HIPAA: Permitted Uses and Disclosures

Permitted Uses and Disclosures [45 CFR §§ 164.510, 164.512]

Rule: The HIPAA Privacy Rule permits certain uses and disclosures of PHI without written authorization, either with an opportunity for the individual to agree or object (§164.510) or without any individual involvement (§164.512).

Overview

Two categories of permitted disclosures without written authorization:

Section  | Type                        | Individual Involvement                 | Examples
---------|-----------------------------|----------------------------------------|-----------------------------------------------
§164.510 | Opportunity to agree/object | Must inform and give chance to object  | Facility directories, family notification
§164.512 | No authorization required   | No individual involvement needed       | Required by law, public health, law enforcement

Facility Directories and Care Involvement [§164.510]

Section 164.510(a): Use and Disclosure for Facility Directories

Healthcare providers may maintain facility directories containing limited PHI.

Permitted directory information:

Information Type      | Can Disclose To                      | Restrictions
----------------------|--------------------------------------|--------------------------------------------------
Patient name          | Anyone who asks for patient by name  | Must give opportunity to object
Location in facility  | Anyone who asks for patient by name  | General area only (e.g., “3rd floor”)
General condition     | Anyone who asks for patient by name  | No specific medical info (e.g., “stable”, “fair”)
Religious affiliation | Clergy only                          | May be disclosed even if clergy don’t ask by name

“General condition” means:

  • Stable
  • Critical
  • Serious
  • Fair
  • Good
  • Not specific diagnoses or treatments

Procedure:

  1. Inform individual about directory uses
  2. Explain what information will be included
  3. Inform who will have access (public vs clergy)
  4. Provide opportunity to restrict or prohibit
  5. Obtain agreement (oral is sufficient)

Example dialog:

“We maintain a patient directory so friends and family can find you. We’d include your name, room number, and general condition like ‘stable.’ Anyone calling or visiting can ask for you. We also share religious affiliation with clergy. Is this okay, or would you like to restrict anything?”

Restrictions individual can request:

  • No directory listing at all
  • Name only (no condition)
  • No disclosure to clergy
  • Disclose to specific persons only

Emergency circumstances (§164.510(a)(3)): If the opportunity to object is impracticable due to:

  • Individual’s incapacity, or
  • Emergency treatment circumstance

Provider may include in directory if:

  • Consistent with prior expressed preference (if known)
  • In individual’s best interest (professional judgment)

After emergency resolves: Inform individual and give opportunity to object

Section 164.510(b): Uses and Disclosures for Involvement in Individual’s Care

May disclose PHI to family members, relatives, friends, or other persons involved in individual’s care or payment for care.

Three scenarios:

Scenario 1: Individual Present and Has Capacity

When individual is present and has capacity to make healthcare decisions:

Option A - Obtain agreement:

  • Ask individual if okay to discuss with person present
  • Can be oral agreement
  • Document in medical record

Option B - Give opportunity to object:

  • Inform individual of intended disclosure
  • Provide opportunity to object
  • Proceed if no objection

Option C - Infer from circumstances:

  • Use professional judgment
  • Based on circumstances
  • Reasonable to infer individual doesn’t object

Examples:

  • Family member present during doctor visit (reasonable to discuss)
  • Individual introduces person as “my daughter who helps me” (implied consent)
  • Individual allows person to participate in conversation (inferred agreement)

Information scope: Only information directly relevant to person’s involvement

Directly relevant means:

  • Related to care person is assisting with
  • Necessary for person’s involvement
  • Not entire medical history

Example:

  • Can disclose medication instructions to person picking up prescription
  • Can’t disclose entire psychiatric history to person picking up prescription

Scenario 2: Individual Not Present or Opportunity Impracticable

When individual is:

  • Not present (left facility), or
  • Incapacitated (unconscious, sedated), or
  • Emergency circumstance makes opportunity impracticable

Provider may disclose if:

  • Uses professional judgment
  • Determines disclosure in individual’s best interest
  • Discloses only information directly relevant to involvement

Professional judgment considers:

  • Nature of relationship (spouse, parent, caregiver)
  • Person’s role in care
  • Individual’s known preferences
  • Circumstances requiring disclosure

Examples:

  • Unconscious patient after surgery - can inform spouse
  • Elderly patient with dementia - can discuss care with adult children
  • Patient leaves before family arrives - can provide update to family

Important: Cannot disclose to person individual specifically prohibited

Scenario 3: Disaster Relief

May disclose to public or private entities authorized to assist in disaster relief efforts.

