# Privacy Rule: PHI Handling & Patient Rights
This module covers the HIPAA Privacy Rule requirements relevant to our work as a Business Associate.
## Permitted uses and disclosures
As a Business Associate, we may use or disclose PHI only as permitted by HIPAA and by the BAA signed with each customer:
**Permitted internal uses:**
- Operating and improving the platform on behalf of the customer
- Troubleshooting customer-reported issues (minimum necessary)
- Generating audit and compliance reports for the customer
- Backup, recovery, and business continuity operations
**Permitted external disclosures:**
- To subprocessors under signed BAAs (see Subprocessor Registry)
- As required by law (subpoena, court order — Privacy Officer notifies customer unless prohibited)
**Prohibited uses — zero exceptions:**
- Marketing, fundraising, or sale of PHI
- Research without explicit customer authorization
- Sending PHI to public AI/LLM APIs (see LLM Routing Policy)
## Minimum necessary standard
When accessing or disclosing PHI, limit it to the minimum required. Practically:
- Access only records you need for the current task
- Do not pull bulk PHI extracts without Privacy Officer approval
- The audit log captures every PHI view
## PHI in operational channels
- **Email**: Never send PHI via unencrypted email. Use encrypted channels or the platform's messaging module.
- **Chat/Slack**: PHI in Slack is generally prohibited. Escalate to the platform if a customer needs to share PHI.
- **Code & tests**: Never include real PHI in source code, test fixtures, or documentation. Use synthetic data only.
- **Databases**: Personal dev databases must not contain real PHI. Use the dev seed tool.
## Attestation
Completing this module confirms you understand Privacy Rule requirements for PHI handling.