45 CFR 164.500 Explained: HIPAA Privacy Rule Scope, Who Is Covered, and Key Requirements
Applicability of HIPAA Privacy Rule
What the Rule Covers
45 CFR 164.500 opens Subpart E of the HIPAA Privacy Rule and defines who must protect Protected Health Information (PHI). It applies to covered entities—health care providers, health plans, and health care clearinghouses—and, through contracts and direct liability, many business associates that create, receive, maintain, or transmit PHI.
The Privacy Rule safeguards PHI in any form (electronic, paper, or oral). It sets baseline standards for how you may use and disclose PHI, the rights individuals have over their information, and the administrative steps you must take to ensure confidentiality, integrity, and availability.
Exclusions from PHI
Some information is outside the Privacy Rule. Key exclusions from PHI include de-identified data, education records subject to FERPA (and certain student treatment records), employment records held by a covered entity in its role as employer, and health information about a person deceased for more than 50 years.
Permitted Uses and Disclosures
Permitted uses and disclosures generally include treatment, payment, and health care operations. You may also disclose PHI without authorization for specified public interest and safety activities (for example, certain public health reporting or to avert a serious threat) when conditions in the Rule are met.
Required Disclosures
Required disclosures are narrow. You must disclose PHI to the individual (when they exercise rights such as access or an accounting of disclosures) and to the U.S. Department of Health and Human Services (HHS) when it investigates or reviews compliance.
Definition of Covered Entities
Covered entities are the organizations directly regulated by the Privacy Rule. They include:
- Health care providers that transmit health information electronically in connection with standard transactions (for example, claims or eligibility checks).
- Health plans, such as insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans.
- Health care clearinghouses that convert nonstandard health information into standard formats and vice versa.
Business associates—vendors or contractors that handle PHI for a covered entity—are not covered entities, but they must follow Privacy Rule requirements through business associate agreements and are directly liable for certain violations.
Roles of Health Care Providers
Core Privacy Responsibilities
If you are a provider, the Privacy Rule allows using and disclosing PHI for treatment, payment, and operations without authorization while honoring individual rights. You must implement safeguards, verify identities where appropriate, and apply the Minimum Necessary Standard to non-treatment uses and disclosures.
Providers must also supply a Notice of Privacy Practices, designate a privacy official, train the workforce, manage business associate agreements, and document policies and procedures. When using or disclosing PHI beyond permitted uses, you need a valid authorization.
Patient Rights You Must Support
- Right of access to PHI and to receive it in the requested format if readily producible.
- Right to request amendments and receive an accounting of certain disclosures.
- Right to request restrictions and confidential communications, which you must honor in specific circumstances.
Overview of Health Plans
Health plans are covered entities that finance or pay for health care. If you operate a group health plan, the Privacy Rule requires controls on how plan sponsors access PHI, typically limiting them to plan administration while prohibiting use for employment-related actions.
Plans must issue and update the Notice of Privacy Practices, apply the Minimum Necessary Standard to plan operations, and maintain administrative, technical, and physical safeguards. Many plans also manage relationships with third-party administrators as business associates.
Function of Health Care Clearinghouses
Clearinghouses transform nonstandard health data into standard transactions (and the reverse). As covered entities, they protect PHI they create or receive. When serving a provider or plan, they typically act as a business associate and may use or disclose PHI only as allowed by the Privacy Rule and their service agreements.
If your organization operates as a clearinghouse, focus on limiting PHI access to translation and routing functions, maintaining strong safeguards, and ensuring Minimum Necessary principles are embedded in workflows.
Minimum Necessary Standard
The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount reasonably necessary to accomplish the purpose. It drives role-based access, default redaction, and need-to-know practices across your operations.
Common Exceptions
- Disclosures to or requests by a health care provider for treatment.
- Uses or disclosures to the individual who is the subject of the PHI.
- Uses or disclosures made pursuant to a valid authorization.
- Disclosures to HHS for investigations, reviews, or enforcement.
- Uses or disclosures required by law when the Rule permits reliance on that law.
Practical Implementation Tips
- Create role-based access rules and standard protocols for routine disclosures.
- For non-routine requests, require documented case-by-case review.
- Prefer de-identified data or a limited data set with a data use agreement when full identifiers are unnecessary.
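As an added illustration (not code from the page or any product), a small policy check that encodes the Minimum Necessary exceptions and the role-based, routine-versus-non-routine handling described above; the role names, per-role field sets, purpose labels and the sample record are assumed:

```python
# Added illustration of a Minimum Necessary filter; not from the page or any product.
# Role-to-field mappings, purpose labels and the sample record are assumptions.

# Constructed sample PHI record (fictitious values).
RECORD = {
    "name": "Jane Example",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",
    "diagnosis": "J45.909",
    "claim_amount": "312.50",
}

# Assumed routine-disclosure protocol: the fields each role reasonably needs.
ROLE_FIELDS = {
    "billing": {"name", "dob", "diagnosis", "claim_amount"},
    "scheduling": {"name", "dob"},
    "research": set(),  # full identifiers unnecessary: use de-identified data instead
}

# Purposes the page lists as outside the Minimum Necessary Standard.
EXEMPT_PURPOSES = {"treatment", "individual", "authorization", "hhs", "required_by_law"}

AUDIT_LOG = []  # one entry per decision, supporting an accounting of disclosures


def minimum_necessary(record, role, purpose, routine=True):
    """Return (released_fields, needs_review).

    Exempt purposes release the full record; routine requests are filtered to
    the role's standard field set; non-routine requests release nothing until a
    documented case-by-case review has occurred. Unknown roles get nothing.
    """
    if purpose in EXEMPT_PURPOSES:
        released, needs_review = dict(record), False
    elif not routine:
        released, needs_review = {}, True
    else:
        allowed = ROLE_FIELDS.get(role, set())  # deny by default
        released = {k: v for k, v in record.items() if k in allowed}
        needs_review = False
    AUDIT_LOG.append({"role": role, "purpose": purpose,
                      "fields": sorted(released), "held_for_review": needs_review})
    return released, needs_review


if __name__ == "__main__":
    print(minimum_necessary(RECORD, "billing", "payment"))
    print(minimum_necessary(RECORD, "billing", "payment", routine=False))
```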
Notice of Privacy Practices
The Notice of Privacy Practices explains how you use and disclose PHI, summarizes individual rights, states your legal duties, and identifies how to submit complaints or exercise rights. It should be clear, prominently displayed, and readily available.
For providers, deliver the notice no later than the first service encounter, post it at the point of care and on your website if you have one, and make a good-faith effort to obtain written acknowledgment. Health plans must provide the notice to enrollees at enrollment and distribute updates after material changes; both providers and plans must make the notice available upon request at any time.
FAQs
Who Must Comply with 45 CFR 164.500?
Covered entities—health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses—must comply. Business associates that handle PHI for a covered entity must also follow many HIPAA Privacy Rule requirements and are directly liable for certain violations.
What Types of Entities Are Covered Under the Privacy Rule?
The Privacy Rule covers health plans, health care clearinghouses, and health care providers who electronically transmit health information in standard transactions. These entities must protect Protected Health Information, follow permitted uses and disclosures, and make required disclosures when applicable.
What Is the Minimum Necessary Standard?
It is a core requirement to use, disclose, and request only the PHI needed to accomplish a specific purpose. It does not apply to treatment, disclosures to the individual, disclosures to HHS, uses or disclosures under a valid authorization, or uses and disclosures required by law.
When Must Notice of Privacy Practices Be Provided?
Providers must offer the notice no later than the first service encounter and keep it posted and available thereafter. Health plans must furnish it to new enrollees and redistribute it after material changes, while all covered entities must provide the notice on request at any time.