The page below is a sample from the LabCE course HIPAA Privacy and Security Rules for All Healthcare Personnel. Access the complete course and earn ASCLS P.A.C.E.-approved continuing education credits by subscribing online.

Learn more about HIPAA Privacy and Security Rules for All Healthcare Personnel (online CE course) »
How to Subscribe


The privacy regulations give covered entities permission to use and disclose PHI for treatment, payment, and health care operations (TPO), without obtaining specific authorization.

  • A covered entity may disclose PHI to other covered entities such as reference laboratories, and home care services, which are providing services to the primary covered entity. (Each entity must either have or have had a relationship with the individual who is the subject of the PHI being requested).
  • The service that the other covered entity is providing must fall within treatment, payment, or health care operations (TPO).
  • If the service being provided does not fall within TPO, an authorization is generally required.
  • An authorization form must state the specific disclosures of PHI to be made, what the information will be used for, and must be signed and dated by the patient.
  • A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.