Authorized entities:

  • Red Cross
  • Salvation Army
  • FEMA
  • Other disaster relief organizations

Purpose: Notify family about individual’s:

  • Location
  • General condition
  • Death

Requirements:

  • Same as scenario 1 if individual present
  • Professional judgment if individual not present/incapacitated
  • Consistent with prior preferences if known

Disaster circumstances:

  • Hurricane, flood, tornado
  • Mass casualty incidents
  • Terrorist attacks
  • Pandemics

Uses and Disclosures About Decedents

May disclose to family members or others involved in care before death or payment for care.

After death:

  • May disclose unless inconsistent with prior expressed preference
  • Professional judgment about what family members should know
  • Consistent with state law regarding next of kin

Uses and Disclosures Without Authorization [§164.512]

Section 164.512 permits specific uses and disclosures without any authorization or opportunity to agree/object.

§ 164.512(a): Required by Law

May use or disclose PHI to the extent required by law.

“Required by law” includes:

Legal Requirement                  | Examples
-----------------------------------|---------------------------------
Court orders                       | Subpoena with court order
Statutes                           | Mandatory child abuse reporting
Regulations                        | OSHA injury reporting
Orders of administrative tribunals | Workers’ compensation hearings

Requirements:

  • Disclose only information specifically required
  • Comply with relevant legal requirements
  • Limited to minimum necessary

Not “required by law”:

  • Voluntary disclosures
  • Subpoena without court order (requires authorization or compliance with §164.512(e))
  • Permissive reporting statutes

§ 164.512(b): Public Health Activities

May disclose PHI to public health authorities for:

(1) Disease prevention and control

To whom:

  • State/local health departments
  • CDC
  • FDA
  • Other agencies authorized to receive reports

For purposes of:

  • Preventing or controlling disease, injury, disability
  • Reporting disease, injury, vital events (births, deaths)
  • Public health surveillance, investigations, interventions

Examples:

  • Reportable disease notifications (HIV, TB, measles)
  • Immunization registries
  • Cancer registries
  • Birth and death certificates

(2) Child abuse or neglect reporting

To whom:

  • Public health authority
  • Social services agency
  • Other authority authorized to receive reports

Mandatory reporting:

  • Known or suspected child abuse
  • As required by state law
  • Even if not specifically required by particular statute

(3) FDA-regulated entities

For FDA-regulated products:

  • Adverse events and product defects
  • Post-marketing surveillance
  • Product recalls
  • Tracking

Applies to:

  • Drugs
  • Biologics
  • Medical devices
  • Food
  • Tobacco products

(4) Workplace medical surveillance

To employers about employees:

  • Work-related illness or injury
  • Workplace medical surveillance
  • Medical suitability for work

Requirements:

  • Authorized by law (e.g., OSHA)
  • Employer needs information
  • Employee receives notice

Examples:

  • OSHA injury reports
  • Workers’ compensation
  • Fitness for duty evaluations

(5) Communicable disease exposure

To persons at risk of contracting or spreading communicable disease:

  • When authorized by law
  • To notify contacts
  • Prevent further transmission

Examples:

  • TB contact tracing
  • HIV partner notification
  • STD partner notification

(6) School immunization proof

To schools: proof of immunization required for enrollment.

§ 164.512(c): Victims of Abuse, Neglect, or Domestic Violence

May disclose PHI about individuals reasonably believed to be victims of:

  • Abuse
  • Neglect
  • Domestic violence

To government authorities (including social services, protective services).

