When discussing nontreatment purposes in healthcare, we’re referring to ways that protected health information (PHI) is used beyond direct patient care. So, rather than focusing on treating the patient, nontreatment involves things like managing healthcare operations. PHI is anything that can identify an individual and relates to their health status, treatment, or payment for healthcare services.
When PHI is used for treatment, healthcare providers can share it fairly freely without needing extra permission. However, moving to nontreatment purposes becomes more complicated because these uses don’t directly involve patient care.
One BMC Medical Ethics study noted that “rapid ethical access to personal health information (PHI) to support research is extremely important during pandemics, yet little is known regarding patient preferences for consent during such crises.” The same research found that during the COVID-19 pandemic, patients were “significantly more comfortable with sharing all information and biological samples (90% vs. 79%)” and wanted more transparency, with “75% expressing a wish to track use of PHI and 83% wanting to be notified of results.”
For nontreatment uses, HIPAA sets boundaries on how PHI can be shared and when patient consent is required. One of the most common nontreatment uses is healthcare operations, which includes activities like quality assurance, auditing, provider credentialing, and case management. These functions help keep hospitals, clinics, and insurers running smoothly behind the scenes. While these activities don’t involve treating patients face-to-face, they still support the delivery of safe, efficient care.
When PHI is used for treatment, it falls within what HIPAA refers to as the “circle of care.” This includes activities such as conversations among healthcare providers, lab testing, imaging, referrals, and other processes directly involved in diagnosing or treating a patient. As noted in a StatPearls chapter on HIPAA’s Privacy Rule, “a covered entity may disclose PHI without the individual’s permission for treatment, payment, and health care operations purposes.”
By contrast, when PHI is used for nontreatment purposes, it encounters a more stringent set of rules and safeguards. The Privacy Rule broadly restricts disclosure “except as permitted or required by the Privacy Rule”, which means uses beyond treatment warrant additional scrutiny.
The broadest and most frequently invoked category is healthcare operations. Under HIPAA 45 CFR §164.506, healthcare operations include activities that support the core functions of a healthcare provider or health plan but do not involve direct patient care. As a New England Journal of Medicine study explains, HIPAA permits disclosures “for billing, quality improvement, or other administrative purposes without informing patients” when they fall under treatment, payment, or healthcare operations.
Research is another category of nontreatment use. HIPAA permits using PHI for research purposes under specific conditions without patient authorization, as outlined in 45 CFR §164.512(i). Research includes systematic investigations to contribute to generalizable knowledge. Researchers may use PHI if the research has been approved by an Institutional Review Board (IRB) or a privacy board that enforces strict privacy safeguards and conditions. The NEJM article clarifies that “this exception does not apply to using identifiable patient records for research purposes, which generally requires obtaining consent.”
Public health and safety activities are also part of nontreatment purposes. These uses involve disclosures of PHI to public health authorities authorized by law to monitor, investigate, and control diseases, injuries, or other threats to the community. Under 45 CFR §164.512(b), covered entities can disclose necessary PHI without patient consent for tasks like infectious disease reporting, vital statistics reporting, or preventing or controlling epidemics.
Legal and administrative uses include disclosures required or permitted by law, including responding to court orders, subpoenas, or law enforcement investigations. HIPAA allows these disclosures under strict conditions specified in sections like 45 CFR §164.512(e) and (f). These nontreatment uses support the justice system and law enforcement while protecting individuals’ privacy rights as much as possible within legal frameworks.
Marketing and fundraising represent particularly sensitive nontreatment uses of PHI. Unlike healthcare operations or public health, marketing communications using PHI generally require explicit written patient authorization under 45 CFR §164.508(a)(3). This includes direct advertising of health-related products or services. Hoffman points out that many non-covered entities, like “marketing companies, website operators, data brokers, and life, disability, and long-term care insurers—are not obligated to comply with HIPAA’s provisions.”
Patients typically know they have the right to access their health records, ask for corrections, and get notices about how their information is being used. The StatPearls chapter on informed consent notes, “individuals have a right to adequate notice of how covered entities may use and disclose their protected health information, as well as their rights and the covered entity’s legal duties with respect to protected health information.” They can request restrictions on disclosures or how they receive communications, like choosing whether appointment reminders come by phone, mail, or text.
These rights are pretty straightforward when it comes to their own care and treatment. Providers have to honor these requests within reason and let patients see their information, correct errors, and understand who’s seen their PHI. The Privacy Rule “generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”
But moving into nontreatment territory, it gets a bit more complex. Take research, for example. Normally, researchers need permission to use health info, but there are special rules that let studies move forward even without everyone’s consent, if an ethics board reviews the project and agrees the privacy risks are low.
This is necessary for medical advances, but it means individual control isn’t quite as direct. Similarly, for public health needs, like reporting infectious diseases to stop an outbreak, healthcare providers can share PHI without asking patients first, because the public good outweighs individual control in these cases.
Marketing and fundraising are a different story altogether. Here, HIPAA is pretty clear that patients should have to explicitly agree before their health info is used to send promotions or solicit donations. This keeps things transparent and helps protect patient trust, because nobody wants their sensitive info used without their okay to push products or ask for money.
Formal permission that a patient must provide before their PHI can be used or disclosed.
General agreement from the patient allowing for their PHI to be used or shared within specific guidelines.
Any unauthorized uses or releases of PHI that violate HIPAA.