Skip to Content

A Summary of the Proposed HIPAA Regulations Implementing HITECH
Uses and Disclosures of PHI

Uses and Disclosures of PHI


The Privacy Rule defines and restricts the conditions under which a CE may use or disclose an individual’s PHI. Generally, a CE is prohibited from disclosing PHI except as required or permitted by the Privacy Rule, unless the individual who is the subject of the information provides written authorization for the disclosure.16 A CE must disclose PHI to an individual (or their personal representative) upon specific request for access to their PHI, or to the HHS Secretary when HHS conducts a compliance investigation or enforcement action.17


A covered entity may use and disclose PHI, without an individual’s authorization, for the following purposes: 1) treatment, payment, and health care operations; 2) public interest and benefit activities; 3) incident to an otherwise permitted or required disclosure; 4) in circumstances when an individual has the opportunity to informally agree or object to disclosure of PHI or in emergency situations when the individual is incapacitated; and 5) in the form of an LDS, for the purposes of research, public health, or health care operations.18   In addition, a covered entity may use and disclose PHI pursuant to an individual’s (who is the subject of the information) request or when authorized by the subject individual to disclose.  The most commonly used permissive disclosures are treatment, payment, and health care operations, public interest disclosures, and as authorized by the subject individual. 



  • 16. Id. at § 164.502(a).
  • 17. Id. at § 164.502(a)(2).
  • 18. Id. at § 164.502(a)(1).