Many people don’t realize that the Health Insurance Portability and Accountability Act (HIPAA) actually enables information sharing. HIPAA (specifically the HIPAA Privacy Rule) defines the circumstances in which a Covered Entity (CE) may use or disclose an individual’s Protected Health Information (PHI). HIPAA provides many pathways for permissibly exchanging PHI, which are commonly referred to as HIPAA Permitted Uses and Disclosures.
Permitted Uses and Disclosures are situations in which a CE, is permitted, but not required, to use and disclose PHI, without first having to obtain a written authorization from the patient. The circumstances for which this information may be shared, must meet specific criteria and the minimum necessary rule applies. Instances when a patient’s authorization is not required are listed in the provider’s HIPAA Notice of Privacy Practices.
In general, a CE may only use or disclose PHI if either (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information provides a written authorization. The first type of scenarios are referred to as “Permitted Uses.”
Click on the links below to learn more about types of Permitted Uses: Health Care Operations and Treatment.
- HIPAA Permitted Uses and Disclosures: Exchange for Health Care Operation [PDF - 673 KB] | Versión en Español
- HIPAA Permitted Uses and Disclosures: Exchange for Health Oversight Activities [PDF - 750 KB] | Versión en Español
- HIPAA Permitted Uses and Disclosures: Exchange for Treatment [PDF - 732 KB] | Versión en Español
- HIPAA Permitted Uses and Disclosures: Exchange for Public Health Activities [PDF - 921 KB]