A hospital administrator once told me she thought there were only three reasons you could share patient data: treatment, payment, and "when the lawyers say so." She wasn't far off — but that oversimplification had already cost her organization a corrective action plan with OCR. If you've ever searched how many HIPAA defined permissions exist, you're asking exactly the right question. And the answer is more nuanced than most compliance officers realize.

Let me walk you through the full landscape of HIPAA-authorized uses and disclosures — the specific permissions baked into the Privacy Rule that determine when your organization can and cannot share protected health information (PHI).

How Many HIPAA Defined Permissions Exist Under the Privacy Rule?

HIPAA's Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes two broad categories of permissions for using and disclosing PHI. Within those categories, the regulation defines 12 distinct national priority purposes for which a covered entity may use or disclose PHI without individual authorization, plus additional permissions that require written authorization from the patient.

Here's how it breaks down. First, there are uses and disclosures that require no authorization from the individual. Second, there are uses and disclosures that require the individual's written authorization. And woven throughout are situations where the individual must be given an opportunity to agree or object — like facility directories and notifications to family members.

So the direct answer: HIPAA defines two required disclosures, six permitted uses and disclosures that don't need authorization (including treatment, payment, and health care operations), 12 national priority purposes, and a category of authorization-required uses. That's over 20 distinct permission pathways once you count each national priority purpose individually.

The Two Disclosures HIPAA Actually Requires

Most people don't realize HIPAA mandates disclosure in only two situations. First, when the individual (or their personal representative) requests access to their own PHI. Second, when HHS conducts a compliance investigation or enforcement action.

That's it. Every other permission in the Privacy Rule is either permitted or authorized — not required. This distinction matters. I've seen covered entities refuse to hand over records to patients because they thought disclosure was "optional." That's a violation. The University of California, Los Angeles Health System paid $865,500 in 2011 in part because of failures related to improper access controls and celebrity PHI snooping — a reminder that how you handle permissions has financial consequences.

Treatment, Payment, and Operations: The Permissions Everyone Knows

The three most commonly invoked HIPAA permissions — treatment, payment, and health care operations (TPO) — don't require patient authorization. Your staff uses these every single day without thinking about it.

Treatment

A physician sharing lab results with a specialist. A nurse accessing the EHR to administer medication. These are treatment disclosures, and they're permitted without authorization under 45 CFR § 164.506.

Payment

Submitting a claim to a health plan, verifying insurance eligibility, or sending a bill to the patient — all payment-related uses of PHI that fall under this permission.

Health Care Operations

Quality assessment, workforce training, compliance audits, business planning — these internal activities qualify as health care operations. It's the broadest of the three TPO categories, and the one most often misapplied. I've reviewed compliance programs where marketing activities were incorrectly categorized as "operations." That's the kind of mistake that triggers OCR scrutiny.

The 12 National Priority Purposes You Need to Know

Beyond TPO, HIPAA permits disclosures without authorization for 12 specific national priority purposes. These are outlined in 45 CFR § 164.512, and each one has its own conditions and limitations.

  • Required by law — when a statute, regulation, or court order compels disclosure.
  • Public health activities — reporting communicable diseases, tracking FDA-regulated products, workplace surveillance.
  • Victims of abuse, neglect, or domestic violence — reporting to authorized government agencies.
  • Health oversight activities — audits, inspections, licensure actions by agencies like CMS or state health departments.
  • Judicial and administrative proceedings — in response to a court order or qualified subpoena.
  • Law enforcement purposes — limited circumstances like identifying suspects, reporting crimes on premises, or responding to a warrant.
  • Decedents — disclosures to coroners, medical examiners, and funeral directors.
  • Cadaveric organ, eye, or tissue donation — facilitating transplantation.
  • Research — with IRB or privacy board approval, or using de-identified or limited data sets.
  • Serious threat to health or safety — disclosures to prevent or lessen an imminent threat.
  • Essential government functions — military, veterans' activities, national security, intelligence.
  • Workers' compensation — as authorized by state workers' comp laws.

Each of these comes with guardrails. The "minimum necessary" standard applies to most of them. Your workforce needs to understand not just that these permissions exist, but how to apply them correctly in daily operations. That's where structured HIPAA workforce training becomes essential.

Authorization-Required Permissions: Where Most Violations Happen

Certain uses and disclosures require the individual's written authorization before you can proceed. The Privacy Rule specifically calls out four categories:

  • Marketing — unless it's a face-to-face communication or a promotional gift of nominal value.
  • Sale of PHI — any disclosure where the covered entity receives remuneration.
  • Psychotherapy notes — these get heightened protection beyond standard medical records.
  • Any use not otherwise permitted by the rule — the catch-all.

Authorizations must include specific elements: a description of the PHI, who's disclosing it, who's receiving it, the purpose, an expiration date, and the individual's signature. Miss one element and the authorization is defective. A defective authorization means the disclosure is unauthorized — which means you have a potential breach on your hands.

The $5.55 Million Lesson From Memorial Healthcare System

In 2017, Memorial Healthcare System in Florida paid $5.55 million to settle HIPAA violations with OCR. The core issue? Employees and affiliated physicians had been accessing ePHI of over 115,000 individuals without proper authorization. The organization failed to review access logs, failed to implement access controls, and failed to terminate permissions for former workforce members.

This case underscores a critical point: knowing how many HIPAA defined permissions exist is only half the battle. You also need systems that enforce those permissions — role-based access, audit controls, workforce training, and timely termination procedures. If your organization doesn't have a comprehensive HIPAA training program, you're running blind.

Opportunity to Agree or Object: The Overlooked Middle Ground

Between "no authorization needed" and "written authorization required" sits a middle category that confuses even experienced compliance officers. Under 45 CFR § 164.510, covered entities may disclose limited PHI for facility directories and to persons involved in the individual's care — but only if the individual is given an opportunity to agree or object.

In emergency situations where the individual is incapacitated, you can use professional judgment to determine whether the disclosure is in the patient's best interest. This is one of the most commonly mishandled permissions in hospital settings. Staff need clear guidance, and that guidance needs to be refreshed regularly through scenario-based training.

Why Your Staff Needs to Know the Full Permission Framework

Here's what I see over and over in breach investigations: the violation didn't happen because someone acted maliciously. It happened because a well-meaning employee didn't understand the boundaries of HIPAA's permission structure. A front-desk coordinator disclosed PHI to a patient's employer thinking it fell under "health care operations." A billing specialist shared records with a collection agency without a proper business associate agreement.

These aren't edge cases. They're Tuesday.

The OCR breach portal — sometimes called the "Wall of Shame" — is filled with incidents that trace back to workforce members who simply didn't know the rules. Breach notification obligations under 45 CFR §§ 164.400-414 kick in when unsanctioned disclosures occur, and the cost of notification alone can run into hundreds of thousands of dollars for a large covered entity.

Investing in role-specific training through a structured HIPAA training catalog is one of the most cost-effective risk mitigation strategies your organization can deploy.

Putting It All Together

So how many HIPAA defined permissions exist? When you count the two required disclosures, the TPO permissions, the 12 national priority purposes, the authorization-required categories, and the agree-or-object situations, you're looking at over 20 distinct permission pathways governing how PHI moves through your organization.

Every single one has conditions. Every single one has limits. And every single one is a potential tripwire if your workforce doesn't understand them.

The Privacy Rule isn't a locked door. It's a system of doors, each with its own key. Your job as a covered entity is to make sure your people know which keys they hold — and which doors they should never open.