Information can be shared without violating HIPAA when the information disclosed is not protected health information, when the individual has provided a valid HIPAA authorization, or when the disclosure fits within a permitted or required use or disclosure under the HIPAA Privacy Rule and any applicable restrictions are followed.
HIPAA applies to protected health information held by a HIPAA Covered Entity or Business Associate in any form, including oral, paper, and electronic records. Information that does not meet the definition of protected health information, such as properly de-identified information prepared using a HIPAA Privacy Rule method, can be shared because it is not regulated as protected health information. Workforce members still remain subject to employer policies, professional duties, and other privacy laws that may limit disclosure even when HIPAA does not apply.
A HIPAA Covered Entity may use and disclose protected health information without the individual’s authorization for treatment, payment, and health care operations, subject to applicable conditions. Treatment disclosures include coordination and management of care among providers and may involve disclosures to other providers for treatment purposes. Payment disclosures include activities to obtain reimbursement and determine coverage and benefits. Health care operations disclosures include defined administrative and quality activities, including certain quality assessment and improvement activities and fraud and abuse detection, within the limits set by the HIPAA Privacy Rule.
Disclosures to the individual are permitted, and access to records is a required HIPAA Privacy Rule right with defined exceptions and response timeframes. Disclosures to a personal representative are treated as disclosures to the individual when the person has authority under applicable law, subject to the HIPAA Privacy Rule provisions that allow denial of access or refusal to treat a person as a personal representative in defined circumstances.
A HIPAA Covered Entity may share protected health information with family members, friends, and others involved in the individual’s care or payment for care when the individual agrees, has been given an opportunity to object and does not object, or when the provider uses professional judgment to determine that the disclosure is in the individual’s best interests. The shared information must be directly relevant to that person’s involvement. Similar standards apply to sharing information for facility directories when the individual has been informed and has not objected, with added limits for disclosures of religious affiliation.
HIPAA permits disclosures without authorization for multiple public interest and benefit activities, each with specific conditions. These include disclosures required by law, disclosures for public health activities, certain disclosures to oversight agencies, disclosures for judicial and administrative proceedings under specified safeguards, certain disclosures for law enforcement purposes, disclosures to avert a serious and imminent threat to health or safety under defined standards, disclosures for workers’ compensation when authorized by law, and disclosures related to decedents, organ donation, and specialized government functions.
HIPAA also permits sharing protected health information with Business Associates when a compliant business associate agreement is in place and the disclosure supports functions or services performed on behalf of the HIPAA Covered Entity. Business Associates may use and disclose protected health information only as permitted by the agreement and the HIPAA Rules, including the HIPAA Security Rule requirements for electronic protected health information.
The HIPAA Privacy Rule limits many disclosures through the HIPAA Minimum Necessary Rule, which requires limiting protected health information to the minimum necessary to accomplish the intended purpose. The HIPAA Minimum Necessary Rule does not apply to disclosures for treatment, disclosures to the individual, disclosures made under a valid authorization, certain disclosures required by law, and certain disclosures to the U.S. Department of Health and Human Services for compliance and enforcement activities.
Some categories of information require additional controls. Psychotherapy notes have separate authorization requirements with narrow exceptions. Other federal and state laws can impose stricter limits than HIPAA for certain records, including substance use disorder treatment records subject to 42 CFR Part 2 and state privacy statutes governing sensitive information.