The sharing of protected health information (PHI) is guided primarily by the HIPAA Privacy Rule, a federal regulation that sets the baseline standards for when, how, and with whom health data can be shared. But HIPAA isn’t the only framework in play. State privacy laws, the 21st Century Cures Act, and recent federal rule changes around reproductive health care all shape what’s permitted, what’s required, and what’s prohibited.
The HIPAA Privacy Rule Sets the Foundation
HIPAA’s Privacy Rule is the core regulation governing PHI. It applies to “covered entities,” which include health care providers, health plans, and health care clearinghouses, along with their business associates. The rule establishes when PHI can be used or disclosed without a patient’s explicit authorization, and it creates rights for individuals to access and control their own health data.
The most common permitted disclosures fall into three categories: treatment, payment, and health care operations. Treatment covers the coordination and management of care between providers, including consultations and referrals. Payment includes activities like processing insurance claims, determining coverage, and obtaining reimbursement. Health care operations is a broader bucket that encompasses quality assessment, credentialing, fraud detection, auditing, and general business administration.
A covered entity can share PHI for these three purposes without asking the patient first. Beyond those categories, HIPAA also permits disclosure without authorization for public health purposes, law enforcement requests under specific conditions, judicial proceedings, and certain government oversight activities. For most other uses, the entity needs the individual’s written authorization.
The Minimum Necessary Standard
Even when sharing is permitted, HIPAA doesn’t allow a free flow of information. The Privacy Rule requires covered entities to take reasonable steps to limit any use or disclosure to the minimum amount of PHI necessary to accomplish the purpose. If a billing department only needs a diagnosis code and date of service, it shouldn’t receive the patient’s full medical history.
For routine disclosures, organizations are expected to have standing policies that define who can access what. For non-routine requests, each disclosure must be reviewed individually against reasonable criteria the entity has developed. In some cases, the entity can rely on the judgment of the party requesting the information, specifically when that party is another covered entity, a public official citing a permitted purpose, a workforce member or business associate, or a researcher with documented approval from an Institutional Review Board. Even then, the entity holding the data always retains the discretion to make its own determination about what qualifies as the minimum necessary.
State Laws Can Impose Stricter Rules
HIPAA creates a federal floor for privacy protections, not a ceiling. State laws that provide greater privacy protections or greater individual rights remain in effect, even where they differ from the federal rule. A state law is considered “contrary” to HIPAA only if it’s impossible to comply with both simultaneously, or if the state law undermines HIPAA’s objectives. Where a state law is more protective (for example, prohibiting disclosure of HIV status in situations where HIPAA would permit it), both laws apply and the stricter standard wins.
This means the rules governing PHI sharing can vary depending on where you live. States like California, New York, and Texas have their own health privacy statutes that add requirements on top of HIPAA. If you’re trying to understand what applies to a specific situation, the answer is always whichever law gives the patient more protection.
The Cures Act and Information Blocking
While HIPAA focuses on limiting inappropriate sharing, the 21st Century Cures Act addresses the opposite problem: making sure PHI flows freely when it should. The Cures Act established “information blocking” rules that prohibit health care providers, health IT developers, and health information networks from interfering with the access, exchange, or use of electronic health information.
There are nine recognized exceptions where restricting access is not considered information blocking. These cover situations involving:
- Preventing harm: The actor reasonably believes the restriction will substantially reduce a risk of harm to a patient or another person, and the restriction is no broader than necessary.
- Privacy: The restriction protects an individual’s privacy.
- Security: The restriction protects the security of electronic health information.
- Infeasibility: Fulfilling the request isn’t technically feasible under the circumstances.
- Health IT performance: Systems are temporarily unavailable for maintenance or performance reasons.
- Manner: The actor limits the format or method of fulfilling a request, not the information itself.
- Fees: Reasonable fees, including a reasonable profit margin, are charged for access.
- Licensing: Interoperability elements are licensed under reasonable terms.
Together, HIPAA and the Cures Act create a regulatory balance: share what needs to be shared for care and patient access, but protect what needs to be protected from misuse.
Reproductive Health Care Protections
A 2024 modification to the HIPAA Privacy Rule added new restrictions on PHI sharing related to reproductive health care. Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, HHS issued a final rule that prohibits covered entities and their business associates from using or disclosing PHI to investigate or impose liability on any person for seeking, obtaining, providing, or facilitating lawful reproductive health care.
The rule applies when the reproductive health care was lawful in the state where it was provided, or when it was protected, required, or authorized by federal law. To enforce this, the rule requires that when a covered entity receives a request for PHI that could relate to reproductive health care (for purposes like law enforcement, judicial proceedings, or health oversight), the requesting party must sign an attestation confirming the request is not for a prohibited purpose.
Your Right To Access Your Own Records
HIPAA doesn’t just regulate sharing between organizations. It also guarantees your right to obtain copies of your own PHI. A covered entity must respond to your access request within 30 calendar days. If the records are archived or hard to retrieve, the entity can extend that timeline by an additional 30 days, but it must notify you in writing of the delay. Only one extension is allowed per request.
Fees for copies must be reasonable and cost-based. They can only cover the labor of copying, supplies like a CD or USB drive, postage if you request mailing, and preparation of a summary if you’ve agreed to one. Entities cannot charge you for searching for records, verifying your identity, maintaining their systems, or recouping infrastructure costs. For electronic copies of records maintained electronically, per-page fees are not permitted. Instead, a covered entity may charge a flat fee of no more than $6.50 for the entire request.
De-Identification: When Data Is No Longer PHI
One key principle guiding PHI sharing is that once health information is properly de-identified, it is no longer considered PHI and falls outside HIPAA’s restrictions. The Privacy Rule defines a “Safe Harbor” method for de-identification that requires removing 18 categories of identifiers: names, addresses more specific than a state, all date elements except year (with special rules for ages over 89), phone numbers, email addresses, Social Security numbers, medical record numbers, health plan numbers, account numbers, license and certificate numbers, vehicle and device identifiers, URLs, IP addresses, biometric data like fingerprints, full-face photos, and any other unique identifying number or code.
Even after stripping all 18 categories, the entity must also have no actual knowledge that the remaining information could be combined with other data to re-identify someone. This two-part requirement, removing specific identifiers and lacking knowledge of re-identification risk, is what makes data truly de-identified under HIPAA.
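As an added illustration (not code from this page or from any HIPAA tooling), the following Python applies the Safe Harbor removals described above to a constructed record: identifier fields are dropped, dates are reduced to their year element, identifier-shaped tokens that leak into free text are redacted, and ages over 89 are aggregated into a single "90 or older" category. The record, its field names and the regex patterns are assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample record, no real patient data; field names are assumptions.
RECORD = {
    "name": "Jane Q. Sample", "state": "OH", "zip": "43215",
    "dob": "1932-04-17", "admit_date": "2023-11-02",
    "phone": "614-555-0100", "ssn": "123-45-6789", "mrn": "MRN-0091",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up call to 614-555-0100; spouse email bob@example.com.",
}

# Fields in identifier categories the text lists (name, sub-state address
# elements, phone, SSN, medical record number) are dropped outright.
IDENTIFIER_FIELDS = {"name", "zip", "phone", "ssn", "mrn"}
DATE_FIELDS = {"dob", "admit_date"}   # reduced to the year element only

# Identifier-shaped tokens that leak into free text get redacted.
LEAK_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]

def scrub_text(text: str) -> str:
    for pattern, label in LEAK_PATTERNS:
        text = pattern.sub(label, text)
    return text

def safe_harbor(record: dict, as_of_iso: str) -> dict:
    """Apply the Safe Harbor removals described above to one record."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]
        else:
            out[key] = scrub_text(value) if isinstance(value, str) else value
    # Ages over 89 are aggregated into a single "90 or older" category
    # (45 CFR 164.514(b)); the birth year is dropped since it would reveal it.
    as_of, dob = date.fromisoformat(as_of_iso), date.fromisoformat(record["dob"])
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        out["age"] = "90 or older"
        out.pop("dob_year", None)
    else:
        out["age"] = age
    return out
```

The second requirement, having no actual knowledge that the remainder could be re-identified, is a judgment about the whole data set and its context, which no per-record transformation can make for you.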
Breach Notification Requirements
When PHI sharing goes wrong, another set of rules kicks in. Under the HITECH Act’s breach notification regulations, covered entities must promptly notify affected individuals when their PHI has been compromised. If a breach affects more than 500 people, the entity must also notify the HHS Secretary and the media. Smaller breaches, those affecting fewer than 500 individuals, are reported to HHS on an annual basis. Business associates that experience a breach are required to notify the covered entity, which then handles notifications to individuals and regulators.