A hospital employee in Texas forwarded a patient's lab results to a family member who called and asked nicely. No written authorization. No identity verification. Just a friendly voice on the phone saying, "I'm her daughter." That single phone call triggered an OCR investigation, a corrective action plan, and months of internal chaos. I've seen this exact scenario play out more times than I can count. The rules around disclosing PHI to other people and organizations are the most misunderstood part of HIPAA — and the most dangerous to get wrong.

This guide breaks down exactly when you can send PHI to third parties, when you absolutely cannot, and the specific safeguards that keep your organization out of OCR's crosshairs.

Here's what your staff needs to understand at a gut level: every single time PHI leaves your organization — whether it goes to a family member, another provider, a vendor, a lawyer, or a government agency — there must be a specific legal basis under HIPAA that permits that disclosure.

The Privacy Rule at 45 CFR Part 164, Subpart E spells out the permitted and required disclosures. They fall into a few categories:

  • Treatment, Payment, and Health Care Operations (TPO): You can share PHI to other covered entities for these purposes without patient authorization in most cases.
  • With valid written authorization: The patient signs a specific authorization form meeting all HIPAA requirements.
  • Required by law: Court orders, subpoenas with proper safeguards, public health reporting, and certain law enforcement requests.
  • Permitted exceptions: These include disclosures to avert serious threats, for workers' compensation, to coroners, and a handful of other narrowly defined scenarios.

Outside of these categories, disclosing PHI to anyone is a violation. Period.

Sending PHI To Other Providers: Simpler Than You Think

One of the most common questions I hear: "Do I need a Business Associate Agreement to send records to another doctor?" The answer is no — not when you're sending PHI to another covered entity for treatment purposes.

Provider-to-provider disclosures for treatment don't even require patient authorization under the Privacy Rule. If your patient's cardiologist needs the echocardiogram results from your facility, you can send them. You should still verify the identity of the requesting provider and use the minimum necessary standard when the disclosure isn't for treatment, but the treatment exception is broad and practical.

Where people get tripped up is confusing treatment disclosures with other types. Sending records to a life insurance company? That's not treatment. Sending records to a patient's employer? Not treatment. Those require written authorization from the patient.

PHI To Business Associates: The BAA Is Non-Negotiable

When you send PHI to a vendor — an IT company, a billing service, a cloud storage provider, a shredding company — that entity is a business associate. You need a signed Business Associate Agreement before any PHI changes hands.

OCR has made this painfully clear through enforcement. In 2018, Advanced Care Hospitalists paid a $500,000 settlement after a billing company received PHI without a proper BAA in place. The billing company posted patient data on its website. Advanced Care Hospitalists learned the hard way that handing PHI to a vendor without a BAA doesn't just create a compliance gap — it creates liability.

Details on this and other enforcement actions are available on the HHS Resolution Agreements page.

What the BAA Must Include

A valid BAA isn't a generic confidentiality clause buried in a service contract. It must describe the permitted uses and disclosures of PHI, require the business associate to implement safeguards, mandate breach notification back to you, and ensure subcontractors are held to the same standards. If your BAA doesn't cover all of these elements, it's not compliant.

PHI To Family Members: The Judgment Call That Gets People Fired

This is the scenario from my opening example, and it's the one I spend the most time on during workforce training sessions. The Privacy Rule does allow disclosures to family members and personal representatives — but only under specific conditions.

If the patient is present and has the capacity to make decisions, you should give the patient the opportunity to agree or object to the disclosure. This can be informal — a verbal agreement is fine. If the patient is incapacitated or unavailable, a provider can use professional judgment to decide whether the disclosure is in the patient's best interest.

But here's the critical part: you can only share information that is directly relevant to that person's involvement in the patient's care or payment. A patient's spouse calling to ask about a prescription refill? Potentially permissible. That same spouse asking for a full copy of the medical record? That requires a signed authorization or proof they're a personal representative under state law.

