A Quick Guide to PHI Disclosure

Meeba Gracy

Nov 17, 2023

If you work in a healthcare-related field, you’re familiar with safeguarding patient privacy under HIPAA.

But let’s face it—putting those concepts into action can be overwhelming, especially when new challenges arise while identifying protected health information (PHI) and understanding covered entities.

Staying up-to-date with evolving regulations and technology is a challenging task. Fear not, though! In this post, we’ll be your go-to guide, helping you navigate the entire lifecycle of PHI, from its creation to its eventual deletion.

So, let’s dive in.

What is PHI Disclosure?

PHI is an acronym for Protected Health Information: personal health information that receives federal protection under the HIPAA Privacy Rule. The rule requires covered entities to safeguard PHI and grants patients various rights over their health information.

A disclosure of PHI is the act of sharing or transmitting that information to an individual or organization outside the covered entity. It also occurs when PHI passes from a healthcare component to a non-healthcare component within a hybrid entity.

18 PHI Identifiers

PHI also covers information about healthcare administration and any payments associated with it. Test results, patient demographics, and insurance details are all examples of what falls under this category.

To understand more, here are the 18 PHI identifiers:

  • Name
  • Dates (except year)
  • Telephone numbers
  • Geographic data for subdivisions smaller than a state
      • Street addresses, city, county, precinct, and zip code
      • The first three digits of a zip code with over 20,000 people are not PHI
      • If a county has under 20,000 people, the first three digits are changed to 000
  • Fax numbers 
  • SSN
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers such as license plates
  • Web URLs
  • Device identifiers and serial numbers
  • IP Addresses
  • Full face photos
  • Biometric identifiers (e.g., fingerprints or retina scans)
  • Any unique identifier or code
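The zip code and date rules in the list above are mechanical enough to automate. The following is an added example, not code from the original post: it drops the listed direct identifiers from a record, keeps only the year of any date, and truncates zip codes to three digits or 000 using the 20,000-person threshold. The population figures, field names, and sample record are all constructed for illustration.

```python
import re
from datetime import date

# Constructed population figures per three-digit zip prefix (assumption);
# real work would use current Census data for these areas.
POPULATION_BY_ZIP3 = {
    "100": 1_500_000,   # assumed populous prefix
    "036": 15_000,      # assumed sparsely populated prefix
}

# Record keys that map to identifiers listed in the post (constructed names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "ssn", "email", "mrn", "account_number",
    "beneficiary_number", "license_number", "vehicle_id", "url",
    "device_serial", "ip_address", "photo", "biometric",
    "street", "city", "county", "precinct",
}

def deidentify_zip(zip_code, population_by_zip3=POPULATION_BY_ZIP3):
    """Reduce a 5- or 9-digit zip code to its first three digits, or to 000
    when the area those digits cover has 20,000 people or fewer. Unknown
    prefixes are treated conservatively as 000 (an assumption, not from the post)."""
    m = re.fullmatch(r"(\d{3})\d{2}(?:-?\d{4})?", zip_code.strip())
    if not m:
        raise ValueError(f"not a US zip code: {zip_code!r}")
    prefix = m.group(1)
    return prefix if population_by_zip3.get(prefix, 0) > 20_000 else "000"

def deidentify_date(value):
    """Keep only the year of an ISO date ('Dates (except year)' in the list)."""
    return str(date.fromisoformat(value).year)

def deidentify_record(record, population_by_zip3=POPULATION_BY_ZIP3):
    """Return a copy of a record with direct identifiers removed,
    dates reduced to the year, and the zip code truncated."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the field outright
        if key.endswith("_date"):
            out[key] = deidentify_date(value)
        elif key == "zip":
            out[key] = deidentify_zip(value, population_by_zip3)
        else:
            out[key] = value  # state and clinical codes are not in the list
    return out

# Constructed sample record for demonstration.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-12345", "city": "Anytown",
          "zip": "10001-1234", "admit_date": "2023-11-17",
          "diagnosis_code": "J18.9", "state": "NY"}
```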

Why is PHI disclosure crucial for Covered Entities and Organizations?

PHI disclosure is crucial for covered entities and organizations because it aligns with maintaining patient privacy. Think about it. When you visit a healthcare provider, you trust them with your details, medical history, and test results. You expect that information to be kept confidential, and covered entities and organizations are responsible for upholding this trust.

Imagine a scenario where unauthorized individuals accessed your medical records. Your sensitive data could be exposed to prying eyes, jeopardizing your privacy and potentially leading to identity theft or other harmful consequences. It’s clear that ensuring the security of PHI is not just a legal obligation but a fundamental duty to safeguard the well-being and trust of patients.

Let’s not forget the financial aspect too. Covered entities and organizations handle billing, insurance claims, and payments related to healthcare services. 

These financial transactions involve sensitive information, such as insurance and payment records. Without proper safeguards, unauthorized access or tampering could lead to fraudulent activities, financial losses, and legal implications.

What is permitted under the disclosure of PHI?

Here are some instances where the Privacy Rule allows for the disclosure of protected health information (PHI) without an individual’s authorization or permission:

When required by law

Covered entities are permitted to use and disclose PHI without individual authorization if it is mandated by law. This includes situations where specific statutes, regulations, or court orders are in place.

When needed for public health activities

Covered entities can disclose PHI to authorized public health authorities who collect or receive such information for activities related to disease prevention, injury control, or disability management. Additionally, disclosures may be made to government authorities responsible for receiving reports of child abuse and neglect.

When it involves employees and work-related health

Employers can request PHI from covered entities about their employees if it pertains to a work-related illness or injury or to workplace medical surveillance. Employers need this to comply with regulations from agencies such as the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state bodies.

While reporting abuse, neglect, or domestic violence

In certain situations, covered entities can disclose PHI to appropriate government authorities concerning abuse, neglect, or domestic violence victims.

For health oversight activities

Covered entities can disclose PHI to health oversight agencies for legally authorized activities for overseeing the healthcare system and government benefit programs. This includes audits and investigations.

For judicial and administrative proceedings

In judicial or administrative proceedings, covered entities may disclose PHI if there is a court order, administrative tribunal request, subpoena, or other lawful process. However, certain assurances may be required, such as notice to the individual or a protective order.

For purposes of law enforcement

Covered entities can disclose PHI to law enforcement officials for specific law enforcement purposes under the following circumstances:

  • When required by law, including court orders, court-ordered warrants, subpoenas, and administrative requests.
  • To identify or locate a suspect, fugitive, material witness, or missing person.
  • To respond to a law enforcement official’s request for information about a crime victim or suspected victim.
  • To notify law enforcement of a death when criminal activity is suspected as the cause.
  • When the covered entity believes that PHI is evidence of a crime that occurred on its premises.
  • By a covered healthcare provider responding to a medical emergency outside its premises, to inform law enforcement about the crime, its nature and location, its victims, and the perpetrator.

In circumstances involving deceased individuals

Covered entities can disclose PHI to funeral directors as necessary. PHI may be disclosed to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other authorized functions per the law.

During cadaveric, organ, eye, or tissue donation

Covered entities can use or disclose PHI to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.

For research

Research refers to systematic investigations aimed at developing or contributing to generalizable knowledge. The Privacy Rule permits covered entities to use and disclose PHI for research purposes without an individual’s authorization under certain conditions:

  • The covered entity must obtain Institutional Review Board or Privacy Board approval documentation for altering or waiving individuals’ authorization.
  • Alternatively, the researcher can provide representations that the use or disclosure of PHI is solely for preparing a research protocol or similar preparatory purposes, without removing any PHI from the covered entity, and that the requested access to PHI is necessary for the research.
  • Suppose the research involves deceased individuals’ PHI. In that case, the researcher can provide representations that the use or disclosure is solely for research purposes, the PHI sought is necessary for the research, and, upon the covered entity’s request, provide documentation of the individuals’ death.

When it involves a serious threat to health or safety

Covered entities can disclose PHI if they believe it’s necessary to prevent or reduce a serious and immediate threat to someone’s health or safety or the public. 

Also, disclosure can be made to individuals who can help prevent or mitigate the threat, even if the person facing the threat is included in the disclosure. In cases where the information is needed to identify or apprehend an escapee or violent criminal, disclosure to law enforcement is also allowed.

For essential government functions

Some government functions do not require authorization to use or disclose PHI. These functions include:

  • Ensuring the proper execution of military missions.
  • Conducting intelligence and national security activities as authorized by law.
  • Providing protective services to the President.
  • Making medical suitability determinations for U.S. State Department employees.
  • Safeguarding the health and safety of inmates or employees in correctional institutions.
  • Determining eligibility for certain government benefit programs and facilitating enrollment.

For workers’ compensation purposes

Covered entities can disclose PHI as authorized and compliant with workers’ compensation laws and similar programs. This allows for the necessary disclosure of PHI to fulfill the requirements of these programs, which provide benefits for work-related injuries or illnesses.

What are the requirements for PHI disclosure?

Under the HIPAA Privacy Rule, a covered entity must make PHI disclosures in just two specific situations. Let’s break it down:

Individual requests

A covered entity must disclose PHI to individuals (or their representatives) when they specifically request access to their PHI or want an accounting of disclosures made with their information. It’s all about allowing individuals to manage and understand how their health information is handled.

Department of Health and Human Services (HHS) Involvement

The second situation where PHI must be disclosed is when the Department of Health and Human Services (HHS) conducts a compliance investigation, review, or enforcement action. This helps ensure that proper oversight and enforcement are in place to protect the privacy of health information.

What is the difference between use and disclosure of PHI?

The key distinction is that “use” happens within the HIPAA-covered parts of an entity, while “disclosure” involves releasing information to entities or individuals outside of those covered parts. 

To break it down more clearly:

Use of PHI: Think of “use” as the way PHI is shared or utilized within the different parts of an entity that are covered under HIPAA. It’s like passing the information around within the family. The focus is on how the entity itself uses the PHI internally to carry out its healthcare-related activities.

Disclosure of PHI: “Disclosure” is when PHI goes beyond the entity’s covered parts and is released to someone or something outside of that bubble. It’s like sharing family secrets with outsiders. The important thing here is that the information is being shared with entities or individuals who are not part of the HIPAA-covered parts of the organization.

What is not required for the disclosure of PHI?

Let’s break down the rules around using and disclosing patient data in a conversational and jargon-free way. Remember, organizations have strict guidelines to follow to protect patient privacy. Here’s the lowdown:

Selling patient data

Selling patient data is a big no-no unless it meets a specific requirement (§164.508(a)(4)). Selling means disclosing protected health information (PHI) where the covered entity or business associate receives compensation directly or indirectly from the recipient.

But hold on; there are exceptions to this rule. Selling PHI doesn’t include disclosure in the following situations:

  • Public health purposes
  • Research purposes (with reasonable compensation that covers PHI preparation and transmission costs)
  • Treatment and payment purposes
  • Sale, transfer, merger, or consolidation of a covered entity (or part of it)
  • Business associates providing services on behalf of a covered entity
  • Disclosures to individuals
  • Disclosures required by law

Genetic information and underwriting

Using or disclosing genetic information for underwriting purposes (related to health plans) is generally not allowed. However, there are exceptions when this information can be used to determine:

  • Changes in benefits, coverage, or deductibles (like completing a health risk assessment to adjust deductibles)
  • Premium or contribution amounts (such as offering discounts for participating in a wellness program)
  • Application of pre-existing condition exclusions
  • Other activities tied to creating, renewing, or replacing health insurance or benefits

These rules protect patient privacy and ensure patient data is not misused or disclosed without proper authorization. It’s all about maintaining confidentiality and following the guidelines to respect patients’ rights and well-being.

Ready to protect your PHI?

Overall, PHI disclosure involves communicating PHI to individuals or entities outside the covered entity. It is crucial to handle PHI with the utmost care to protect sensitive data and maintain trust in your organization.

Trying to keep up with HIPAA compliance while growing your business can feel like a juggling act. It’s not easy, right? Don’t worry! Sprinto is here to help.

We’ve got the perfect solution to get you on the right track. With our automated HIPAA system, we take care of all those compliance tasks that can weigh you down. Our system does everything from risk assessments to evaluating your compliance status. It’s like having a personal assistant dedicated to keeping your business HIPAA-compliant.

Our system is smart. It flags potential issues impacting your compliance goals, ensuring you stay on top. Plus, we provide training solutions to help you and your team learn the ropes and avoid making the same mistakes again.

Drop us a line to know more!


What is the best way to share PHI?

The best way to share PHI is to send users a secure link to access it rather than the data itself. The link directs them to a protected environment over a secure connection, which offers stronger data protection.

What is an example of PHI?

The address is an example of PHI as it includes specific details beyond the state, such as a street address, city, county, precinct, and typically zip code, along with their corresponding geocodes.

How do you communicate with PHI?

To securely communicate PHI to users, transmit it as a password-protected or encrypted attachment. Also, avoid including patient names, identifiers, or other specific details in the subject heading of the communication. Instead, incorporate a confidentiality banner such as “This is confidential medical communication.”

Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
