The sharing, employment, application, utilization, examination, or analysis of protected health information within an entity that maintains it.
In HIPAA terminology, "use" refers to activities involving protected health information that occur within the boundaries of the entity that maintains it. This is a critical distinction from "disclosure," which involves sharing PHI outside the entity. Use encompasses a broad range of internal activities: a nurse reviewing a patient chart to provide care, a billing department accessing records for claims processing, a quality team analyzing patient outcomes, or an IT administrator accessing a database for system maintenance. All of these are "uses" of PHI because the information stays within the organization.
Not all uses of PHI are permitted under HIPAA. Covered entities may use PHI for treatment, payment, and health care operations without individual authorization. Other uses generally require the individual's written authorization unless they fall under one of the specific exceptions outlined in the Privacy Rule. Unauthorized uses of PHI, such as an employee accessing a celebrity's medical records out of curiosity or a manager reviewing an employee's health records for employment decisions, violate HIPAA regardless of whether the information is shared externally. Organizations must implement role-based access controls and audit systems to detect and prevent unauthorized uses within their own operations.
The Minimum Necessary Standard applies to most internal uses of PHI. Organizations must identify the workforce members or classes of employees who need access to PHI to perform their duties and limit their access to only the categories of PHI required for their specific job functions. For example, a billing specialist should not have access to clinical notes if their role only requires demographic and insurance information. The only exception to the Minimum Necessary Standard for uses is treatment, where providers need access to complete patient information to deliver safe care. Organizations should implement role-based access controls in their information systems that enforce these limitations automatically, supplemented by policies, training, and regular access audits.
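A sketch of how an information system might enforce these limits and support the access audits described above. This is an added example, not part of the original entry; the role names, field names, category mapping, and care-team lookup are all assumptions made for illustration.

```python
# Constructed policy data; field names, roles and categories are assumptions.
FIELD_CATEGORY = {
    "patient_id": "demographic", "name": "demographic", "dob": "demographic",
    "insurance_id": "insurance", "payer": "insurance",
    "clinical_notes": "clinical", "diagnosis": "clinical",
}
ROLE_POLICY = {
    "billing_specialist": {"purposes": {"payment"}, "categories": {"demographic", "insurance"}},
    "quality_analyst": {"purposes": {"operations"}, "categories": {"demographic", "clinical"}},
    "nurse": {"purposes": {"treatment"}, "categories": set()},
}

def use_phi(user, role, purpose, record, audit_log):
    """Return the view of `record` this role may use, and log the attempt."""
    policy = ROLE_POLICY.get(role)
    if policy is None or purpose not in policy["purposes"]:
        view, allowed = {}, False              # unknown role or purpose: deny
    elif purpose == "treatment":
        view, allowed = dict(record), True     # treatment exception: full record
    else:
        # Minimum necessary: keep only fields in the role's categories.
        # Fields with no category mapping are withheld (default deny).
        view = {k: v for k, v in record.items()
                if FIELD_CATEGORY.get(k) in policy["categories"]}
        allowed = True
    audit_log.append({
        "user": user, "role": role, "purpose": purpose,
        "patient_id": record["patient_id"], "allowed": allowed,
        "withheld": sorted(set(record) - set(view)),
    })
    return view

def flag_for_review(audit_log, care_teams):
    """Audit pass: denied attempts, plus treatment uses by a user who is
    not on the patient's care team (the 'curiosity' access pattern)."""
    flagged = []
    for e in audit_log:
        off_team = (e["purpose"] == "treatment"
                    and e["user"] not in care_teams.get(e["patient_id"], set()))
        if not e["allowed"] or off_team:
            flagged.append((e["user"], e["patient_id"]))
    return flagged

# Constructed sample record and care-team assignment.
RECORD = {"patient_id": "P-001", "name": "Sample Patient", "dob": "1980-01-01",
          "insurance_id": "INS-42", "payer": "Example Payer",
          "clinical_notes": "constructed note", "diagnosis": "constructed dx"}
CARE_TEAMS = {"P-001": {"nurse_a"}}
```

Every attempt is logged whether or not it is allowed, so the audit pass can review internal uses that the access rules alone would not stop, such as a treatment-purpose access by a clinician with no care relationship to the patient.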
Release of information outside the holding entity
Requirement to limit PHI use to the minimum needed
Individually identifiable health information
Permitted uses that do not require authorization