What Constitutes the Use of PHI Under HIPAA?

Under HIPAA, “use” of protected health information (PHI) refers to any sharing, examination, application, or analysis of individually identifiable health data within an organization that holds it. This is distinct from “disclosure,” which involves releasing PHI to an outside entity. The distinction matters because different rules govern each. Any time a staff member pulls up a patient record, references a diagnosis for billing, or reviews charts for quality improvement, that counts as a use of PHI.

But to understand what constitutes use of PHI, you first need to know what makes health information “protected” in the first place, and then how the law draws lines around when that information can and cannot be accessed.

What Makes Health Information “Protected”

Health information becomes PHI when it includes any data point that could identify a specific person. HIPAA defines 18 identifiers that, when linked to health data, trigger federal privacy protections. These include obvious ones like names, Social Security numbers, and phone numbers. But the list extends further than most people expect:

  • Geographic data smaller than a state, including street address, city, county, and ZIP code
  • Dates directly related to a person (birth date, admission date, discharge date, date of death), plus all ages over 89
  • Contact information: phone numbers, fax numbers, email addresses
  • Account identifiers: medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers
  • Device and vehicle identifiers, including serial numbers and license plate numbers
  • Digital identifiers: URLs, IP addresses
  • Biometric data, including fingerprints and voiceprints
  • Full-face photographs or comparable images
  • Any other unique identifying number or characteristic

A lab result on its own is not PHI. A lab result attached to a name, medical record number, or date of birth is. The trigger is the link between health data and an identifier.

Use vs. Disclosure: The Legal Distinction

HIPAA separates internal “use” from external “disclosure” because each carries different compliance obligations. Use happens inside the walls of a covered entity, meaning a hospital, clinic, insurance plan, or healthcare clearinghouse. When a nurse reviews a patient’s chart to prepare for a procedure, that’s a use. When a billing specialist checks a diagnosis code to submit a claim, that’s also a use.

Disclosure happens when PHI leaves the organization: sending records to another provider, submitting claims to an insurer, or releasing information to a patient’s family member. Both use and disclosure are regulated, but the rules around authorization, record-keeping, and patient notification differ depending on which is happening.

When PHI Can Be Used Without Patient Permission

HIPAA permits the use of PHI without a patient’s written authorization for three core purposes, often called TPO: treatment, payment, and healthcare operations.

Treatment covers the provision, coordination, and management of care. A doctor reviewing your medical history before prescribing medication is using PHI for treatment. So is a specialist consulting with your primary care physician about your case, or a hospital coordinating your referral to a rehabilitation center.

Payment includes everything involved in getting reimbursed for services. Determining whether you’re eligible for coverage, submitting claims, running utilization reviews, and performing risk adjustments all fall under this category. If a billing department accesses your diagnosis and procedure codes to collect payment, that use is permitted without your explicit sign-off.

Healthcare operations is the broadest category and covers the administrative backbone of running a healthcare organization. Quality assessment and improvement programs, staff training, medical review, legal and auditing services, and business planning all qualify. If a hospital pulls a set of patient records to evaluate how well a surgical unit is performing, that’s a permitted operational use.

The Minimum Necessary Standard

Even when a use of PHI is permitted, HIPAA requires that organizations limit access to the smallest amount of information needed to get the job done. This is called the minimum necessary standard, and it’s one of the most practically important rules governing PHI use.

Organizations must have policies that specify which employees or roles can access PHI, what categories of information they need, and under what conditions. A hospital might allow doctors and nurses involved in a patient’s treatment to view the full medical record, but a billing clerk would only need access to demographic and financial data. The key is that these access levels need to be defined in advance through written policies, not decided on the fly.

For routine, recurring uses, organizations can set standard protocols rather than reviewing each instance individually. A radiology department that regularly accesses imaging records for interpretation doesn’t need a case-by-case review. But for non-routine requests, each one must be individually evaluated against reasonable criteria to ensure only the minimum necessary information is accessed.

One important exception: the minimum necessary standard does not apply to uses for treatment purposes. A treating physician can access whatever they need from a patient’s record without the organization having to limit the scope.
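One way to turn the policy structure described in the last three paragraphs into an enforceable check, written as an added example for this article (not code from the article or from any particular EHR product). The roles, PHI categories, purposes and routine-use pairs below are constructed for the illustration; a real policy would be derived from the organization's written minimum-necessary procedures.

```python
# Minimum-necessary access check: an added illustration, not from the article.
# Role names, PHI categories and purposes are constructed for the example.

# Written policy, defined in advance: which PHI categories each role may use.
ROLE_POLICY = {
    "treating_clinician": {"demographics", "clinical", "imaging", "financial"},
    "billing_clerk": {"demographics", "financial"},
    "radiologist": {"demographics", "imaging"},
    "quality_analyst": {"demographics", "clinical"},
}

# Routine, recurring (role, purpose) pairs covered by a standing protocol,
# so they need no case-by-case review.
ROUTINE_USES = {
    ("billing_clerk", "payment"),
    ("radiologist", "treatment"),
    ("quality_analyst", "operations"),
}


def evaluate_access(role, purpose, requested, treating_patient=False):
    """Decide whether a PHI use request is allowed under the written policy.

    Returns (decision, reason) where decision is "permit", "deny" or "review".
    """
    requested = set(requested)

    # A clinician involved in this patient's care, acting for treatment, is
    # exempt from the minimum necessary standard: scope is not limited.
    if purpose == "treatment" and treating_patient:
        return "permit", "treatment by a treating clinician; minimum necessary does not apply"

    # Deny by default: an unknown role has no categories at all.
    allowed = ROLE_POLICY.get(role, set())
    excess = requested - allowed
    if excess:
        return "deny", "categories outside the role's policy: " + ", ".join(sorted(excess))

    if (role, purpose) in ROUTINE_USES:
        return "permit", "routine use covered by a standing protocol"

    # Everything else is a non-routine request and is evaluated individually
    # against the organization's minimum-necessary criteria.
    return "review", "non-routine request; individual minimum-necessary review required"


if __name__ == "__main__":
    print(evaluate_access("billing_clerk", "payment", ["demographics", "financial"]))
    print(evaluate_access("billing_clerk", "payment", ["clinical"]))
    print(evaluate_access("quality_analyst", "research", ["clinical"]))
    print(evaluate_access("nurse", "treatment", ["clinical", "imaging"], treating_patient=True))
```

The decision is made from the written policy tables rather than from whoever happens to be asking, which is the point of the standard: access levels are fixed in advance, routine uses are pre-approved, and anything that does not match a standing protocol is routed to a human review instead of being silently granted.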

When Written Authorization Is Required

Uses that fall outside treatment, payment, and operations generally require a patient’s written authorization. This includes things like sharing records for marketing purposes, selling PHI, or providing information to an employer for workplace decisions.

A valid authorization form must include specific elements to be legally binding: a clear description of the information being used, the name of the person or entity requesting it, the purpose of the use, an expiration date or event, and the patient’s signature with a date. Vague or open-ended authorizations don’t meet the standard. If the patient initiates the authorization themselves, the purpose can simply be stated as “at the request of the individual.”

How Third-Party Vendors Fit In

When an outside company handles PHI on behalf of a healthcare organization, it becomes a “business associate” under HIPAA. Common examples include cloud storage providers, billing companies, IT contractors, and data analytics firms. These vendors are permitted to use PHI only as outlined in a formal business associate agreement.

Under that agreement, a business associate can use PHI to perform the specific services it was hired for, to manage its own operations, and to carry out its legal responsibilities. It can also provide data aggregation services related to the healthcare organization’s operations. What it cannot do is use PHI in any way that the healthcare organization itself would be prohibited from doing. The agreement must spell out these boundaries, and violations can result in penalties for both the vendor and the organization that hired it.

When Health Data Stops Being PHI

If all 18 identifiers are stripped from a dataset, it is no longer considered PHI, and HIPAA restrictions on its use no longer apply. This process is called de-identification, and HIPAA recognizes two methods for accomplishing it.

The Safe Harbor method is the more straightforward approach: remove all 18 identifiers and confirm that the remaining data could not, alone or in combination, identify any individual. There are a few nuances. ZIP codes can be kept to their first three digits, but only if the geographic area those digits represent contains more than 20,000 people. Dates can retain the year but not more specific elements like month or day. Ages over 89 must be grouped into a single “90 or older” category.
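The following is an added example, not code from the article, that applies the Safe Harbor steps just described to one patient record: it strips the direct identifiers from the list of 18 given earlier, truncates the ZIP code to three digits only when the area has more than 20,000 people, reduces dates to the year, and collapses ages over 89 into "90 or older". The field names, the sample records and the ZIP3 population table are constructed for the illustration. Two details come from the regulation text rather than from this article: the substitute for a ZIP prefix that fails the population test is 000, and a birth year that itself reveals an age over 89 is removed along with the age.

```python
# Safe Harbor de-identification of one patient record: an added illustration,
# not the article's own code. Field names, the sample records and the ZIP3
# population table are constructed for this example.
from datetime import date

# Direct identifiers among the 18 HIPAA categories: removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
    "street_address", "city", "county",
}

# Date fields: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def truncate_zip(zip_code, zip3_population):
    """Keep the first three ZIP digits only if that area has more than 20,000
    people; otherwise use 000, the substitute the regulation specifies."""
    prefix = zip_code[:3]
    if zip3_population.get(prefix, 0) > 20000:
        return prefix
    return "000"


def age_on(birth_iso, as_of_iso):
    """Whole years between an ISO birth date and an ISO reference date."""
    birth = date.fromisoformat(birth_iso)
    as_of = date.fromisoformat(as_of_iso)
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_deidentify(record, zip3_population, as_of_iso):
    """Return a new dict with Safe Harbor identifier handling applied to `record`."""
    out = {}
    over_89 = False
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of_iso)
        over_89 = age > 89
        out["age"] = "90 or older" if over_89 else age
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = truncate_zip(value, zip3_population)
        elif field in DATE_FIELDS:
            # A birth year that itself reveals an age over 89 is removed too.
            if field == "birth_date" and over_89:
                continue
            out[field.replace("_date", "_year")] = value[:4]
        else:
            out[field] = value  # health data with no identifier attached survives
    return out


# Constructed sample inputs (not real people or real population figures).
SAMPLE_ZIP3_POPULATION = {"021": 500000, "036": 15000}

SAMPLE_RECORDS = [
    {"name": "Jane Example", "mrn": "MRN-000123", "birth_date": "1932-05-01",
     "admission_date": "2024-11-03", "street_address": "1 Example St",
     "city": "Anytown", "zip": "02139", "email": "jane@example.invalid",
     "diagnosis_code": "E11.9", "hba1c": 7.2},
    {"name": "John Example", "ssn": "000-00-0000", "birth_date": "1980-02-14",
     "discharge_date": "2024-06-30", "zip": "03601", "ip_address": "192.0.2.10",
     "diagnosis_code": "J45.909"},
]


def deidentify_all(records=SAMPLE_RECORDS, as_of_iso="2025-01-01"):
    return [safe_harbor_deidentify(r, SAMPLE_ZIP3_POPULATION, as_of_iso) for r in records]


if __name__ == "__main__":
    for row in deidentify_all():
        print(row)
```

The lab value and diagnosis code pass through untouched, because on their own they are not PHI; what the function removes is the link to an identifier. Note what code cannot do here: the Safe Harbor method also requires confirming that the remaining data could not, alone or in combination, identify anyone, and that judgement (like the Expert Determination route) rests with a person, not with a field filter.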

The second method, Expert Determination, involves a qualified statistician certifying that the risk of identifying any individual from the dataset is very small. Organizations that successfully de-identify data can use it freely for research, analytics, or any other purpose without triggering HIPAA obligations.

Reproductive Health Care Protections

A 2024 rule added specific restrictions on how PHI related to reproductive health care can be used. The rule prohibited covered entities and their business associates from using PHI to investigate or impose liability on anyone for seeking, obtaining, providing, or facilitating lawful reproductive health care. It also required organizations receiving certain requests for reproductive health-related PHI (for law enforcement, judicial proceedings, or health oversight) to obtain a signed attestation that the request was not for a prohibited purpose.

However, in June 2025, a federal court in Texas vacated most of these reproductive health privacy protections, declaring them unlawful. Some related updates to privacy notice requirements survived the ruling and remain in effect, with a compliance deadline of February 16, 2026. The legal landscape here is actively shifting, so the specific protections available depend on when and where the question arises.