§164.502 critical Severity HIPAA US Federal

HIPAA Privacy Rule — Permitted Uses and Disclosures

Enforced by: HHS OCR (US)
Current as of March 26, 2013
Plain Language Summary
PHI can only be used for treatment, payment, healthcare operations, or with valid patient authorization.

A covered entity may not use or disclose protected health information, except as permitted or required by this subpart. A covered entity is permitted to use or disclose protected health information for treatment, payment, or health care operations as permitted by and in compliance with §164.506, or pursuant to a valid authorization under §164.508.

Related Enforcement Cases

Advocate Aurora Health — Tracking Pixel HIPAA Settlement ($3M) $3.0M
Banner Health — Network Segmentation Failure HIPAA Settlement ($1.25M) $1.25M