A receptionist at a New York City dental clinic mentioned a patient's upcoming root canal to the patient's coworker — casually, in a waiting room full of people. That single sentence led to a complaint, an OCR investigation, and a corrective action plan that consumed the practice's resources for two years. One sentence. That's all it takes when your staff doesn't understand the rules around protected health information disclosure.
If you're a compliance officer, practice manager, or clinician at a covered entity, you already know PHI is sensitive. But "knowing" and actually building an organization that prevents unauthorized disclosure are two very different things. This post breaks down exactly what counts as a disclosure, what the law permits, where organizations keep getting burned, and what you can do about it right now.
What Counts as a Protected Health Information Disclosure?
Under the HIPAA Privacy Rule, a disclosure is the release, transfer, provision of access to, or divulging of PHI in any manner to anyone outside the entity holding the information. That includes verbal conversations, faxed records, forwarded emails, screen shares on Zoom, and even a chart left open on a desk where an unauthorized person can read it.
PHI itself covers any individually identifiable health information held or transmitted by a covered entity or its business associates. Names, dates of birth, Social Security numbers, diagnoses, treatment plans, billing records — all of it. If someone can use the data to identify a specific person and it relates to their health, treatment, or payment, it's PHI.
The critical question isn't whether information was disclosed. It's whether the disclosure was permitted or required under 45 CFR § 164.502. If it wasn't, you've got a violation — and potentially a breach.
The Difference Between Use and Disclosure
HHS draws a clear line. A "use" happens within the covered entity — your billing team reviewing a chart, for example. A "disclosure" happens when PHI moves outside the entity. Both are regulated, but unauthorized disclosures trigger breach notification obligations under the HHS Breach Notification Rule, which can escalate fast.
The Six Categories of Permitted Disclosure
The Privacy Rule doesn't lock PHI in a vault. It creates a framework. Here are the circumstances under which protected health information disclosure is permitted without patient authorization:
- To the individual: Patients have a right to their own records.
- Treatment, payment, and health care operations (TPO): The day-to-day engine of care delivery.
- With valid authorization: The patient signs a specific, written authorization form.
- Incidental disclosures: Permitted only if reasonable safeguards are in place.
- Public interest and benefit activities: Think public health reporting, law enforcement with a valid order, or abuse/neglect reports.
- Limited data sets: Research purposes with a data use agreement, stripped of direct identifiers.
Everything outside these categories requires explicit patient authorization. Period. The full regulatory text lives at 45 CFR Part 164, Subpart E.
The $1.5 Million Mistake That Started With a Press Conference
In 2013, Shasta Regional Medical Center in California paid $275,000 to settle with OCR after two senior leaders disclosed a patient's medical information to media outlets. The patient had publicly questioned her hospital bill, and the executives responded by sharing clinical details with journalists. They thought they were defending their institution. OCR saw an impermissible protected health information disclosure — and acted.
More recently, in 2023, Yakima Valley Memorial Hospital settled with OCR for $240,000 after 23 emergency department security guards were found to have accessed patient medical records in ePHI systems without any treatment, payment, or operations justification. That case reinforced a point I keep hammering: unauthorized internal access that leads to disclosure is just as dangerous as an external data breach.
These aren't outliers. OCR's enforcement actions page is full of cases where the root cause was a workforce member who didn't understand — or didn't care — when disclosure is and isn't allowed.
Verbal Disclosures: The Risk Nobody Takes Seriously Enough
In my experience, the most common violations don't involve hackers or ransomware. They involve people talking. A nurse discussing a case in a hospital elevator. A therapist confirming a client's appointment to a family member who calls in. A front-desk staffer reading a diagnosis aloud in a shared space.
Verbal disclosures of PHI are subject to the exact same rules as electronic or paper disclosures. The Privacy Rule makes no exception for spoken words. Yet most organizations spend 90% of their training budget on ePHI security and barely mention what happens when someone opens their mouth.
If this is a gap in your program, our focused module on Verbal Disclosures: Watch What You Say addresses it head-on with real scenarios your staff will recognize.
What Is the Minimum Necessary Standard?
When a disclosure is permitted, you still can't share everything. The minimum necessary standard requires covered entities to limit PHI disclosed to only what's reasonably needed for the purpose. Sending an entire medical record to an insurance company that only asked for a procedure code? That's a violation. The minimum necessary rule applies to all disclosures except those made to the patient, pursuant to an authorization, or required by law.
Mental Health Records Get Extra Protection
If your organization handles behavioral health data, the stakes around protected health information disclosure are even higher. Psychotherapy notes — the personal notes a therapist takes during a session — receive special protection under 45 CFR § 164.508(a)(2). They can't be disclosed for treatment, payment, or operations without a specific patient authorization. That's a stricter standard than virtually any other type of PHI.
Substance use disorder records add another layer: 42 CFR Part 2 imposes federal restrictions that go beyond HIPAA, requiring written patient consent for most disclosures. Recent rule changes have moved toward aligning Part 2 with HIPAA, but the consent requirements remain tighter.
I've seen behavioral health clinics get tripped up because their intake staff applied general HIPAA disclosure rules to psychotherapy notes. The result was a complaint, a corrective action plan, and months of remediation. Our HIPAA Training for Mental & Behavioral Health course was built specifically for these nuances.
Building a Disclosure-Proof Workforce
Compliance isn't a document. It's a culture. And culture gets built through training that's specific, repeated, and scenario-based. Here's what I recommend to every covered entity I work with:
1. Train on Disclosure Scenarios, Not Just Definitions
Your workforce doesn't need to memorize 45 CFR citations. They need to know what to do when a police officer walks in asking for a patient's address, or when a spouse calls demanding lab results. Scenario-based training sticks. Abstract regulatory language doesn't.
2. Audit Access Logs Monthly
If your EHR system tracks who accessed what records — and it should — review those logs. The Yakima Valley case proved that unauthorized access is often hiding in plain sight. Don't wait for OCR to find it.
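What a monthly log review looks like in practice, as an added example that is not from the original post or any EHR vendor: the script below runs over a few constructed audit-log lines and flags every access that lacks a treatment, payment or operations basis. The CSV layout, the role names, the care-team table and the "break_the_glass" override marker are all assumptions made for the demo; a real EHR exports its own audit format, and the care-team relationships would come from the scheduling or assignment system rather than from the log itself.

```python
"""
Flag EHR chart accesses that have no documented TPO justification.

Everything here is constructed for illustration: the log format, the
role names, the care-team table and the override marker are assumptions,
not any real system's schema.
"""
import csv
from collections import Counter
from io import StringIO

# Roles that never have a standing treatment/payment/operations reason to
# open a chart (the Yakima Valley case involved security guards).
NON_CLINICAL_ROLES = {"security", "facilities", "volunteer"}

# Constructed care-team assignments: (user, patient_id) pairs with a
# documented treatment relationship.  Source this from your assignment or
# scheduling system, never from the access log you are auditing.
CARE_TEAM = {
    ("rn_ahmed", "P1001"), ("rn_ahmed", "P1002"),
    ("dr_lee", "P1001"), ("dr_lee", "P1003"),
}

# Back-office roles have an organization-wide TPO basis, but only for the
# actions their job actually requires (minimum necessary in practice).
ROLE_ACTIONS = {
    "billing": {"view_claims", "view_demographics"},
    "him": {"release_of_information", "view_chart"},  # health information mgmt
}

# Constructed sample log; the last column is an emergency-override marker.
SAMPLE_LOG = """timestamp,user,role,patient_id,action,override
2024-03-01T08:02:11,rn_ahmed,nurse,P1001,view_chart,
2024-03-01T08:15:40,dr_lee,physician,P1003,view_chart,
2024-03-01T09:30:05,guard_07,security,P1002,view_chart,
2024-03-01T09:31:12,guard_07,security,P1003,view_chart,
2024-03-01T10:05:00,bill_kim,billing,P1002,view_claims,
2024-03-01T10:06:30,bill_kim,billing,P1002,view_chart,
2024-03-01T11:45:19,dr_lee,physician,P1002,view_chart,break_the_glass
2024-03-01T12:00:02,rn_ahmed,nurse,P1003,view_chart,
"""


def classify(row):
    """Return None when the access has a TPO basis, otherwise a reason string."""
    user, role = row["user"], row["role"]
    pid, action = row["patient_id"], row["action"]
    if role in NON_CLINICAL_ROLES:
        return "role has no TPO basis"
    if role in ROLE_ACTIONS:
        if action in ROLE_ACTIONS[role]:
            return None
        return f"action '{action}' outside role scope"
    # Clinical roles need a documented relationship with the patient.
    if (user, pid) in CARE_TEAM:
        return None
    if row["override"] == "break_the_glass":
        # Permitted in an emergency, but every override gets a human review.
        return "break-the-glass override (verify emergency justification)"
    return "no documented treatment relationship"


def audit(log_text):
    """Return (findings, per_user_counts) for CSV-formatted audit-log text."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reason = classify(row)
        if reason:
            findings.append({**row, "reason": reason})
    # Per-user counts surface the repeat offender, not just single events.
    per_user = Counter(f["user"] for f in findings)
    return findings, per_user


if __name__ == "__main__":
    findings, per_user = audit(SAMPLE_LOG)
    for f in findings:
        print(f"{f['timestamp']} {f['user']:<10} {f['patient_id']} "
              f"{f['action']:<22} {f['reason']}")
    print("\nflagged accesses per user:", dict(per_user))
```

Run as-is it flags five of the eight sample accesses: both security-guard lookups, a billing user opening a full chart when only claims data is in scope, a physician's break-the-glass override that needs a documented emergency, and a nurse viewing a patient she is not assigned to. The per-user tally is what a reviewer reads first; one flagged line can be a data-entry slip, while a user who shows up repeatedly is the pattern OCR found in plain sight.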
3. Post Minimum Necessary Reminders at Every Disclosure Point
Fax machines, release-of-information desks, referral coordinators — anywhere PHI leaves your organization, your staff should see a physical or digital reminder about the minimum necessary standard.
4. Create a Culture Where Reporting Is Safe
Workforce members who witness an impermissible disclosure need to report it without fear of retaliation. HIPAA requires this. More importantly, early detection of a breach can be the difference between a self-reported incident and a six-figure settlement.
What Happens When You Get It Wrong
OCR uses a four-tier penalty structure for HIPAA violations, ranging from $137 per violation (Tier 1, no knowledge) to $68,928 per violation (Tier 4, willful neglect, not corrected), using the 2024 inflation-adjusted amounts. Annual caps can reach $2,067,813 per violation category. These numbers climb fast when a systemic disclosure problem affects hundreds of patients.
Beyond fines, an impermissible disclosure triggers the breach notification process. You'll need to notify affected individuals within 60 days, notify HHS, and — if 500 or more individuals are affected — notify prominent local media. That's not just a compliance headache. It's a reputational crisis.
Your Disclosure Compliance Checklist for 2026
- Map every point where PHI leaves your organization — electronically, on paper, and verbally.
- Verify that every business associate agreement is current and covers disclosure obligations.
- Conduct role-specific workforce training at least annually. Browse our full training catalog for options that fit your team.
- Implement and test your breach notification procedures before you need them.
- Review your Notice of Privacy Practices to ensure it accurately reflects your disclosure practices.
Protected health information disclosure isn't a corner case in HIPAA compliance — it's the center of it. Every patient interaction, every record release, every conversation in a hallway is an opportunity to get it right or trigger a violation. The organizations that avoid enforcement actions aren't the ones with the thickest policy manuals. They're the ones whose people know exactly when PHI can leave the building — and when it can't.