A covered entity may use or disclose PHI, without getting an individual's authorization, in order to:
- Perform requested tests and treatments.
- Bill for the services performed.
- Perform essential operations, including quality assessment, accreditation, and compliance.
- Meet legal reporting requirements, including those mandated by public health departments, workers' compensation, law enforcement agencies, and the US Department of Health and Human Services.
Other uses and disclosures require written authorization.
