In 2023, OCR settled with a dental practice for $350,000 after the organization disclosed a patient's protected health information to a third-party marketing firm without obtaining a valid authorization. The practice believed a general consent form signed at intake covered all downstream uses. It didn't. Knowing exactly when you can use or disclose PHI is not optional — it is the central obligation of every covered entity and business associate under HIPAA's Privacy Rule.
When Can You Use or Disclose PHI Without Patient Authorization
The Privacy Rule at 45 CFR § 164.502 establishes a foundational principle: a covered entity may not use or disclose protected health information except as the rule specifically permits or requires. Most healthcare professionals assume patient authorization is always needed. That assumption is wrong — and equally dangerous is the opposite belief that authorization is rarely needed.
HIPAA permits use and disclosure of PHI without individual authorization in these core categories:
- Treatment, Payment, and Health Care Operations (TPO): Your organization can share PHI with other providers for treatment, submit claims to insurers for payment, and use PHI internally for quality improvement, auditing, and compliance activities.
- Public Health Activities: Disclosures to public health authorities for disease surveillance, reporting vital events, or tracking FDA-regulated products are permitted under 45 CFR § 164.512(b).
- Victims of Abuse, Neglect, or Domestic Violence: Covered entities may disclose PHI to government authorities authorized by law to receive reports of abuse or neglect.
- Health Oversight Activities: Disclosures to agencies conducting audits, investigations, inspections, or licensure activities related to the healthcare system are permitted.
- Judicial and Administrative Proceedings: PHI can be disclosed in response to a court order. Disclosures pursuant to a subpoena require additional safeguards, including notice to the individual or a qualified protective order.
- Law Enforcement Purposes: Under 45 CFR § 164.512(f), specific and limited disclosures are permitted — for example, to identify a suspect, fugitive, or missing person, or to report certain types of wounds.
- To Avert a Serious Threat to Health or Safety: If a workforce member believes in good faith that disclosure is necessary to prevent or lessen a serious and imminent threat to a person or the public, the Privacy Rule permits the disclosure to someone reasonably able to prevent or lessen that threat.
- Workers' Compensation: PHI may be disclosed as authorized by and to the extent necessary to comply with workers' compensation laws.
The Minimum Necessary Standard You Cannot Ignore
Even when a permitted use applies, your organization must apply the minimum necessary standard under 45 CFR § 164.502(b). This means you limit the PHI used or disclosed to the minimum amount needed to accomplish the intended purpose. The only exception is disclosures for treatment purposes between providers, which are exempt from this requirement.
In my work with covered entities, this is where compliance breaks down most frequently. Staff members default to sending entire medical records when a billing summary or a specific lab result would suffice. OCR has flagged minimum necessary violations repeatedly, and they often compound the severity of other infractions.
When Written Patient Authorization Is Required
Certain uses and disclosures are never permitted without a valid written authorization that meets the requirements of 45 CFR § 164.508. These include:
- Marketing communications: Any communication encouraging the purchase or use of a product or service requires authorization, with narrow exceptions for face-to-face communications and promotional gifts of nominal value.
- Sale of PHI: A covered entity may not receive remuneration in exchange for PHI without authorization, subject to limited exceptions for treatment, payment, research, and other specified purposes.
- Psychotherapy notes: These receive heightened protection. Use or disclosure requires specific authorization separate from any general consent for treatment.
- Most research purposes: Unless a waiver of authorization is approved by an Institutional Review Board or Privacy Board, research use of PHI requires individual authorization.
A valid authorization must include specific core elements: a description of the PHI to be disclosed, the person authorized to make the disclosure, the recipient, the purpose, an expiration date, and the individual's signature. Generic consent forms that lack these elements will not hold up under OCR scrutiny.
The Role of the Notice of Privacy Practices
Your organization's Notice of Privacy Practices must describe the permitted uses and disclosures your entity makes. Patients must receive this notice at the first service encounter, and your covered entity must make a good-faith effort to obtain a written acknowledgment of receipt. The notice is not an authorization — it informs patients of their rights and your practices.
Healthcare organizations consistently struggle with keeping their Notice of Privacy Practices current. When your actual disclosure practices evolve — for example, adding telehealth platforms or new business associate relationships — the notice must be updated accordingly.
Business Associates and the Chain of PHI Disclosure
When you disclose PHI to a business associate — a billing company, cloud hosting provider, EHR vendor, or shredding service — you must have a Business Associate Agreement in place under 45 CFR § 164.502(e). The agreement must specify the permitted uses and disclosures the business associate can make, require them to implement appropriate safeguards, and obligate them to report breaches.
OCR enforcement actions have made clear that a covered entity cannot outsource its compliance obligations. If your business associate mishandles PHI, your organization may face investigation and penalties for failing to have adequate agreements and oversight in place.
Workforce Training: The Enforcement Gap That Costs Organizations
The Privacy Rule at 45 CFR § 164.530(b) requires that every member of your workforce receive training on your organization's policies and procedures regarding PHI use and disclosure. This is not a suggestion — it is a regulatory mandate. New workforce members must be trained within a reasonable period of joining, and retraining is required when material changes occur.
The $350,000 dental practice settlement mentioned above could have been prevented by proper training. If the staff member responsible for the disclosure had understood when you can use or disclose PHI — and when you absolutely cannot — the organization would have avoided a six-figure penalty and the reputational damage that follows an OCR resolution agreement.
Investing in structured HIPAA training and certification for your entire workforce closes this gap. It transforms abstract regulatory language into concrete decision-making frameworks your staff can apply daily.
Building a Culture of Compliant PHI Handling
Compliance with PHI disclosure rules is not a one-time audit item. It requires a risk analysis that identifies where PHI flows in your organization, who accesses it, and under what circumstances it leaves your control. It requires policies that translate regulatory language into step-by-step procedures your front desk staff, clinicians, and IT teams can follow.
If your organization has not conducted a thorough review of its PHI use and disclosure practices in the past 12 months, you are operating with unacceptable risk. OCR's enforcement priorities continue to focus on entities that fail to perform adequate risk analysis and that lack documentation of workforce training.
The question of when you can use or disclose PHI has clear answers in the Privacy Rule. The challenge is ensuring every person in your organization knows those answers and acts on them. Platforms like HIPAA Certify provide the workforce compliance infrastructure that turns regulatory requirements into daily practice — before a HIPAA violation turns into an enforcement action.