In 2023, OCR settled with a covered entity for $1.3 million after workforce members disclosed protected health information to unauthorized individuals — people who appeared to have a legitimate reason to receive it but did not meet the regulatory threshold. Misjudging when it would be appropriate to release patient information to a requesting party is one of the most frequent compliance failures I encounter in my work with healthcare organizations.
Getting this wrong doesn't just risk OCR enforcement. It erodes patient trust and can expose your organization to state-level penalties, civil lawsuits, and reputational harm that no corrective action plan can fix.
When It Would Be Appropriate to Release Patient Information to Third Parties
The HIPAA Privacy Rule at 45 CFR §164.502 establishes the foundational principle: a covered entity may use or disclose protected health information only as the Privacy Rule specifically permits or requires. Outside of those boundaries, every disclosure requires valid written authorization from the patient.
Understanding the permitted categories is essential for every workforce member who touches PHI. Here are the circumstances where it would be appropriate to release patient information to an external party without patient authorization.
Treatment, Payment, and Health Care Operations (TPO)
Under 45 CFR §164.506, your organization may disclose PHI for treatment purposes — sharing records with a specialist coordinating a patient's care, for example. Payment disclosures include sending claims information to a health plan. Health care operations cover quality assessment, auditing, and compliance activities.
TPO is the broadest permitted disclosure category, but it still requires applying the minimum necessary standard. Your workforce must disclose only the PHI reasonably needed for the stated purpose — not the entire medical record when a billing code summary would suffice.
Disclosures Required by Law
When federal or state law mandates reporting, your covered entity must comply. This includes public health reporting to agencies like the CDC, mandatory reporting of gunshot wounds, and court orders that meet specific criteria under 45 CFR §164.512(e). A subpoena alone — without a court order or satisfactory assurance of patient notice — does not automatically authorize disclosure.
Public Health and Safety Disclosures
The Privacy Rule permits disclosures to public health authorities for disease surveillance, to the FDA regarding adverse events, and to employers for workplace medical surveillance when specific conditions are met. Disclosures to avert a serious and imminent threat to health or safety fall under 45 CFR §164.512(j), but your organization must document the basis for the determination.
Disclosures to Business Associates
It would be appropriate to release patient information to a business associate — but only when a compliant business associate agreement (BAA) is in place under 45 CFR §164.502(e). Cloud hosting providers, billing companies, EHR vendors, and shredding services are common examples. Without a signed BAA, the disclosure becomes a HIPAA violation regardless of the business associate's intentions.
Disclosures for Law Enforcement and Judicial Proceedings
Law enforcement disclosures are permitted under narrowly defined circumstances in 45 CFR §164.512(f): court orders, grand jury subpoenas, administrative requests meeting specific criteria, and limited information to identify suspects or locate fugitives. Your workforce should never hand over records simply because someone presents a badge. Verify the legal basis every time.
Situations That Require Patient Authorization
Outside of permitted disclosures, the Privacy Rule requires a valid authorization under 45 CFR §164.508. Common scenarios that demand written authorization include:
- Releasing psychotherapy notes (with very narrow exceptions)
- Disclosing PHI for marketing purposes
- Selling protected health information
- Sharing records with an employer for employment decisions outside of workplace medical surveillance
- Releasing information to media, even when the patient is a public figure
An authorization must include specific core elements: a description of the information to be disclosed, the recipient, the purpose, an expiration date, and the patient's signature. Missing any element renders the authorization invalid.
The Minimum Necessary Standard Your Workforce Must Apply
Even when disclosure is permitted, the minimum necessary standard under 45 CFR §164.502(b) requires your organization to limit PHI disclosed to only what is needed. The only exception is disclosures for treatment purposes between providers, where the full record may be shared when clinically relevant.
OCR has repeatedly cited minimum necessary violations in enforcement actions. Organizations that default to releasing complete records for payment or operations requests are taking on unnecessary risk.
How Your Notice of Privacy Practices Guides Patient Expectations
Your Notice of Privacy Practices (NPP) must clearly explain to patients how their information may be used and disclosed. Under 45 CFR §164.520, the NPP must describe TPO disclosures, situations requiring authorization, and the patient's rights to request restrictions. When your workforce understands the NPP, they can confidently explain to patients and requestors why a disclosure is or isn't permitted.
Common Disclosure Mistakes That Trigger OCR Enforcement
In my experience, these are the disclosure errors that most frequently lead to complaints, breach investigations, and HIPAA violations:
- Verbal disclosures to family members without verifying the patient's preferences or capacity
- Faxing or mailing records to the wrong recipient due to lack of verification procedures
- Disclosing to attorneys based on a subpoena without confirming it meets Privacy Rule requirements
- Sharing PHI with other covered entities for purposes that don't qualify under TPO
- Releasing information to law enforcement without documenting the legal basis
Each of these scenarios is preventable with proper workforce training and clearly documented policies.
Build Disclosure Competence Across Your Entire Workforce
A robust risk analysis will reveal where your organization's disclosure practices are vulnerable. But analysis without training is incomplete. Every workforce member — from front desk staff to clinicians to IT administrators — must understand when it would be appropriate to release patient information to a third party and when to stop and escalate.
Comprehensive HIPAA training and certification programs build this competence systematically, covering permitted disclosures, authorization requirements, and the minimum necessary standard with scenario-based learning that sticks.
If your organization hasn't refreshed its disclosure training recently, now is the time. HIPAA Certify's workforce compliance platform helps covered entities and business associates ensure every team member can make confident, compliant disclosure decisions — before OCR comes asking questions.
The margin for error on PHI disclosures is razor thin. Know the rules. Train your people. Document everything.