A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
- Treatment, payment, and healthcare operations
- Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)
- Incident to an otherwise permitted use and disclosure
- Public interest and benefit activities—The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes
- When required by law
- Public health activities
- Victims of abuse or neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Functions (such as identification) concerning deceased persons
- Cadaveric organ, eye, or tissue donation
- Research, under certain conditions
- To prevent or lessen a serious threat to health or safety
- Essential government functions
- Workers compensation
- Limited dataset for research, public health, or healthcare operations
Source: http://www.cdc.gov/phlp/publications/topic/hipaa.html