Under what circumstances can a covered entity disclose PHI without authorization?

The circumstances under which a covered entity can disclose protected health information (PHI) without authorization primarily include activities related to treatment, payment, and healthcare operations. This exemption is outlined in the Health Insurance Portability and Accountability Act (HIPAA) regulations, which are designed to allow healthcare providers and other entities to perform necessary functions while maintaining patient confidentiality.

When it comes to treatment, disclosures are often required to share information with other healthcare professionals involved in a patient's care. Payment refers to actions related to billing and reimbursement processes, where sharing PHI is essential for obtaining payment from health plans or patients. Healthcare operations encompass a broad range of activities, including quality assessment, case management, improvement in services, and training. These functions are vital to the effective and efficient operation of a healthcare organization.

While other options describe valid circumstances where PHI may be disclosed, they either require more specific situations or do not represent the primary routine reasons, such as disaster relief or public emergencies, or situations where the patient has an opportunity to object. Thus, disclosing PHI for treatment, payment, and healthcare operations is the most fundamental and commonly accepted criterion as established by HIPAA.