Page title

HIPAA Policy 4.0: PHI Requests, Access, Uses and Disclosures

Main page content

Document Description

This Policy 4 implements the portion of the HIPAA Privacy Standards that limits the System’s a bility to request, access, Use, or Disclose PHI, which, in most cases is based on the purpose of the intended request, access, Use, or Disclosure, and in many cases is limited to the minimum necessary PHI required for an intended purpose. This Section identifies when System can request, access, Use, and Disclose PHI and sets forth additional procedures for responding to requests for Uses and Disclosures under specific circumstances.

This Policy 4 consists of the following Sections:

Section 4.1  Requests for PHI

Section 4.2  Access to System PHI

Section 4.3  Uses and Disclosures Required by Law

Section 4.4  Discretionary Uses and Disclosures Without An Authorization

4.4(1) Routine Uses and Disclosures Exempt from Prior Approval:

  1. Disclosure of an Individual’s Own PHI to that Individual
  2. Uses and Disclosures for the Purpose of Conducting Payment Operations
  3. Uses and Disclosures for the Purpose of Conducting Health Care Operations
  4. Uses and Disclosures for Health Oversight Activities
  5. Disclosures for Inspection by the Secretary
  6. Disclosures for Workers Compensation
  7. Disclosures of Limited Data Sets

4.4(2) Disclosures for Third-Party Judicial or Administrative Proceedings

4.4(3) Non-Routine Uses and Disclosures Requiring Prior Approval:

  1. Uses and Disclosures for Public Health Activities
  2. Disclosures for Law Enforcement Purposes
  3. Uses and Disclosures Due to Imminent Threat to Health or Safety
  4. Uses and Disclosures Required by Military Authority
  5. Uses and Disclosures for National Security Activities
  6. Disclosures to Coroners and Medical Examiners
  7. Disclosures to Funeral Directors 

Section 4.5  Conducting Underwriting Activities

Section 4.6  Research Disclosures and Uses

Section 4.7  Making Notification Disclosures

Section 4.8  Review of Requests for Use or Disclosure Requiring Approval by the Privacy Officer

Section 4.9  Minimum Necessary Standard for Uses and Disclosures of PHI

Section 4.10 Verification of Requestor’s Identity and Authority

Section 4.11 Obtaining and Relying Upon an Authorization

Section 4.12 Personal Representatives

Section 4.13 De-identified Information

Section 4.14 Documentation of Disclosures


Release Date

Responsible Office(s)

Employee Benefits

Document Type



UT System Links