Tag: a covered entity may use or disclose phi without an authorization