A covered entity may disclose protected health information (PHI) without a patient's written permission for:

A covered entity can disclose protected health information (PHI) without a patient's written permission for several specific purposes, and all of these fit within the framework established by the Health Insurance Portability and Accountability Act (HIPAA).

In the context of treatment, covered entities are permitted to share PHI to facilitate the medical care of patients. This includes interactions among healthcare professionals who are involved in the patient’s healthcare, ensuring they have the necessary information to provide appropriate services.

For payment, healthcare providers may also disclose PHI to obtain reimbursement for the services provided. This encompasses interactions with insurance companies and other payers to secure the funds necessary for services rendered to patients.

Health care operations activities also allow for the disclosure of PHI without patient consent. This includes a variety of activities such as quality assessment, improvement processes, training programs for staff, and other operations that are essential to maintain the health care organization’s functions and enhance patient care quality.

Thus, since all three scenarios—treatment, payment, and health care operations—are permissible under HIPAA regulations for the disclosure of PHI without needing explicit written consent from the patient, the correct answer is that a covered entity can disclose PHI for all of these purposes. This explains why D is the accurate