HIPAA Privacy Rule: Understanding Permitted Use & Disclosure of PHI

The HIPAA Privacy Rule lays special emphasis on clearly defining the circumstances under which an individual’s Protected Health Information (PHI) can be used or disclosed by a covered entity. In fact, this is often regarded as the core function of the Rule. It is also the most argued and misunderstood part of the Rule, since many healthcare providers struggle to understand the stipulations that the HIPAA Privacy Rule lays down.

To make this simpler, it is best to begin by listing the requirement and the exceptions under which a covered entity can disclose Protected Health Information.

The Requirement Includes:

The covered entity has to disclose PHI to the HHS when the HHS is undertaking, or supporting within its jurisdiction, a legal investigation, compliance review or enforcement action.

The Exceptions Include:

• Certain special provisions when the HIPAA Privacy Rule itself either permits or requires the sharing of PHI
• Either the individual whose information is in question or his legal personal representative authorizes the disclosure in writing

Permitted Use/Disclosure of Protected Health Information (Without Authorization)

A covered entity is permitted but not compelled to use or share PHI without the concerned individual’s or his legal representative’s authorization for:

1. Sharing information with the individual — this seems an obvious and simple provision, but it does not cover cases where the individual is exercising the right of access or requesting an accounting of PHI-related disclosures, which fall under separate provisions.

2. Special Circumstances when Disclosure of PHI without Individual Consent is Permissible

Emergencies — there is a provision wherein informal permission can be sought from the individual by simply asking him whether he is willing to have his personal information shared. This permits the covered entity to use the PHI accordingly.

Sometimes such approval is inferred because circumstances arise that clearly do not allow the individual to state his preferences about the disclosure of his personal information. The most common example is a medical emergency, where the covered entity has to make decisions without knowing the preferences of the individual, since waiting to ask could compromise the individual’s immediate well-being. In these cases, disclosures made by the covered entity are permitted if it can be clearly shown that they were made in the individual’s interest.

Facility Directories — nearly every healthcare facility, including hospitals and private clinics, maintains a directory that records a patient’s contact information. A healthcare practitioner may seek the informal, often verbal, consent of a patient for listing information such as name, phone number, general medical condition, emergency contacts and religious affiliation in this directory. The details listed in the directory are typically what is shared when someone casually enquires about the patient. For example, local clergy often learn which patients share their faith by asking the healthcare facility for this directory information.

Notification and Other Such Purposes — a covered entity is allowed, with the individual’s informal permission, to disclose his personal information to his immediate family, relatives or other persons he has identified. This provision applies when the PHI being shared directly relates to that person’s involvement in the individual’s healthcare or in payment for that care.

One common example of this provision in practice is a pharmacist who is asked to dispense a prescription to a person picking up the medication on behalf of the actual patient. Since the purchase of the medicine, and the related sharing of information between the pharmacist and the informally identified representative of the patient, only serves the immediate or long-term healthcare needs of the individual (the patient), such sharing of PHI is acceptable.

A similar example arises where the covered entity may have to rely on verbal permission to share PHI with the individual’s family members or with friends the individual has named, if the individual shows a risk of harming himself, for example suicidal tendencies.

PHI can also be disclosed for formal notification purposes, where notifications by public or private entities are mandated by law, or in extreme circumstances such as disaster relief efforts.

Medical Treatment, Paying Bills and Healthcare Operations
Incidental Use, Public Benefit and Research