Basic Principle: A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by providers. A provider may not use or disclose protected health information, except either:
(1) as the Privacy Rule permits or requires; or
(2) as the individual who is the subject of the information (or the individual’s representative) authorizes in writing.
Required Disclosures: A provider must disclose protected health information in only two situations:
(a) to individuals (or their representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and
(b) to HHS when it is undertaking a compliance investigation or review or enforcement action.