Three circumstances:

(1) Required by law

Disclosure required by state/federal law (e.g., mandatory elder abuse reporting).

(2) Individual agrees

Individual agrees to disclosure (can be oral).

(3) Authorized by law + necessary to prevent serious harm

When disclosure is:

  • Expressly authorized by statute
  • AND necessary to prevent serious harm to individual or others
  • AND (individual incapacitated OR law enforcement/authority represents disclosure needed and won’t be used against individual)

Notification to victim:

  • Promptly inform individual that disclosure made
  • Unless would place individual at risk or informing not feasible

§ 164.512(d): Health Oversight Activities

May disclose to health oversight agencies for oversight activities authorized by law.

Health oversight agencies:

  • HHS Office for Civil Rights
  • State licensing boards
  • Medicare/Medicaid administrators
  • Quality assurance organizations

Oversight activities include:

Activity                     | Purpose
-----------------------------|-------------------------------
Audits                       | Compliance with regulations
Civil/criminal investigations| Fraud, waste, abuse
Inspections                  | Facility inspections
Licensure/accreditation      | Provider credentials
Discipline                   | License revocation, sanctions
Civil/criminal proceedings   | Enforcement actions

Examples:

  • OCR HIPAA compliance investigation
  • State medical board investigation of physician
  • CMS Medicare audit
  • Joint Commission accreditation survey

Not health oversight: Law enforcement investigating individual crimes (use §164.512(f) instead).

§ 164.512(e): Judicial and Administrative Proceedings

May disclose PHI in response to:

  • Court order
  • Subpoena, discovery request, or other lawful process

Three pathways:

(1) Order of court or administrative tribunal

If court or administrative tribunal orders disclosure:

  • May disclose PHI specified in order
  • No further requirements

(2) Subpoena with satisfactory assurances

If subpoena, discovery request, or other lawful process:

Must have satisfactory assurances:

  • Reasonable efforts to provide notice to individual, OR
  • Reasonable efforts to secure qualified protective order

Notice to individual allows:

  • Individual to object
  • Individual to seek protective order

Qualified protective order:

  • Prohibits use/disclosure for non-litigation purposes
  • Requires return or destruction after litigation

(3) Subpoena after verified notice

  • Covered entity provides notice to individual
  • Individual has chance to object
  • No timely objection received

Only minimum necessary information should be disclosed.

§ 164.512(f): Law Enforcement Purposes

May disclose to law enforcement in six situations:

(1) As required by law

Court orders, court-ordered warrants, subpoenas, summons:

  • Must comply with specific requirements
  • Only information expressly authorized
  • Administrative requests must include statement of specific information needed and compliance with relevant laws

(2) Limited information to locate/identify

To identify or locate suspect, fugitive, material witness, missing person:

May disclose ONLY:

  • Name and address
  • Date and place of birth
  • Social Security Number
  • ABO blood type and Rh factor
  • Type of injury
  • Date and time of treatment
  • Date and time of death (if applicable)
  • Description of distinguishing physical characteristics

May NOT disclose:

  • DNA information
  • Dental records
  • Body fluid/tissue typing
  • Detailed medical information

(3) Crime victim information

PHI about individual who is crime victim:

  • If individual incapacitated or emergency AND law enforcement represents information needed to determine if law violated by someone other than victim
  • If individual agrees
  • Necessary for immediate law enforcement activity

(4) Suspicious death

When individual dies and death may have resulted from criminal conduct.

(5) Crime on premises

About individual when evidence that crime occurred on covered entity’s premises.

(6) Medical emergency off-site

In medical emergency off premises: may report if crime likely involved.

Minimum necessary applies to all law enforcement disclosures.

§ 164.512(g): About Decedents

(1) Coroners and medical examiners

To coroners or medical examiners for:

  • Identifying deceased
  • Determining cause of death
  • Fulfilling other duties authorized by law

(2) Funeral directors

To funeral directors as necessary for:

  • Carrying out their duties
  • Prior to and in reasonable anticipation of death

Timing: Disclosure to funeral directors may be made prior to, and in reasonable anticipation of, death.

