A. Use or disclosure of PHI is prohibited unless it is authorized by the patient, permitted by law or granted through an IRB waiver. HIPAA prohibits leaving PHI in public view. Discarding unneeded medical records in the trash (as opposed to shredding them) is a HIPAA violation. So is giving out patient information without first confirming that the person receiving it is the patient. Some uses and disclosures cannot reasonably be prevented; conversations that might be overheard and PHI that is accidentally seen are examples. The key is to make reasonable efforts to limit such incidental uses and disclosures.