits covered entities to share an individual's protected health information with a family member of the individual.  Legally married spouses are family members for the purposes of applying this provision.

Disaster Relief

Covered entities may use or disclose PHI to disaster relief agencies to notify family members or other caregivers of the patient's condition or location.

Providers and business associates may provide PHI during an emergency to another party so the second party may manage health information and share it to provide health care to people affected by emergency disasters.

The Privacy Rule allows covered entities to disclose necessary PHI without the individual's authorization to a public health authority for the purpose of preventing or controlling disease, injury or disability.

The OCR has previously stated it will not seek penalties for violations of business associate provisions under emergency situations.

The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014 on "HIPAA Privacy in Emergency Situations."  The purpose of the bulletin was to assure that covered entities and their business associates know how protected health information may be shared during an emergency, and that the privacy protections continue during emergencies.  The OCR issued the bulletin in part due to the recent Ebola outbreak.  Read the OCR bulletin here.

The outbreak led many healthcare organizations to voice their concern regarding how best to keep their staff members safe.  In addition, there was much discussion about how to remain HIPAA compliant and not inappropriately disclose patients' protected health information (PHI).  Since then, other public catastrophes such as hurricanes and extensive flooding have also created significant concern.  Organizations want to know how to serve their communities' healthcare needs and stay in compliance with the HIPAA rule.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has previously outlined how healthcare organizations can still follow HIPAA.  OCR gave guidelines on treating patients in the midst of a public crisis while ensuring that appropriate uses and disclosures of health information are made.  This allows organizations to treat patients, protect the nation's public health and perform other critical functions.

The OCR stated, "The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission."

5. Public Interest and Benefit Activities

The Privacy Rule allows the use and disclosure of PHI without authorization, and without providing an opportunity to agree or object, for 12 national priority purposes.  These disclosures are permitted, though not required, by the Rule because of the important uses made of health information.

Required by Law

Covered entities may use and disclose protected health information without individual authorization as required by law (this includes statute, regulation or court orders).

Public Health Activities

There are several circumstances requiring release of PHI without the need for authorization or opt-out opportunities:

  • Public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; 
  • Entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance;
  • Individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and 
  • Employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace-related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law.

Abuse, Neglect or Domestic Violence

PHI concerning victims of abuse, neglect or domestic violence may be disclosed to a government authority, including social service or protective service agencies authorized to receive such reports.  In these cases the disclosure must be required by law and limited to what the law allows.

OCR allows disclosure of information if there is imminent danger to the patient.  In addition, you may share if the information will lessen serious or imminent threat to the health and safety of the patient.

The covered entity does not have to inform the personal representative of the disclosure if that representative is the person responsible for the abuse, neglect or injury.

Health Oversight Activities

Covered entities may disclose PHI to a health oversight agency for such activities as audits; civil, administrative or criminal investigations or proceedings; inspections; licensure or disciplinary actions; or other activities necessary to the oversight of the following:

  • Audits
  • Investigations necessary for oversight of the health care system
  • Government benefit programs

Judicial and Administrative Proceedings

According to the HIPAA regulations, covered entities may disclose PHI in the course of certain judicial or administrative proceedings such as a response to a court or administrative tribunal order provided the covered entity discloses only the PHI authorized by the order.

PHI can be disclosed in response to a subpoena, discovery or other lawful process that is not accompanied by a court order if the party seeking the PHI has made reasonable efforts to notify the individual of the request, if the time for the individual to object has elapsed and if reasonable efforts have been made to secure a protective order.


Law Enforcement

The Privacy Rule allows a covered entity to disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, subject to specified conditions:

  • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
  • To identify or locate a suspect, fugitive, material witness, or missing person; 
  • To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death;
  • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and 
  • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

A covered entity may disclose PHI in response to a law enforcement official's request to identify or locate a fugitive, material witness, suspect or missing person.

This must be limited to the following information:

  • Name and address
  • Date and birthplace
  • Social security number
  • Type of injury
  • ABO blood type and Rh factor
  • Date and time of treatment
  • Description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color

Disclosures to Law Enforcement

Sometimes it is hard to determine under what circumstances PHI disclosure to law enforcement is permissible. For example, HIPAA permits disclosures to law enforcement in certain situations. It is reasonable to disclose if a signed authorization from the patient or their legal representative exists.


When to Respond

PHI may be disclosed as required by law, including laws that require the reporting of certain types of wounds or other physical injuries, except for laws that require special reporting to special agencies.

This may be necessary to respond to subpoenas, court orders, court-ordered warrants, or a summons issued by a judicial officer, grand jury or administrative request, provided that the information sought is relevant and material, the request is reasonably specific and limited in scope, and de-identified information could not reasonably be used.

In addition, this may be necessary to investigate a crime, to locate a missing person and to prevent serious threats to public health and safety.  State law requires reporting for reports of child and adult abuse and neglect, and to report certain injury and disease.

State Law

Besides considering the federal HIPAA law, review state law because it may be more protective than HIPAA. If that is the case the entity must follow state law. It is important for your organization to know what the permissible disclosures to law enforcement are.


Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

Cadaveric Organ, Eye, or Tissue Donation

Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.


The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual's authorization, provided the covered entity obtains either:

  • Documentation that an alteration or waiver of individuals' authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board;
  • Representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or 
  • Representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.

Serious Threat to Health or Safety

Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

In any emergency covered entities must continue to use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. In summary it is important for any covered entity to review and follow HIPAA Privacy in emergency situations.  This will allow them to continue to protect PHI even in a catastrophic situation.

Essential Government Functions

An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.

Workers' Compensation

Covered entities may disclose protected health information as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses.

HIPAA Associates – Ready to Help

We can help you get a clear picture of the HIPAA requirements. Call us to get started.