When Does a Family Member Become a Personal Representative?

A personal representative has the same rights as the patient under HIPAA. For adults, this typically means someone with healthcare power of attorney or legal guardianship. For minor children, parents generally serve as personal representatives — though state laws create exceptions, especially around reproductive health and substance abuse treatment.

Your staff needs to know: a family relationship alone is not enough. The legal documentation matters.

PHI To Law Enforcement and Government Agencies

Disclosures of PHI to law enforcement are permitted under HIPAA in several circumstances, but they are narrow. You can disclose PHI in response to a court order. You can respond to an administrative subpoena if certain conditions are met. You can report certain types of wounds or injuries as required by state law. You can share limited information to help identify a suspect, fugitive, or missing person.

What you cannot do is hand over a patient's entire medical record because a police officer walks in and asks for it. Without a court order or one of the specific exceptions, that's a violation.

I've seen covered entities get this wrong in both directions — over-disclosing because they're intimidated by law enforcement, or refusing legitimate court orders because they're afraid of HIPAA. Both mistakes carry consequences.

The Minimum Necessary Standard: Your Best Defense

Every time you send PHI to a third party — with the exception of disclosures to the patient themselves or for treatment — you must apply the minimum necessary standard. This means you limit the disclosure to only the PHI that is reasonably necessary for the purpose.

Sending a full medical record to a health plan when they only need a specific claim? That's a minimum necessary violation. Copying an entire chart when a disability form only asks for a diagnosis and dates of service? Same problem.

This standard is where most organizations fail in practice. Staff don't know how to apply it because they've never been trained on it. That's a fixable problem. Investing in comprehensive HIPAA workforce training is the single most effective way to reduce unauthorized disclosures.

What Happens When You Disclose PHI To the Wrong Person?

An impermissible disclosure of PHI is a breach. Under the Breach Notification Rule, you must notify affected individuals, HHS, and potentially the media if the breach affects 500 or more people. The only way to avoid notification is if a four-factor risk assessment demonstrates a low probability that the PHI was compromised.

The penalties are real. OCR can impose civil monetary penalties ranging from $141 per violation (for unknowing violations) up to nearly $2.2 million per violation category per year. Criminal penalties — handled by the Department of Justice — can include fines up to $250,000 and imprisonment for knowing misuse of PHI.

And beyond the federal penalties, you face state attorney general actions, lawsuits, and reputational damage that no settlement check can undo.

A Quick Reference: When Can You Disclose PHI To Third Parties?

If someone in your organization asks, "Can I send this PHI to that person?" — here's the decision framework:

  • Is it for treatment? Generally permitted without authorization.
  • Is it for payment or operations? Permitted, with minimum necessary applied.
  • Is there a signed patient authorization? Permitted as specified in the authorization.
  • Is there a valid BAA? Required before any disclosure to a business associate.
  • Is it required by law? Permitted — but verify the legal basis before disclosing.
  • Does the patient agree? Needed for disclosures to family and friends involved in care.
  • None of the above? Don't disclose. Full stop.

Print this list. Tape it near every fax machine, every shared workstation, every nurses' station. Or better yet, make sure your team has completed role-based HIPAA training that covers these scenarios with real-world examples.

Build a Culture Where People Ask Before They Send

The organizations that avoid breaches aren't the ones with perfect policies. They're the ones where staff feel comfortable pausing and asking, "Am I allowed to send this?" That culture doesn't happen by accident. It comes from leadership that prioritizes training, from privacy officers who are accessible, and from consistent reinforcement that protecting PHI isn't a bureaucratic burden — it's the job.

Every disclosure of PHI to a third party is a decision point. Make sure your people have the knowledge to make the right call. Explore the full HIPAA training catalog to find courses tailored to your organization's specific risks and roles.

Because the next phone call asking for patient information is already coming. The only question is whether your team knows what to do when it rings.