Permitted Uses and Disclosures

A Covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:

  • To the individual - A covered entity may disclose protected information to the individual who is the subject of the information (unless required for access or accounting of disclosures). If the individual requests a copy of their records or an accounting of disclosures, an authorization is required.
  • Treatment, Payment, Health Care Operations - A covered entity may use and disclose protected health information for its own treatment, payment, and health care operation activities. A covered entity also may disclose protected health information for the treatment activities of another health care provider if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See additional guidance on Treatment, Payment, and Health Care Operations.
  • Uses and Disclosures with Opportunity to Agree or Object - Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree or object. Where the individual is incapacitated, in an emergency situation, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or discloser is determined to be in the best interests of the individual.
  • For Notification and Other Purposes - A covered entity may rely on an individuals informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual;s care , of the individuals location, general condition, or death. In addition protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
  • Incidental Use and Disclosures - The Privacy Rule dose not require that every risk of an incidental use or disclosure of private health information be eliminated. A use or disclosure of this information that occurs as a result of, or as "incident to", an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the "minimum necessary" as required by the Privacy Rule.
  • Public Interest and Benefit Activities - The Privacy Rule permits use and disclosure of protected health information without an individual's authorization or permission, for 12 National Priority Purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this inforamtion.
  • Limited Data Set - A limited data set is PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used for research, health care operations, and public health purposes, provided the recipient enters into a  data use agreement promising specified safeguards for the PHI within the limited data set.
For all other uses and disclosures, a written authorization must be obtained.