A frequent point of confusion in HIPAA is when an organization may share protected health information (PHI) without first getting the patient's written authorization. The Privacy Rule maps this out carefully. Knowing the categories helps staff share information appropriately for care while respecting privacy.
Disclosures to the individual
A covered entity is required to disclose PHI to the individual (or their personal representative) when they request access to their own records. This is one of the few mandatory disclosures and underpins the patient right of access.
Treatment, payment, and health care operations
The most common category is TPO. Covered entities may use and disclose PHI without authorization for:
- Treatment - providing, coordinating, or managing care, including consultations and referrals.
- Payment - obtaining reimbursement, billing, claims management, and eligibility checks.
- Health care operations - quality improvement, training, accreditation, business management, and similar functions.
TPO disclosures keep the health system functioning. Note that the minimum necessary standard applies to uses and disclosures for payment and health care operations, but does not apply to uses or disclosures for treatment.
Disclosures with an opportunity to object
For certain purposes, the rule allows disclosure if the individual is informed and does not object, such as including a patient in a facility directory or sharing relevant information with family members involved in the patient's care. When the patient is incapacitated or it is an emergency, providers may use professional judgment to act in the patient's best interest.
Public-interest and benefit activities
The Privacy Rule permits disclosures, often without authorization and sometimes subject to conditions, for twelve national priority purposes. These include:
| Purpose | Examples |
|---|---|
| Required by law | Court orders, statutes, regulations |
| Public health | Disease reporting, vital statistics |
| Victims of abuse/neglect | Reporting to appropriate authorities |
| Health oversight | Audits, investigations of the health system |
| Judicial/administrative | Subpoenas with required safeguards |
| Law enforcement | Specific, limited circumstances |
| Serious threat to safety | To prevent or lessen a serious, imminent threat |
Uses and disclosures that require authorization
Some activities always require a valid, written authorization from the individual:
- Most uses and disclosures for marketing.
- The sale of PHI.
- Most uses and disclosures of psychotherapy notes.
A valid authorization must contain specific elements, including a description of the information, who may disclose and receive it, an expiration, and the right to revoke.
Putting it into practice
Train staff to recognize which category a request falls into before sharing PHI. Build workflows that apply minimum necessary where required, verify the identity and authority of requesters, and document disclosures that must be accounted for. When a request does not fit a permitted category, the default is to obtain authorization or decline.
Verifying identity and authority
Before disclosing PHI, the Privacy Rule expects covered entities to take reasonable steps to verify the identity of a person requesting it and their authority to receive it, unless the requester's identity or authority is already known. For a public official, this might mean confirming a badge, a written request on agency letterhead, or a court order; for a personal representative, it might mean confirming the legal basis for that status. Verification is easy to overlook under time pressure, yet disclosing to the wrong person, even with good intentions, can constitute an impermissible disclosure. Building simple verification checkpoints into intake and release-of-information workflows reduces this risk.
Personal representatives and minors
The Privacy Rule generally requires a covered entity to treat an individual's personal representative as the individual for purposes of access and disclosure, but it sets limits, including where there are safety concerns such as abuse or neglect. The treatment of minors is particularly nuanced: in many cases a parent is the minor's personal representative, but state law and the specific circumstances, such as care a minor may legally consent to on their own, can change who controls the information. Because these situations turn heavily on state law, organizations should pair the federal rule with applicable Washington requirements and clear internal guidance for staff.