A covered entity must obtain the patient's written authorization for any use or disclosure of protected health information (PHI) in which circumstances?

A covered entity is required to obtain a patient's written authorization for specific uses and disclosures of protected health information (PHI) that are not permitted under the HIPAA Privacy Rule without consent.

In the context of marketing activities, authorization is often needed when a covered entity uses PHI to communicate with patients about products or services that are not related to their treatment. This requirement ensures that patients have control over how their information is used for promotional purposes.

Similarly, when it comes to the sale or licensing of PHI, written authorization is mandatory. This stipulation protects patients' privacy and ensures they understand and approve how their information may be financially utilized by the covered entity.

While authorization may also be required in certain research scenarios, not all research uses necessitate it if the research meets specific criteria set forth by HIPAA. Therefore, authorization is primarily emphasized for marketing and the sale of PHI under the regulations, making the combination of these two elements the correct answer.

This careful approach to obtaining patient consent underscores the importance of patient autonomy and reinforces the trust necessary in healthcare relationships regarding the handling of sensitive information.