In 2023, OCR settled with a major health plan for $1.3 million after an investigation revealed the plan had used enrollee protected health information for marketing purposes without valid authorization. The case underscored a principle that every payer should already know: under HIPAA payers may not use or disclose PHI beyond what the Privacy Rule explicitly permits. Yet health plans continue to run afoul of these boundaries, often because leadership assumes that being a covered entity automatically grants broad access to member data.

Under HIPAA Payers May Not Use PHI Without Proper Authority

The HIPAA Privacy Rule at 45 CFR §164.502 establishes a foundational principle: a covered entity — including every health plan that qualifies as a payer — may only use or disclose protected health information for treatment, payment, and health care operations unless another exception applies or the individual provides written authorization.

This means that under HIPAA payers may not repurpose claims data, enrollment records, or clinical information for activities that fall outside these permitted categories. Marketing, sale of PHI, underwriting for eligibility determinations (post-ACA), and employment-related decisions are all off-limits without explicit individual authorization or a specific regulatory carve-out.

Too many health plans treat member data as a corporate asset to be leveraged across departments. That mindset is exactly what triggers OCR enforcement actions.

Specific Restrictions Payers Must Follow Under the Privacy Rule

Let's break down the most critical restrictions that bind health plans as covered entities under HIPAA.

No Disclosure Beyond the Minimum Necessary Standard

Under 45 CFR §164.502(b), payers must apply the minimum necessary standard every time they use, disclose, or request PHI. Your claims processing team should never have access to the full medical record when only a diagnosis code and procedure code are needed to adjudicate a claim.

This standard requires your organization to implement role-based access controls, written policies identifying who needs access to what categories of PHI, and routine audits verifying that access hasn't crept beyond those boundaries.
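The following Python module is an added illustration of what role-based access controls and a recurring access audit look like in practice; it is not code from the original article or from any named plan. The PHI categories, role policy, account names and the sample claim record are constructed for the example, and the three permitted purposes mirror the treatment, payment and operations categories described above.

```python
"""Minimum-necessary access model for a health plan (added example, constructed data).

Three pieces: a role policy that names the PHI categories each job function needs,
an access check that allows a field only for a permitted purpose AND within the
role's policy, and an audit that reports accounts whose grants have crept past
their role. Every role, category and account below is illustrative.
"""
from dataclasses import dataclass, field

# Constructed PHI categories a plan might track (illustrative, not regulatory terms).
PHI_CATEGORIES = {"enrollment", "diagnosis_codes", "procedure_codes",
                  "billed_amounts", "clinical_notes", "prescriptions", "contact"}

# Assumed role policy: the minimum categories each job function needs.
ROLE_POLICY = {
    "claims_adjudicator": {"enrollment", "diagnosis_codes", "procedure_codes", "billed_amounts"},
    "member_services": {"enrollment", "contact"},
    "analytics": {"diagnosis_codes", "procedure_codes", "billed_amounts"},
}

# Purposes for which the Privacy Rule permits use without authorization (TPO).
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Account:
    user: str
    role: str
    grants: set = field(default_factory=set)  # categories actually provisioned


def permitted_categories(role: str) -> set:
    """Categories the role policy allows; unknown roles get nothing."""
    return ROLE_POLICY.get(role, set())


def may_access(account: Account, category: str, purpose: str) -> bool:
    """Allow only a known category, for a TPO purpose, inside the role policy AND the account's grants.
    Requiring both means an over-provisioned account still cannot exceed its role."""
    if purpose not in PERMITTED_PURPOSES or category not in PHI_CATEGORIES:
        return False
    return category in permitted_categories(account.role) and category in account.grants


def filter_record(account: Account, record: dict, purpose: str) -> dict:
    """Return only the fields the account may see for this purpose (minimum necessary)."""
    return {k: v for k, v in record.items() if may_access(account, k, purpose)}


def audit_access_creep(accounts: list) -> dict:
    """Report accounts holding grants beyond their role policy: user -> sorted excess categories."""
    findings = {}
    for acct in accounts:
        excess = acct.grants - permitted_categories(acct.role)
        if excess:
            findings[acct.user] = sorted(excess)
    return findings


# Constructed sample data: one correctly scoped account, one that has accumulated extra grants.
CLAIMS_STAFF = Account("c.lee", "claims_adjudicator",
                       {"enrollment", "diagnosis_codes", "procedure_codes", "billed_amounts"})
OVERPROVISIONED = Account("d.park", "member_services",
                          {"enrollment", "contact", "clinical_notes", "prescriptions"})
SAMPLE_ACCOUNTS = [CLAIMS_STAFF, OVERPROVISIONED]

SAMPLE_CLAIM = {  # constructed claim record; values are placeholders
    "enrollment": "M-00042", "diagnosis_codes": ["E11.9"], "procedure_codes": ["99213"],
    "billed_amounts": 140.00, "clinical_notes": "visit narrative", "prescriptions": ["metformin"],
    "contact": "555-0100",
}


if __name__ == "__main__":
    print("adjudication view:", sorted(filter_record(CLAIMS_STAFF, SAMPLE_CLAIM, "payment")))
    print("marketing view:", filter_record(CLAIMS_STAFF, SAMPLE_CLAIM, "marketing"))
    print("access creep findings:", audit_access_creep(SAMPLE_ACCOUNTS))
```

The audit is the piece that tends to be missing in practice: the policy is written once, but provisioning drifts, so running `audit_access_creep` on a schedule (and ticketing every finding) is what turns "minimum necessary" from a policy statement into a verifiable control.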

No Marketing Without Authorization

Under 45 CFR §164.508(a)(3), payers may not use PHI to send marketing communications unless the member signs a valid authorization. There is a narrow exception for face-to-face communications and promotional gifts of nominal value, but targeted outreach campaigns based on diagnoses, prescription data, or utilization history require explicit written consent.

Health plans that partner with pharmaceutical companies or wellness vendors frequently stumble here. If your organization receives financial remuneration for sending member communications, that activity is classified as marketing — full stop.

No Sale of PHI Without Authorization

The Omnibus Rule of 2013 added 45 CFR §164.502(a)(5)(ii), which prohibits the sale of protected health information without individual authorization. Payers may not sell member datasets, analytics derived from PHI, or data that was not properly de-identified. The only exceptions are narrow: public health activities, treatment, payment, certain research scenarios, and a handful of other carved-out purposes.

No Improper Sharing with Employer-Sponsors

Group health plans face a unique restriction under 45 CFR §164.504(f). Payers may not disclose PHI to the employer that sponsors the plan unless the plan documents have been amended with specific certification language, and even then, the employer may only receive enrollment and disenrollment information, summary health information for premium bidding, or PHI authorized by the individual.

In my work with covered entities, this is one of the most commonly violated provisions. HR departments often assume they can request claims details for specific employees. They cannot.

Business Associate Obligations That Payers Must Enforce

Your restrictions as a payer extend to every business associate that handles PHI on your behalf. Under 45 CFR §164.502(e), you must have a compliant business associate agreement in place, and that agreement must prohibit the business associate from using or disclosing PHI in ways that you yourself are prohibited from doing.

If your third-party administrator, data analytics vendor, or cloud hosting provider misuses member PHI, your organization shares liability. OCR has consistently taken the position that a covered entity cannot delegate away its compliance obligations through outsourcing.

The Breach Notification Consequence Payers Often Forget

When payers violate these restrictions — using PHI for an unauthorized purpose or disclosing it beyond what's permitted — the result is often a HIPAA violation that also triggers the Breach Notification Rule at 45 CFR §§164.400-414. Unauthorized access, use, or disclosure of PHI is presumed to be a breach unless your organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI was compromised.

For health plans with thousands or millions of members, a single systemic misuse of data can result in notifications to every affected individual, HHS, and in cases exceeding 500 individuals, prominent media outlets. The reputational damage alone can dwarf the civil monetary penalties, which range from $137 to $68,928 per violation under the current penalty tiers.

How Payers Can Build a Defensible Compliance Program

Staying on the right side of these restrictions requires more than a policies-and-procedures binder gathering dust in your compliance office. Healthcare organizations consistently struggle with operationalizing HIPAA requirements across large, distributed workforces.

  • Conduct a thorough risk analysis — 45 CFR §164.308(a)(1)(ii)(A) requires it, and it should map every data flow involving PHI, including flows to business associates and employer-sponsors.
  • Implement role-based access controls — Ensure that claims staff, customer service representatives, and analytics teams can only access the PHI categories necessary for their job functions.
  • Update your Notice of Privacy Practices — Your NPP must accurately describe how your plan uses and discloses PHI. If your practices have evolved, your notice must keep pace.
  • Invest in ongoing workforce training — One-time onboarding training is insufficient. Your workforce needs regular, updated education on what payers may and may not do with member data. A comprehensive HIPAA training and certification program ensures that every team member understands these boundaries before a violation occurs.

Don't Wait for an OCR Investigation to Close the Gaps

OCR enforcement data consistently shows that health plans account for a significant share of HIPAA complaints and resolution agreements. The agency's audit program has specifically targeted payer compliance with the minimum necessary standard, business associate oversight, and breach notification timelines.

If your health plan hasn't pressure-tested its PHI practices recently, the time to act is now — not after a member complaint lands on OCR's desk. Start by ensuring your entire workforce understands the boundaries that HIPAA places on payer use of protected health information through workforce HIPAA compliance training from HIPAA Certify.

The rules are clear. Under HIPAA payers may not treat member data as an unrestricted business resource. Every use, every disclosure, and every access point must be justified, documented, and limited to what the Privacy Rule permits.