Disclosing protected health information (PHI) follows a structured process governed by the HIPAA Privacy Rule. At its core, a covered entity cannot release your health information unless the disclosure falls into a category the Privacy Rule specifically permits or you authorize it in writing. The process involves determining whether authorization is needed, verifying the requester’s identity, applying limits on what gets shared, and documenting the disclosure.
Who Is Required to Follow This Process
The Privacy Rule applies to three types of organizations, collectively called “covered entities”: health plans (individual and group plans that provide or pay for medical care), health care providers who transmit health information electronically for standard transactions, and health care clearinghouses that convert health data between standard and nonstandard formats. If you receive care from a doctor’s office, hospital, or clinic that bills electronically, that provider is a covered entity and must follow these disclosure rules regardless of its size.
Disclosures That Don’t Require Your Authorization
Not every release of your health information requires you to sign a form. The Privacy Rule carves out a broad category called Treatment, Payment, and Health Care Operations (TPO) where covered entities can share PHI without written authorization from you.
For treatment purposes, a hospital can use your records to provide your care and consult with other providers about it. A primary care doctor can send your medical record to a specialist you’ve been referred to. A hospital can forward your care instructions to a nursing home if you’re being transferred.
For payment, a physician can share your insurance coverage details with a lab so the lab can bill for services. An emergency department can give your payment information to the ambulance company that brought you in so it can submit its own claim.
For health care operations, one covered entity can share PHI with another for quality assessment or fraud detection, but only if both entities have (or had) a relationship with you and the information is relevant to that relationship.
Law Enforcement and Public Interest
Covered entities can also disclose PHI without your authorization in response to a court order, a court-ordered warrant, or a subpoena issued by a judge. An administrative request from a law enforcement official can also trigger disclosure, but it must meet three conditions: the official provides a written statement confirming the information is relevant and material, the request is specific and limited in scope, and de-identified information would not serve the purpose.
When Written Authorization Is Required
Outside the categories the Privacy Rule permits on its own, a covered entity needs your written authorization before disclosing your PHI. This authorization form must include several specific elements to be legally valid. It needs to describe the information that will be used or disclosed, name who is authorized to make the disclosure and who will receive it, and state the purpose. Critically, the form must contain either an expiration date or an expiration event tied to you or the purpose of the disclosure. An open-ended, indefinite authorization is not valid.
The authorization must also clearly state your right to revoke it and explain how to do so, either directly on the form or by referencing the entity’s Notice of Privacy Practices if it contains a clear description of the revocation process.
Revoking an Authorization
You can revoke any authorization you’ve given at any time. The revocation must be in writing and takes effect only once the covered entity receives it. There are two limits worth knowing. First, revocation does not undo disclosures that already happened while the authorization was still active. If a provider shared your records last month based on a valid authorization, pulling that authorization today doesn’t reverse what was already sent. Second, if the authorization was a condition of obtaining insurance coverage, the insurer may retain certain rights to contest a claim or the policy itself under other applicable law.
Verifying the Requester’s Identity
Before releasing PHI, a covered entity must verify the identity and authority of the person requesting it, unless that person is already known to the entity. Verification can happen orally or in writing in most situations, though certain types of disclosures require written documentation as a condition of release. For government officials, proof of status can be as straightforward as correspondence from a legitimate government email address. Signed documents can be accepted as scanned images or PDFs with electronic signatures, as long as those signatures are valid under applicable law.
The Minimum Necessary Standard
One of the most important safeguards in the disclosure process is the minimum necessary requirement. Covered entities cannot simply hand over your entire medical record when only a portion is relevant. They must limit what they share to the smallest amount of information needed to accomplish the purpose of the disclosure.
For routine or recurring disclosures, such as regular billing submissions, the entity should have standard protocols already in place that define exactly what information gets sent. For non-routine, one-off requests, the entity must develop reasonable criteria to evaluate how much information is actually necessary.
In some situations, the covered entity can rely on the requester’s judgment about what’s needed. This is permitted when the request comes from another covered entity, a public official stating the information is the minimum necessary for a purpose the Privacy Rule allows, a workforce member or business associate of the entity holding the information, or a researcher who has documentation from an Institutional Review Board or Privacy Board. Even in these cases, the reliance must be reasonable given the circumstances.
One notable exception: the minimum necessary standard does not apply to disclosures made for treatment purposes. When one provider sends your records to another for the purpose of treating you, they are not required to pare down the information.
Your Right to Access Your Own Records
The disclosure process also applies when you request your own information. A covered entity must act on your access request within 30 calendar days of receiving it. If the entity cannot meet that deadline, it gets one extension of up to 30 additional days, but only if it sends you a written explanation of the delay and a specific date by which it will respond, all within that initial 30-day window.
Accounting of Disclosures
You have the right to request an accounting of disclosures, which is essentially a log of where your PHI has been sent. Covered entities are required to track and provide this history going back six years from the date of your request. The accounting does not need to include disclosures made for treatment, payment, or health care operations, nor disclosures you specifically authorized. It primarily captures the less routine releases, such as those made to public health authorities or in response to legal proceedings.
De-identification as an Alternative
When an entity needs to share health data but wants to avoid the restrictions on PHI entirely, it can de-identify the information. The Privacy Rule’s “Safe Harbor” method requires removing 18 specific categories of identifiers: names, geographic data smaller than a state (with limited exceptions for the first three digits of a ZIP code in areas with populations over 20,000), all date elements except year that relate to an individual (including birth, admission, discharge, and death dates), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers and license plates, device identifiers and serial numbers, URLs, IP addresses, biometric identifiers like fingerprints and voiceprints, full-face photographs, and any other unique identifying number or code.
Ages over 89 must also be removed or grouped into a single “90 or older” category. Once all 18 identifier types are stripped, the data is no longer considered PHI and can be shared without following the disclosure process at all.
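The Safe Harbor rules above are mechanical enough to encode. The following is an added example, not part of the original article or any official HIPAA tooling: it applies the ZIP-code, date and age rules to a single patient record using an allowlist (any field not explicitly handled is dropped, so the named identifiers and any unexpected field never reach the output), then scans the result for identifier-shaped strings that commonly survive in free text. The field names, the 3-digit ZIP lookup and the sample record are constructed for the demonstration, not taken from census or patient data.

```python
import re
from datetime import date

# Constructed lookup, not census data: 3-digit ZIP prefixes whose combined
# population exceeds 20,000 and may be retained (assumption for the demo).
ZIP3_OVER_20K = {"021", "100", "606"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
KEPT_AS_IS = {"state", "sex", "diagnosis", "procedure"}  # assumed schema

def safe_harbor_deidentify(record, reference=date(2024, 1, 1)):
    """De-identified copy of a patient record (dict) under Safe Harbor."""
    # Allowlist design: names, SSNs, MRNs, e-mail, IPs, photos and any
    # unexpected field never reach the output because only handled keys do.
    out = {}
    for key, value in record.items():
        if key in KEPT_AS_IS:
            out[key] = value
        elif key == "zip":  # first 3 digits for large areas, else "000"
            prefix = str(value)[:3]
            out["zip3"] = prefix if prefix in ZIP3_OVER_20K else "000"
        elif key in DATE_FIELDS:  # every date element except year is removed
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
    # Oldest age consistent with the birth year; over 89 is aggregated.
    if "birth_year" in out and reference.year - out["birth_year"] > 89:
        del out["birth_year"]
        out["age_category"] = "90 or older"
    return out

# Identifier shapes that commonly survive in free-text fields.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def residual_identifiers(record):
    """(field, kind) pairs for identifier-like strings still present."""
    return [(key, kind) for key, value in record.items()
            if isinstance(value, str)
            for kind, pat in IDENTIFIER_PATTERNS.items() if pat.search(value)]

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "email": "jane@example.org", "zip": "02139", "state": "MA",
    "birth_date": "1930-06-15", "admission_date": "2023-11-02",
    "diagnosis": "I10", "notes": "Call 617-555-0100 re: follow-up",
}
```

Run `residual_identifiers` on the input as well as the output: it flags the SSN, e-mail and the phone number hidden in the free-text note, which is the kind of leak that a field-level allowlist alone would not catch if such a note were ever added to the allowlist.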

