OCR Clarifies Permitted Uses and Disclosures of PHI

by | Mar 1, 2016

The Office for Civil Rights encourages suggestions from HIPAA-covered bodies about aspects of HIPAA that are unclear or need further clarification. Some of the inquiries submitted via the OCR website indicate some covered bodies are struggling to comprehend the Health Insurance Portability and Accountably Act Rules covering the sharing of Protected Health Information (PHI).

HIPAA allows the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be utilized to help patients receive medical treatment, as well as for the evaluation of care provided to patients. It is necessary to use PHI to optimize care between different healthcare providers, and PHI is required for billing purposes. Patients must also be permitted access to their health information so they can take a more active role in their own healthcare. HIPAA permits patient health data to be shared for all of these reasons once PHI is secured at all times. However, a number of restrictions are in place.

Even though the HIPAA Privacy and Security Rules have been in operation for many years, and the Health Insurance Portability and Accountability Act was passed into law two decades ago, some covered bodies are still uncertain about when PHI can be shared, for what purposes, and about the individuals and organizations that have permission to access to health data.

The U.S. Department of Health and Human Services’ Office for Civil Rights and Office of the National Coordinator for Health IT (ONC) have been working on and developing a number of new fact sheets to clear up confusion in relation to HIPAA.

This month, two fact sheets have been released which explain some of the permitted uses and disclosures under HIPAA, including when PHI can be shared by covered bodies without authorization from patients being obtained.

The first fact sheet provides further background on some of the allowable uses of PHI for healthcare operations, including when covered bodies are allowed to share patient health information with other healthcare organizations and business partners. The definition of “healthcare operations” under HIPAA is outlined and the fact sheet provides some useful hypothetical case studies of when patient data can and cannot be shared.

The second fact sheet covers the permitted uses and disclosures in relation to the provision of treatment to patients, and explains when it is possible to share PHI with healthcare providers to co-ordinate patient care.

The fact sheets can be obtained via download from the Office for Civil Rights on the following links

Permitted Uses and Disclosures: Exchange for Treatment

Permitted Uses and Disclosures for Health Care Operations

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy