In 2023, OCR settled with a dental practice for $350,000 after the organization disclosed a patient's protected health information to a third-party marketing company without obtaining a valid authorization. The practice believed the disclosure fell under a permitted use. It didn't. Understanding exactly when a covered entity can disclose PHI is one of the most critical — and most frequently misapplied — obligations under the HIPAA Privacy Rule.

Healthcare organizations consistently struggle with this question because the Privacy Rule at 45 CFR §164.502 creates a framework that is broad enough to cover dozens of scenarios but precise enough to penalize those who get the details wrong. Let's break down every category your workforce needs to know.

When Can a Covered Entity Disclose PHI Without Authorization?

The Privacy Rule permits a covered entity to use and disclose protected health information without an individual's written authorization in a defined set of circumstances. These are not optional guidelines — they are the legal boundaries that separate compliant operations from a HIPAA violation.

Under 45 CFR §164.502(a)(1), a covered entity may disclose PHI without authorization for:

  • Treatment, Payment, and Health Care Operations (TPO): The most common basis. Your organization can share PHI with another provider for treatment purposes, submit claims to a health plan for payment, or conduct quality improvement activities — all without patient authorization.
  • Disclosures to the individual: A patient has the right to access their own PHI under 45 CFR §164.524. When they request it, you must provide it.
  • Incidental disclosures: If your entity has applied reasonable safeguards and met the minimum necessary standard, incidental disclosures that occur as a byproduct of a permitted use are not violations.

These three categories account for the majority of daily PHI disclosures in any healthcare setting. But the permitted uses extend further.

The 12 National Priority Disclosures Most Workforce Members Overlook

Section 164.512 of the Privacy Rule lists specific situations where a covered entity can disclose PHI without authorization for purposes beyond TPO. In my work with covered entities, I've found that many compliance officers are familiar with only a handful of these. Your entire workforce should understand all twelve:

  • Public health activities — Reporting to public health authorities for disease surveillance, injury reporting, or FDA-regulated product tracking.
  • Victims of abuse, neglect, or domestic violence — Disclosures to government authorities authorized by law to receive such reports.
  • Health oversight activities — Audits, investigations, and inspections conducted by agencies like OCR or state health departments.
  • Judicial and administrative proceedings — In response to a court order, or a subpoena accompanied by satisfactory assurances.
  • Law enforcement purposes — Six specific sub-categories, including identifying suspects, reporting certain wounds, and responding to a court order.
  • Decedents — Disclosures to coroners, medical examiners, and funeral directors.
  • Cadaveric organ, eye, or tissue donation — Facilitating transplantation.
  • Research — With an IRB or privacy board waiver of authorization, or using a limited data set with a data use agreement.
  • Serious threat to health or safety — Disclosure necessary to prevent or lessen a serious and imminent threat.
  • Essential government functions — Military, veterans' affairs, national security, and intelligence activities.
  • Workers' compensation — As authorized by state workers' compensation laws.
  • Required by law — When another federal, state, or local law mandates the disclosure.

Each of these has specific conditions attached. A disclosure to law enforcement, for example, does not give your organization blanket permission to hand over a complete medical record. The minimum necessary standard under 45 CFR §164.502(b) requires you to limit the information disclosed to only what is needed to accomplish the purpose — with the exception of disclosures for treatment or disclosures to the individual.

When Written Authorization Is Required Before Disclosing PHI

If a disclosure doesn't fall into one of the categories above, your covered entity needs a valid written authorization from the patient before releasing protected health information. OCR has been explicit about the situations that always require authorization under 45 CFR §164.508:

  • Marketing communications — Any communication that encourages the purchase or use of a product or service, with narrow exceptions for face-to-face communications and promotional gifts of nominal value.
  • Sale of PHI — A covered entity may not receive remuneration in exchange for PHI without authorization, subject to limited exceptions.
  • Psychotherapy notes — These receive heightened protection and require specific authorization separate from a general authorization for other medical records.
  • Most other uses not described in §164.502 or §164.512 — When in doubt, authorization is required.

A valid authorization must include specific core elements: a description of the PHI to be disclosed, who is authorized to make the disclosure, who will receive it, the purpose, an expiration date, and the individual's signature. Missing any of these elements renders the authorization defective — and the disclosure a potential HIPAA violation.

How Business Associates Factor Into PHI Disclosures

Your covered entity doesn't operate in a vacuum. When PHI is disclosed to a business associate — a billing company, cloud hosting provider, EHR vendor, or any entity performing a function involving PHI on your behalf — a Business Associate Agreement (BAA) under 45 CFR §164.502(e) must be in place before the disclosure occurs.

OCR enforcement actions have repeatedly targeted organizations that failed to execute BAAs. In the Omnibus Rule of 2013, HHS expanded direct liability to business associates, meaning both parties face penalties if PHI is disclosed without proper contractual safeguards.

Practical Steps to Ensure Every PHI Disclosure Is Compliant

Knowing when a covered entity can disclose PHI is only useful if your organization operationalizes that knowledge. Here's what I recommend based on years of working with healthcare compliance teams:

  • Conduct a thorough risk analysis — Identify every point in your workflow where PHI leaves your organization. Map each disclosure to a specific Privacy Rule provision.
  • Update your Notice of Privacy Practices — Your NPP must accurately describe how your entity uses and discloses PHI, including all permitted and required disclosures. Patients rely on this document.
  • Apply the minimum necessary standard consistently — Build it into your EHR role-based access controls, your release-of-information procedures, and your business associate agreements.
  • Invest in ongoing workforce training — A single onboarding session is not sufficient. The Privacy Rule at 45 CFR §164.530(b) requires training on your policies and procedures, and OCR expects it to be updated when material changes occur. Structured programs like HIPAA training and certification give your team the regulatory fluency to make compliant disclosure decisions in real time.
  • Document everything — Under 45 CFR §164.528, individuals have the right to an accounting of certain disclosures. If you can't produce that accounting, you have a compliance gap.

The Cost of Getting PHI Disclosures Wrong

OCR's enforcement record speaks for itself. Between 2003 and 2024, the agency has collected over $142 million in HIPAA penalties, with impermissible disclosures being one of the most common violation categories. Penalties range from $100 per violation for unknowing breaches to $50,000 per violation for willful neglect — up to an annual maximum of $2,067,813 per violation category after inflation adjustments.

Beyond penalties, an impermissible disclosure triggers the Breach Notification Rule at 45 CFR §§164.400-414, requiring notification to affected individuals, HHS, and potentially the media if 500 or more individuals are affected.

Building a culture of compliance starts with making sure every person in your organization who touches PHI understands the rules. Platforms like HIPAA Certify for workforce compliance give your team the tools to stay current as regulations evolve and OCR enforcement intensifies.

The question of when a covered entity can disclose PHI has a clear answer — but only if your organization has done the work to embed that answer into every policy, every workflow, and every member of your workforce.