What is the Permitted Use and Disclosure of PHI? 2024 Update

Protected health information, commonly known as PHI, is a central element of patient privacy protected under the Health Insurance Portability and Accountability Act (HIPAA). Misunderstandings and missteps in the disclosure of PHI can lead to serious repercussions, including legal action and loss of patient trust. Navigating the intricacies of when and how PHI can be disclosed is crucial for healthcare entities to comply with regulations and protect individuals' privacy rights.

In this article, we will explore the definition of PHI disclosure, outline the circumstances under which it is permitted, and discuss the importance of safeguarding this sensitive information.

What Is PHI Disclosure?

Protected Health Information (PHI) disclosure occurs when PHI is released, transferred, or otherwise made accessible to any party outside the covered entity that holds it. Under HIPAA (the Health Insurance Portability and Accountability Act), PHI is individually identifiable health information, in any form or medium, that a covered entity or its business associate creates or receives and that relates to an individual's past, present, or future physical or mental health, the provision of health care to that individual, or payment for that care.

HIPAA Regulations allow the usage and disclosure of PHI under certain conditions.

The release of PHI may be necessary for the following purposes:

  • Patient care
  • Payment processing
  • Health care operations

Mandatory PHI Disclosures:

  1. To the individual: When an individual (or their personal representative) requests access to their own information or an accounting of disclosures.
  2. To HHS: When the Department of Health and Human Services requests PHI to investigate or determine compliance with the Privacy Rule.

These are the only two disclosures the Privacy Rule itself requires. Disclosures that are "required by law", for example reporting certain diseases to public health authorities, are permitted by the Privacy Rule; the obligation to make them comes from the other law.

Permitted, But Not Required, PHI Disclosures:

  • To public health authorities authorized to collect information for the purpose of preventing or controlling disease, injury, or disability.
  • To entities in cases of medical emergencies.
  • To health oversight agencies for activities authorized by the law.
  • In connection with judicial and administrative proceedings.

Entities must adhere to the “minimum necessary” standard, where they must make reasonable efforts to ensure that any PHI disclosure is limited to the minimum necessary to accomplish the intended purpose.

PHI disclosure also involves situations where the information is shared within an entity from the healthcare component to non-healthcare components in a hybrid entity. The protection of PHI is a central aspect of HIPAA, ensuring that sensitive information is shared responsibly and securely to maintain individuals' privacy.

18 PHI Identifiers

Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA) to ensure that individual privacy is maintained while handling medical information. The Privacy Rule's "Safe Harbor" de-identification method lists 18 identifiers defined by the Department of Health and Human Services (HHS). If all 18 are removed for the individual and for the individual's relatives, employers, and household members, and the covered entity has no actual knowledge that the remaining information could identify the individual, the information is de-identified and no longer subject to HIPAA restrictions. (The alternative, Expert Determination, relies on a qualified expert's documented finding that the risk of re-identification is very small.)

These identifiers encompass a range of personal details:

  1. Names.
  2. Geographic Identifiers: All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes. The initial three digits of a ZIP code may be kept if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; for units of 20,000 or fewer people, the three digits are changed to 000.
  3. Dates: All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and any date elements (including year) indicative of such an age, except that these may be aggregated into a single category of age 90 or older.
  4. Telephone Numbers.
  5. Fax Numbers.
  6. Email Addresses.
  7. Social Security Numbers.
  8. Medical Record Numbers.
  9. Health Plan Beneficiary Numbers.
  10. Account Numbers.
  11. Certificate/License Numbers.
  12. Vehicle Identifiers and Serial Numbers: Including license plate numbers.
  13. Device Identifiers and Serial Numbers.
  14. Web Uniform Resource Locators (URLs).
  15. Internet Protocol (IP) Addresses.
  16. Biometric Identifiers: Including finger and voice prints.
  17. Full-Face Photographic Images: And any comparable images.
  18. Any Other Unique Identifying Number, Characteristic, or Code: Except a re-identification code assigned by the covered entity, provided the code is not derived from information about the individual and the re-identification method is not disclosed.

It is essential to handle these identifiers with the utmost protection to ensure individuals' privacy and comply with federal regulations. When PHI is stripped of these 18 identifiers (and the covered entity has no actual knowledge that the remainder could identify the individual), the information may be used for research, public health purposes, or healthcare operations without further protection under the HIPAA Privacy Rule. In practice, free-text fields such as clinical notes are where residual identifiers most often survive, so de-identification should include a scan of unstructured text, not only the removal of structured fields.
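The Safe Harbor rules above are mechanical enough to automate. The following is an added example, not code from the original article or from HHS: it de-identifies a flat patient record by dropping the direct identifiers, reducing dates to the year, aggregating ages over 89 (including the birth year that would reveal such an age) into "90+", truncating ZIP codes to three digits or "000" under the 20,000-person rule, and then scanning any free text for residual identifiers. The field names, the sample record and the per-prefix population table are constructed for illustration; a real deployment would load the Census-derived population figures that HHS guidance refers to.

```python
"""Safe Harbor (45 CFR 164.514(b)(2)) de-identification of a flat record.

Added example. Field names, population figures and the sample record are
constructed assumptions, not values from the article or from HHS.
"""
import re
from datetime import date

# Identifiers 1 and 4-17: removed outright. Keys are assumed field names.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Identifier 3: dates reduced to the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# CONSTRUCTED population per 3-digit ZIP prefix (the real table comes
# from Census data). Prefixes with <= 20,000 people must become "000".
ZIP3_POPULATION = {"021": 250000, "036": 12000, "059": 18000}

# Patterns for identifiers that commonly survive inside free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def zip_safe_harbor(zip_code, population=ZIP3_POPULATION):
    """Identifier 2: keep the 3-digit prefix only if its area > 20,000 people."""
    m = re.fullmatch(r"(\d{3})\d{2}(-\d{4})?", zip_code.strip())
    if not m:
        return "000"  # malformed or unknown format: suppress entirely
    zip3 = m.group(1)
    return zip3 if population.get(zip3, 0) > 20000 else "000"


def age_from_dob(dob, as_of):
    """Completed years between two dates."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def find_residual_identifiers(text):
    """Labels of identifier patterns still present in free text."""
    return [label for label, rx in RESIDUAL_PATTERNS.items() if rx.search(text)]


def deidentify(record, as_of=date(2024, 1, 1)):
    """Return a new dict with Safe Harbor applied to ``record``."""
    over_89 = False
    if "dob" in record:
        over_89 = age_from_dob(date.fromisoformat(record["dob"]), as_of) > 89
    if record.get("age", 0) > 89:
        over_89 = True

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue  # even the birth year would reveal an age over 89
            out[key] = value[:4]  # ISO date -> year only
        elif key == "zip":
            out[key] = zip_safe_harbor(value)
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value
    if over_89:
        out["age"] = "90+"  # single aggregated category
    return out


# Constructed sample record for demonstration.
SAMPLE = {
    "name": "Jane Example",
    "dob": "1932-05-17",
    "admission_date": "2023-11-02",
    "zip": "03601",
    "email": "jane@example.com",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient can be reached at 603-555-0142.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE)
    print(cleaned)
    # The structured fields are now Safe Harbor compliant, but the free
    # text still carries a phone number, so this record is NOT de-identified.
    print("residual identifiers in notes:", find_residual_identifiers(cleaned["notes"]))
```

The point the last two lines make is the one practitioners most often miss: the 18-identifier list is applied to the whole record, and a clean set of structured columns says nothing about what a clinician typed into a notes field.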

Why Is PHI Disclosure Important for Covered Entities and Organizations?

Protected Health Information (PHI) disclosure is a critical process for covered entities and their business associates in the healthcare sector. It ensures that PHI is shared in compliance with regulations and in ways that support patient care and the health system's operations.

Care Coordination and Treatment

Covered entities may disclose PHI without authorization for treatment activities. This enables healthcare providers to deliver coordinated care, where multiple parties may be involved in a patient's treatment. For example, a primary care physician might need to share PHI with a specialist to ensure the specialist has the necessary background information to proceed with care.

Healthcare Operations

Disclosures support core functions such as quality assessment and improvement, training programs, accreditation, certification, and licensure activities. Hospitals and health systems rely on the ability to use and disclose PHI for these operational needs, making it crucial for maintaining standards of care and healthcare delivery.

Public Health and Safety

PHI disclosures can serve broader public health needs. Covered entities are permitted to disclose PHI to public health authorities authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability. Such disclosures can aid in national health emergencies or in reporting adverse events and product defects.

Legal and Regulatory Compliance

Organizations disclose PHI to comply with laws and legal proceedings. This may include responding to court orders or legal investigations. Clear parameters for such disclosures help entities remain compliant while respecting patient privacy.

Individual Rights

Patients have rights outlined by regulations like HIPAA, including the right to access their PHI. Covered entities must balance the disclosure of PHI in response to patients' requests with safeguarding the information from unauthorized access.

When Can PHI Be Disclosed?

Protected Health Information (PHI) is subject to strict disclosure guidelines under the Health Insurance Portability and Accountability Act (HIPAA).

This section explains the circumstances under which PHI may be disclosed without violating patient privacy.

Disclosure of PHI: What Is Permitted?

Under HIPAA, the use and disclosure of PHI are permissible if they fall within one of the three primary categories:

  1. Treatment: PHI can be shared among healthcare providers for the treatment activities of a provider, whether treating the individual or, where relevant (for example, family medical history), another individual.
  2. Payment: PHI may be disclosed to insurance companies, billing departments, and other entities responsible for processing healthcare payments.
  3. Healthcare Operations: This includes activities such as quality assessments, training programs, accreditation, certification, licensing, or credentialing activities.

In addition, PHI may be disclosed in response to certain legal processes or as required by law, and when necessary to avert a serious threat to the health and safety of a person or the public.

Requirements for the Disclosure of PHI

The HIPAA Privacy Rule requires covered entities to make reasonable efforts to ensure that only the minimum PHI necessary to fulfill the purpose of the request is used or disclosed. Additionally, disclosures are:

  • Restricted to what is necessary for the recipient to carry out the intended purpose.
  • Expected to comply with any conditions for disclosure as defined by the Privacy Rule or other related regulations.

The minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made pursuant to the individual's authorization, disclosures required by law, or disclosures to HHS for compliance purposes.

Before any PHI is shared, covered entities must consider their professional judgment and whether the disclosure aligns with privacy rights and best practices.

Which Situation Would Require a Written Authorization from a Patient to Disclose the PHI?

A written authorization from the patient is necessary for uses and disclosures that are not otherwise permitted or required by the Privacy Rule. Three categories require authorization even when they might otherwise resemble treatment, payment, or healthcare operations:

  • Disclosures for marketing purposes.
  • Sales of PHI.
  • Most sharing of psychotherapy notes.

In addition, sharing information with individuals or services not directly involved in the individual's care or payment, like disclosing health information to an employer, often requires express authorization from the patient.

What Is the Difference Between Use and Disclosure of PHI?

Protected Health Information (PHI) is any individually identifiable health information, in any form or medium (not only the medical record), that was created or received in the course of providing or paying for a health care service, such as a diagnosis or treatment.

The Health Insurance Portability and Accountability Act (HIPAA) differentiates between the use and disclosure of PHI:

  • Use of PHI refers to the sharing, employment, application, examination, or analysis of PHI within the entity that holds it, such as a hospital, health plan, or healthcare clearinghouse. Examples include nurses accessing patient records to provide care or a billing department handling medical data for claims processing.

  • Disclosure of PHI involves releasing, transferring, or providing access to information outside the entity holding it. Disclosure occurs when a health care provider shares patient information with another health care provider for a referral, when PHI is released to an insurance company for billing, or when PHI is passed to a business associate (which is permitted, but only under a business associate agreement).

Strict penalties can apply for unauthorized use or disclosure of PHI. As such, it's crucial for healthcare providers and their associates to understand and adhere to HIPAA's provisions regarding the use and disclosure of PHI to protect patient privacy.

5 Examples of Ways in Which PHI Can Be Disclosed

Protected Health Information (PHI) refers to any information about health status, healthcare services, or payment for healthcare that can be linked to an individual. Under HIPAA, PHI can be used and disclosed for specific purposes without the patient’s authorization in some circumstances.

1. Treatment

Healthcare providers may share PHI with each other to coordinate a patient's care. This includes consultations, referrals, and prescriptions.

2. Payment

Health insurers and billing departments use PHI to handle claims, reimbursement, and pre-approval of services.

3. Health Operations

PHI is utilized for essential healthcare operations, such as quality assessment and improvement activities (including outcomes evaluation, provided that obtaining generalizable knowledge is not the primary purpose), accreditation, and certification.

4. Public Interest and Benefit Activities

  • Public Health Activities: Instances include reporting diseases, participating in disease prevention programs, or alerting a person who may have been exposed to a communicable disease.
  • Health Oversight: Agencies overseeing the healthcare system, government benefits programs, and compliance with civil rights laws can access PHI.
  • Judicial and Legal Proceedings: Courts or administrative bodies may require PHI disclosures.

5. Specialized Government Functions

  • Military and Veterans: Military command authorities receive necessary PHI for armed forces personnel.
  • National Security: PHI can be disclosed to authorized federal officials for national security reasons.

These disclosures are generally subject to the Minimum Necessary Standard, meaning only the information required to accomplish the intended purpose is shared.

Key Takeaways About the Use and Disclosure of PHI

Protected Health Information (PHI) refers to any health information that can be tied to an individual, and is regulated under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA mandates how and when PHI may be used or disclosed, ensuring the privacy and security of an individual's medical details.

Entities are encouraged to provide transparent communication about their use of PHI to maintain trust and compliance with federal regulations.


What Are Some Examples Where PHI Can Be Used and Disclosed Without a Patient’s Authorization?

Entities may use or disclose PHI without the patient's authorization in several circumstances critical to the healthcare system's functioning. Examples include:

  • Emergency situations where the patient is incapacitated and information must be shared with those involved in their care
  • Reporting PHI to public health authorities for preventing or controlling disease
  • Healthcare oversight activities like audits or investigations
  • Judicial or administrative proceedings in response to a lawful court order

Each of these uses or disclosures is subject to strict regulatory conditions to ensure the utmost confidentiality and minimum necessary usage.

Can You Disclose PHI for Payment Purposes?

Yes, entities can disclose PHI for payment purposes without patient authorization. Payment operations include activities such as:

  • Determining insurance eligibility and coverage
  • Billing and reimbursement of healthcare
  • Claims management
  • Medical necessity determinations
  • Utilization reviews

These disclosures are limited to the minimum information necessary to accomplish the payment purpose.

What Is an Impermissible Disclosure of PHI?

An impermissible disclosure of PHI refers to any release of patient information that violates the rules set by the Health Insurance Portability and Accountability Act (HIPAA). Instances of impermissible disclosures include, but are not limited to:

  • Sharing PHI with unauthorized parties
  • Unintentional exposure of patient records
  • Loss or theft of unencrypted electronic PHI

Such incidents are presumed to be breaches unless a documented risk assessment shows a low probability that the PHI was compromised. Reportable breaches must be notified to the affected individuals and to the Department of Health & Human Services (HHS), and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected, with potential legal and financial repercussions for the violating entity. Electronic PHI that was encrypted in line with HHS guidance is considered "secured", so its loss or theft is not a reportable breach; this is why encryption at rest on laptops and portable media is the single most effective control against this category of incident.
