This is a tough question to answer in a simple way. The answer depends in part on your perspective. If you thought that your health records would never be disclosed without your consent, then you won’t think much of the HIPAA use and disclosure provisions.

Another answer is that HIPAA regulates all uses and disclosures. If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent. By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.

The Center for Law, Ethics, and Applied Research in Health Information at Indiana University has a map that shows the flow of information within the health care system. The system of information flows is so complex that the map is hard to understand, but that’s the point. Have a look for yourself. There is another map maintained by Harvard Professor Latanya Sweeney. Both of these maps are works in progress.

A third answer is that HIPAA allows many uses and disclosures to occur without any need for your approval. Typically, these are disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements. In most cases, these disclosures are reasonable and expected.

It is genuinely difficult to count the number of categories of permissible uses and disclosures. Much depends on how you do the counting. Tens of thousands of government and private institutions can ask for and receive health records without your permission. A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection.

A fourth answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure in any major way. Instead, HIPAA established universal standards and procedures for covered entities. These standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century. Most health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn’t true. HIPAA made everyone pay attention to and learn about privacy, often for the first time.

The biggest drivers for the sharing of medical records are:

• Growth of third-party insurance (including Medicare)

• Pressures for increased controls on the cost of health care

• Development of quality controls for medical practice

• Growth of health care fraud and fraud investigations

• Increase in public health activities

• Expansion of records-based health research

• Electronic health records and electronic health networks such as Health Information Exchanges (HIE). For more about HIEs, see WPF’s HIE resources.

All of these activities and others contributed to the demand for access to individually identifiable medical records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule’s policies as anti-privacy. Disclosure often serves another significant but competing goal. Protecting privacy is only one objective in the health care system. We don’t know how the Affordable Care Act (Obamacare) will affect the flow of health information, but we confidently predict that the flow will not diminish.


