No. If you are a covered entity, all uses and disclosures of PHI are regulated. You must institute safeguards to protect PHI whether you disclose it verbally, in writing or electronically. The good news is that under the final rule, you do not need the patient’s consent for most routine uses or disclosures of PHI related to treatment, payment and health care operations (TPO). Health care operations include but are not limited to fundraising activities; quality assessment and improvement activities; insurance activities; business planning, development and management activities; licensing and audits; evaluating health care professionals and plans; and training health care professionals.