HIPAA Glossary

Disclosure

The release, transfer, provision of access to, or divulging of information outside the entity holding the information.

Understanding Disclosure Under HIPAA

In HIPAA terminology, disclosure refers specifically to the sharing of protected health information (PHI) outside of the entity that holds it. This is distinct from "use," which refers to the sharing, examination, or analysis of PHI within the entity. The distinction matters because different rules may apply to uses versus disclosures. Disclosures can occur in many forms: sending patient records to another provider, sharing billing information with an insurer, providing data to a business associate, responding to a legal request, or even verbally sharing patient information with someone outside the organization.

Permitted and Required Disclosures

The Privacy Rule establishes when disclosures are permitted, required, or prohibited. Covered entities are required to disclose PHI in only two situations: when an individual requests access to their own records and when HHS is conducting a compliance investigation or enforcement action. Permitted disclosures include those for treatment, payment, and health care operations (TPO), those authorized by the individual, and those allowed under specific public interest exceptions such as public health reporting, law enforcement purposes, judicial proceedings, and organ donation. All other disclosures are prohibited unless the individual provides written authorization.

Tracking and Accountability

HIPAA requires covered entities to track certain disclosures and provide an accounting of disclosures to individuals upon request. The accounting must cover disclosures made during the six years prior to the request, though it excludes disclosures made for treatment, payment, and health care operations; disclosures authorized by the individual; and several other categories. Organizations must maintain systems capable of tracking who received PHI, when, what was disclosed, and for what purpose. The Minimum Necessary Standard applies to most disclosures, requiring organizations to share only the minimum amount of PHI needed to achieve the disclosure's purpose.
