Under what circumstance can a covered entity disclose Protected Health Information (PHI) without patient consent?

Disclosing Protected Health Information (PHI) without patient consent is permissible during public health activities, which encompasses a variety of situations where the public's health is at stake. This could include actions such as reporting diseases, preventing disease outbreaks, conducting public health investigations, or tracking public health threats. The privacy regulations acknowledge the necessity of such disclosures to protect the health and safety of populations and allow for more effective public health interventions.

The options around marketing purposes and improving customer service typically require prior consent from the patient due to the potential for misuse and privacy invasion. Transfers of records between departments within a covered entity generally occur in the context of treatment or payment, and while those may not require explicit consent, they still do not align with the broader umbrellas of necessity that public health activities do. Hence, the context of public health outweighs the need for individual consent in the interest of community welfare.