Is your sensitive data at risk? Request a free scan to learn more.


Download free DLP for AI whitepaper


  • Healthcare organizations are often confused by the HIPAA privacy rule, which allows a covered entity to use or disclose a patient’s protected health information (PHI) without prior written authorization in certain circumstances. 
  • These circumstances include sharing a patient’s PHI as necessary to enable treatment, facilitate payment, and protect the public good in limited cases. 
  • It’s important to ensure that only the correct recipient receives and sees a patient’s PHI. 

HIPAA has strict rules governing patient data storage and sharing. However in limited circumstances, the HIPAA Privacy Rule allows a covered entity to use or disclose a patient’s Protected Health Information (PHI) without prior written authorization. 

Infographic showing the importance of securing patient health data.

First in our series of HIPAA in-depth blog posts, this piece looks at circumstances under which you don’t require a patient’s permission to use or share their personal data and most importantly, how to do so while remaining HIPAA compliant

Read on to learn about each of these exceptions.

1. Treatment purposes 

You may share a patient’s PHI as necessary to enable treatment. 

Treatment comprises managing or coordinating healthcare and related services by one or more healthcare providers. It also involves consultation between providers and the patient’s referral for treatment. 

For instance, if your patient is referred to another physician, you may share the patient’s personal data with the new physician to ensure that he/she has the necessary info to diagnose/treat the patient. 

You can also disclose a patient’s PHI to health care providers outside your facility who may be involved in the patient’s care.

For instance, if the patient stays in a nursing facility, it may be necessary to disclose the medication prescribed to him/her for proper administration by the facility.

2. Payment purposes

You can share PHI as necessary to enable or facilitate payment.

It may be necessary to share your patient’s personal data to collect payment for treatment and services from his/her insurer or other third-party payers.

Bills requesting payment typically include info that identifies the patient, his/her diagnosis, and supplies or procedures used.

You can also share PCI without the patient’s authorization to obtain prior services from the person’s health insurer.

In addition, it may be necessary to release your patient’s PHI to another healthcare provider or covered entity for payment of their activities.

3. Public health activities

You can share a patient’s PHI for the public good under the following circumstances:

        i.            Collection of information by public health agencies

You may disclose your patient’s personal data to a public health authority legally allowed to receive such info to prevent or control disease, disability, or injury.

The shared information may be used to report disease, injury, or imminent events. It can also be used for public health investigations, surveillance, and intervention.

You can also share your patient’s PHI with a foreign agency partnering with the public health authority.

      ii.            Child abuse or neglect

You may share your patient’s PHI with a government authority legally authorized to receive child abuse and neglect reports.

    iii.            Food and Drug Administration (FDA)

You may disclose a patient’s personal data to an organization mandated by the FDA to report adverse events, biological product deviations, and product defects.

You can also share the data for trading products, enabling recalls, making repairs, and post-marketing surveillance.

     iv.            Communicable diseases

You may release a patient’s PHI if legally authorized, to a person exposed to a communicable disease or is at risk of contracting or spreading a condition or disease.

       v.            Workplace injuries

You may share a patient’s personal info, if legally authorized, in some circumstances regarding the reporting of workplace injuries.

Other scenarios which allow use and disclosure of your patient’s data without authorization include:

  • Disclosure made in compliance with the law.
  • Disclosure consistent with state and federal law requirements to the appropriate government entity if your patient is a victim of abuse, domestic violence, or neglect.
  • Disclosure to health oversight agencies as per the law for inspections, investigations, and audits.
  • Disclosure to comply with a court order, discovery request, or in certain conditions like a response to a subpoena.
  • Disclosure for law enforcement purposes including:
    • Disclosures in response to a legal procedure.
    • Disclosures to identify a suspect, his/her location, material witness, or a missing person.
    • Disclosures in case of a death occurring due to crime.
  • Disclosure for purposes of determining the cause of death.
  • Disclosure to facilitate organ, tissue, or eye transplant/donation.
  • Disclosure for research purposes.
  • Disclosure to prevent or lessen a serious threat to the patient or the public.
  • Disclosure following government functions including personal data for army personnel killed in military missions.

Secure patient data with Polymer DLP

While you can share your patient’s personal data without authorization, you want to ensure that only the correct recipient receives and sees the information. 

That’s why you need Polymer Data Governance and data loss prevention (DLP) tool to help share your patient’s personal information without leaking the data to the wrong third parties.

The tool has an intuitive wizard and dashboard to enable you to customize and manage HIPAA policies at the click of a button.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.


Get Polymer blog posts delivered to your inbox.