When can you use or disclose PHI?

Using or disclosing Protected Health Information (PHI) is governed by regulations under the Health Insurance Portability and Accountability Act (HIPAA). The correct choice centers on written authorization from the patient.

When a patient provides a written authorization, it indicates informed consent and allows healthcare providers to disclose PHI for specific purposes outlined in that authorization. This ensures that the patient's rights are respected and that they have control over who accesses their personal health information and for what reasons.

While verbal consent may be acceptable in certain situations, it does not provide the same level of protection or documentation as written consent and may not always meet regulatory requirements. Disclosures solely for treatment purposes, while permissible under specific circumstances without explicit consent, do not encompass the broader range of situations addressed by written authorization. Additionally, the use of PHI strictly for research purposes is a distinct category that also requires careful adherence to regulations, often involving a separate approval process and not merely as a blanket statement for all situations.

Thus, the requirement for written authorization in this context emphasizes the importance of patients' autonomy over their own health information and aligns with HIPAA’s foundational principles of privacy and security concerning PHI.