When and what information can a covered entity use or disclose PHI without a patient's authorization?

Health IT Adoption Toolbox

When and what information can a covered entity use or disclose PHI without a patient's authorization?

A covered entity, such as a health care provider may not use or disclose PHI without an individual's written authorization, except if permitted or required by the Privacy Rule. There are a few instances in which a covered entity can use or disclose an individual's PHI without obtaining authorization.

Permitted

To the Individual (unless required for access or accounting of disclosures);
Treatment, Payment, and Health Care Operations;
Opportunity to Agree or Object;
Incident to an otherwise permitted use and disclosure;
Public Interest and Benefit Activities; and
Limited Dataset for the purposes of research, public health or health care operations.

Required

To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and
To HHS when it is undertaking a compliance investigation or review or enforcement action.

Resources:
Summary of the HIPAA Privacy Rule: Authorized Uses and Disclosures - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.

About

Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care. More>

Stay Informed

Comments?
E-mail the HealthIT e-mail box: healthit@hrsa.gov