§ 164.512(h): Organ, Eye, or Tissue Donation

To organ procurement organizations or others for:

  • Facilitating organ, eye, or tissue donation and transplantation

May disclose PHI to:

  • Organ procurement organizations
  • Eye banks
  • Tissue banks

§ 164.512(i): Research

May use or disclose for research without authorization if:

Waiver of authorization granted by IRB or Privacy Board

When Institutional Review Board or Privacy Board has:

  • Documented approval of waiver
  • Determined research involves no more than minimal risk
  • Waiver will not adversely affect privacy rights
  • Research could not practicably be conducted without waiver
  • Research could not practicably be conducted without access to PHI

Reviews preparatory to research

For reviews preparatory to research:

  • Researcher represents PHI necessary for research preparation
  • PHI will not be removed from facility
  • PHI necessary for research purposes

Research on decedents’ information

After death:

  • Researcher represents use solely for research on decedents
  • PHI necessary for research
  • Documentation of death

§ 164.512(j): Serious Threat to Health or Safety

May use or disclose if:

  • Good faith belief disclosure necessary to prevent or lessen serious and imminent threat to health/safety of person or public
  • To person(s) reasonably able to prevent or lessen threat
  • To law enforcement to identify or apprehend individual who admitted participation in violent crime or escaped from institution

High threshold:

  • Serious threat (not minor concerns)
  • Imminent threat (not speculative future risk)
  • Good faith belief (reasonable basis)

Examples:

  • Patient makes credible threat to kill specific person
  • Patient with communicable disease intends to expose others
  • Escaped mental health patient poses danger

§ 164.512(k): Specialized Government Functions

(1) Military and veterans

To military authorities regarding armed forces personnel.

(2) National security and intelligence

To authorized federal officials for:

  • Intelligence activities
  • Protective services for President and others
  • National security purposes

(3) Correctional institutions

To correctional institutions or law enforcement regarding inmates.

(4) Government programs

For government benefits determinations.

§ 164.512(l): Workers’ Compensation

To comply with workers’ compensation or similar programs providing benefits for work-related injuries or illness.

No authorization required for:

  • Workers’ comp claims
  • Disability determinations
  • Occupational health programs

Practical Compliance

For § 164.510 (Opportunity to Agree/Object)

Facility directories:

  • Develop standard information script
  • Train admissions staff
  • Document patient preferences
  • Honor restrictions
  • Review preferences if circumstances change

Family/friend involvement:

  • Ask patient about persons to involve
  • Document authorized persons
  • Respect prohibitions
  • Use professional judgment in emergencies
  • Limit to relevant information

For § 164.512 (No Authorization Required)

Required by law:

  • Verify legal requirement
  • Disclose only what’s required
  • Document legal basis
  • Keep copy of legal process

Public health:

  • Know mandatory reporting laws
  • Establish reporting procedures
  • Train staff on requirements
  • Document reports made

Law enforcement:

  • Verify which subsection applies
  • Follow specific requirements
  • Disclose only permitted information
  • Document basis for disclosure
  • Apply minimum necessary

Research:

  • Obtain IRB/Privacy Board documentation
  • Verify waiver criteria met
  • Track disclosures
  • Follow research protocols

Common Mistakes

Assuming family can always access info:

  • Must follow §164.510 procedures
  • Give patient opportunity to object
  • Respect patient prohibitions

Disclosing too much to law enforcement:

  • Follow specific limitations in §164.512(f)
  • Only information permitted for that subsection
  • Don’t disclose entire medical record

Confusing “permitted” with “required”:

  • Subpoena without court order ≠ “required by law”
  • Must follow §164.512(e) process

Not applying minimum necessary:

  • Even permitted disclosures should be limited
  • Disclose only what’s needed for purpose

Sources

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.