U.S. Department of Health and Human Services
Health Information Technology and Quality Improvement

When must a covered entity obtain a patient's authorization to use or disclose PHI?

A covered entity must obtain written authorization from the patient for any use or disclosure that is not permitted or required under the HIPAA Privacy Rule.  However, the Privacy Rule prohibits providers from conditioning treatment or payment upon providing written authorization.  According to the U.S. Department of Health and Human Services, "examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes."

Resources:
Summary of the HIPAA Privacy Rule: Authorized Uses and Disclosures - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003).  This site provides a summary of the HIPAA Privacy Rule.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
About
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.