HIPAA allows a surprising amount of health information to be shared legally, as long as specific conditions are met. The law doesn’t block all sharing of medical data. It sets rules about who can share it, with whom, and under what circumstances. Understanding these boundaries matters whether you work in healthcare, run a business that handles health data, or simply want to know your rights as a patient.
Who HIPAA Actually Applies To
HIPAA only governs three types of organizations: healthcare providers (doctors, clinics, pharmacies, nursing homes), health plans (insurance companies, HMOs, Medicare, Medicaid), and healthcare clearinghouses that process medical billing. These are called “covered entities.” Their contractors and vendors, known as business associates, also must follow the rules.
If an organization doesn’t fall into one of those categories, HIPAA doesn’t apply to it at all. Your employer (outside of its role as a health plan sponsor), fitness apps, life insurance companies, schools, and most websites that collect health-related data are not bound by HIPAA. They may be subject to other privacy laws, but not this one.
Sharing for Treatment, Payment, and Operations
The broadest permission in HIPAA covers the everyday flow of medical information. A covered entity can use or share protected health information for its own treatment, payment, and healthcare operations without needing your written authorization. This is how medicine actually functions: your primary care doctor sends records to a specialist, a hospital shares billing details with your insurer, and a clinic reviews patient outcomes for quality improvement.
Providers can also share your information with any other healthcare provider involved in your treatment, even if that provider isn’t covered by HIPAA. For payment purposes, a covered entity can send your information to another covered entity or provider that needs it to get paid. Healthcare operations disclosures are slightly more restricted. Both organizations must have (or have had) a relationship with you, and the disclosure must relate to quality assessment, fraud detection, or compliance activities.
Sharing With Family and Friends
HIPAA specifically permits providers to share information that is directly relevant to a family member’s, friend’s, or caregiver’s involvement in your care or payment for your care. A doctor can discuss your condition with your spouse if you’re present and don’t object, or if the provider reasonably infers based on professional judgment that you wouldn’t mind. A pharmacist can let someone else pick up your prescription using that same standard of reasonable inference.
Providers can also notify family members, personal representatives, or other responsible persons about your location, general condition, or death. This is what allows a hospital to tell your emergency contact that you’ve been admitted and are in stable condition.
De-Identified Data Is Not Protected
Once health information has been stripped of anything that could identify a specific person, it’s no longer protected by HIPAA and can be shared freely. The most straightforward way to de-identify data is the “Safe Harbor” method, which requires removing 18 specific identifiers:
- Direct identifiers: names, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and certificate or license numbers
- Contact information: phone numbers, fax numbers, email addresses, web URLs, and IP addresses
- Location data: any geographic unit smaller than a state (street address, city, county, ZIP code), though the first three digits of a ZIP code can remain if that three-digit zone has more than 20,000 people
- Dates: all date elements except year for dates tied to an individual (birth, admission, discharge, death), plus all ages over 89, which must be grouped into a single “90 or older” category
- Physical and digital identifiers: vehicle and device serial numbers, license plates, biometric data like fingerprints or voiceprints, full-face photos, and any other unique identifying number or code
The second method, called Expert Determination, involves a qualified statistician certifying that the risk of identifying any individual from the data is very small. Organizations doing large-scale research or analytics often use this approach when the Safe Harbor method would strip out too much useful information.
Public Health and Safety Disclosures
HIPAA permits sharing health information without patient authorization for several public health purposes. Covered entities can report diseases, injuries, births, and deaths to public health authorities for disease surveillance and prevention. They can report known or suspected child abuse or neglect to authorized government agencies. They can also share information related to FDA-regulated products, including adverse event reports, product defects, recalls, and post-marketing surveillance.
If someone poses a risk of spreading a communicable disease, a covered entity can disclose information to notify people who may be at risk, provided other laws authorize that notification. For workplace health, a provider who performs services at an employer’s request can share results with that employer for occupational safety purposes, such as complying with OSHA requirements.
Law Enforcement and Legal Proceedings
Health information can be shared with law enforcement under specific, limited conditions. A provider can disclose information to prevent or lessen a serious and imminent threat to someone’s health or safety. They can report what they believe in good faith to be evidence of a crime that occurred on their premises. They can alert police to a death suspected to involve criminal conduct, or report criminal activity observed during an off-site medical emergency.
Some disclosures are required by law, such as reporting gunshot wounds or stab wounds in states with mandatory reporting statutes. Providers must also comply with court orders, court-ordered warrants, and subpoenas issued by a judge. Administrative requests from law enforcement require a written statement confirming the information is relevant, specific, limited in scope, and that de-identified data wouldn’t serve the purpose.
When law enforcement is trying to locate a suspect, fugitive, witness, or missing person, a provider can share basic demographic and health information, but nothing beyond that.
The Minimum Necessary Standard
Even when sharing is permitted, HIPAA requires that covered entities share only the minimum amount of information needed to accomplish the purpose. A billing department processing a claim doesn’t need your full psychiatric notes. An employer verifying insurance enrollment doesn’t need your diagnosis history. Organizations must have policies identifying which employees need access to what types of information and under what conditions.
For routine, recurring disclosures, organizations can set standard protocols rather than reviewing each one individually. Non-routine requests require individual review against reasonable criteria. There are notable exceptions to this standard: it doesn’t apply to disclosures for treatment purposes, disclosures directly to the patient, or uses authorized by the patient in writing.
What Employers Can and Cannot Receive
Employers who sponsor group health plans occupy a unique position. The health plan can share enrollment and disenrollment data with the employer freely. If the employer requests it, the plan can also provide “summary health information,” which aggregates claims history, expenses, and types of claims across all plan members. This summary is stripped of most identifiers but can still include five-digit ZIP codes. Employers use this data to get premium bids or decide whether to modify the plan.
For the plan to share more detailed information for plan administration, the employer must formally certify that it won’t use the data for employment decisions or in connection with any other benefit plan. This separation is designed to prevent your health conditions from influencing hiring, firing, or promotion decisions.
Patient Authorization Covers Everything Else
For any use or disclosure not covered by the categories above, a covered entity needs your signed, written authorization. This applies to things like sharing your records with a life insurance company, using your information in marketing materials, or selling your data. The authorization must be specific about what information will be shared, who will receive it, and the purpose. You can revoke an authorization at any time, though that won’t undo disclosures already made while it was in effect.

