Skip to Content

Fast Facts: What Activities are "Healthcare Operations" Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule sets a federal floor for the protection of personal health information and generally prohibits covered entities from using or disclosing protected health information (PHI) without the consent of the patient.  However, to allow for the efficient operation of the system as a whole, the Privacy Rule permits covered entities to use and disclose PHI without patient consent for certain core activities: treatment, payment and healthcare operations.  While treatment and payment are fairly self-explanatory, “healthcare operations” can be ambiguous.  To learn more about "healthcare operations," please read our Fast Facts.


Current View