5 Key HIPAA Privacy Rule Requirements: Compliance Guide for Covered Entities

Kevin Henry

HIPAA

March 03, 2025

7 minute read

The HIPAA Privacy Rule sets nationwide standards for how covered entities handle protected health information (PHI). This guide explains the five core areas you must master—scope, PHI definition, use and disclosure limits, individual rights, and safeguards—plus essential operational requirements like the minimum necessary standard, workforce training, and enforcement.

Use this as a practical checklist to build policies, train staff, and document compliance. Throughout, you’ll see where Business Associate Agreements, a Notice of Privacy Practices, and recordkeeping obligations fit into day‑to‑day operations.

Covered Entities and Their Scope

Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. If you are one of these, the Privacy Rule applies to all PHI you create, receive, maintain, or transmit.

  • Health plans: group and individual plans, HMOs, Medicare/Medicaid, and employer-sponsored plans.
  • Health care providers: any provider who conducts standard electronic transactions (claims, eligibility, referrals).
  • Health care clearinghouses: entities that process nonstandard information into standard formats.

Business associates—vendors that handle PHI on your behalf—are not covered entities but are directly regulated. You must execute Business Associate Agreements that define permitted uses, require safeguards, and mandate breach reporting. Hybrid entities should designate health care components to clarify where HIPAA applies.

Protected Health Information (PHI) Definition

PHI is individually identifiable health information related to a person’s health condition, care, or payment for care, maintained or transmitted in any form. Identifiers include names, addresses, contact details, medical record numbers, full-face photos, and device or account numbers, among others.

PHI excludes de-identified data, which can be created by removing specific identifiers (Safe Harbor) or via expert determination that the risk of re-identification is very small. It also excludes employment records held by a covered entity in its role as an employer and education records subject to FERPA.
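To make the Safe Harbor method concrete, here is an added example (not code from the original article or from Accountable) that applies the main Safe Harbor transformations to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 are collapsed into a "90+" category, ZIP codes are truncated to three digits (with sparse areas zeroed), and free text gets a first-pass scrub for contact details and the patient's own name. The field names, the sample record and the sparse-ZIP set are assumptions made for the example; the authoritative list of sparse three-digit ZIP prefixes comes from Census data, not from this placeholder.

```python
import re
from datetime import date

# Constructed sample record for demonstration; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00012345",
    "email": "jane.sample@example.com",
    "phone": "555-0100",
    "zip": "02138",
    "dob": "1931-04-12",
    "admit_date": "2024-11-03",
    "diagnosis": "type 2 diabetes mellitus",
    "note": "Patient Jane reached at 555-0100 reports improved fasting glucose.",
}

# Assumed schema: field names holding direct identifiers that Safe Harbor
# removes outright (names, contact details, record/account/device numbers, ...).
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "email", "phone", "fax", "account_number",
    "beneficiary_number", "license_number", "vehicle_id", "device_id",
    "ip_address", "url", "photo",
}
# Assumed schema: date fields; Safe Harbor keeps only the year of these.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Placeholder set; the real list is derived from Census population data.
SPARSE_ZIP3 = {"036", "059", "102"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}|\b\d{3}[-.\s]?\d{4}\b")


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless that area is too sparse."""
    z3 = zip_code[:3]
    return "000" if z3 in SPARSE_ZIP3 else z3


def age_on(birth, today):
    """Whole years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def scrub_text(text, name_tokens):
    """Mask e-mail addresses, phone numbers and the patient's own name tokens.

    Free text is never fully covered by pattern matching; treat the result
    as a first pass that still needs human review before release."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    for token in name_tokens:
        text = re.sub(rf"\b{re.escape(token)}\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def deidentify(record, today=None):
    """Return a Safe Harbor style copy of `record`.

    Direct identifiers are dropped, dates keep only the year, a birth date
    that would reveal an age over 89 becomes the single category "90+",
    ZIP codes are generalized and remaining strings are scrubbed."""
    today = today or date.today()
    out = {}
    name_tokens = [t.strip(".,") for t in record.get("name", "").split()
                   if len(t.strip(".,")) > 1]
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            birth = date.fromisoformat(value)
            if age_on(birth, today) > 89:
                out["age"] = "90+"          # year of birth would reveal age > 89
            else:
                out["birth_year"] = birth.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value, name_tokens)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD, today=date(2025, 3, 3)).items():
        print(f"{field}: {value}")
```

Run against the sample record with a fixed "today" of 2025-03-03, the output keeps the diagnosis, `zip3` of `021`, `admit_year` of 2024 and an `age` of `90+` (the 1931 birth year is suppressed because it would reveal an age over 89), while the note reads `Patient [NAME] reached at [PHONE] reports improved fasting glucose.` Structured fields are where Safe Harbor can be applied mechanically; the free-text scrub is the weak spot, which is why organizations releasing narrative notes usually fall back on expert determination or manual review.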

Use and Disclosure Limitations

You may use or disclose PHI without authorization for treatment, payment, and health care operations (TPO), and for certain public interest purposes allowed by the Rule. All other uses and disclosures require a valid, written authorization.

  • Permitted/required without authorization: TPO, disclosures to the individual, public health reporting, health oversight, judicial and law enforcement purposes, research with an IRB waiver, averting a serious threat, workers’ compensation, and as required by law.
  • Authorization required: most marketing, sale of PHI, and psychotherapy notes (with limited exceptions).
  • Incidental disclosures: allowed only if you implement reasonable safeguards and apply the minimum necessary standard where applicable.

Your Notice of Privacy Practices must clearly explain these uses and disclosures, including how patients can exercise their rights and how to file complaints. Ensure business associates’ uses and disclosures are limited to what your Business Associate Agreements permit.

Individual Rights Under the Privacy Rule

Individuals have strong rights that your policies and workflows must honor within required timeframes. You must verify identity, document actions taken, and communicate decisions clearly.

  • Right of access: individuals can inspect or obtain copies of PHI in the requested format if readily producible, generally within 30 days. Reasonable, cost-based fees only.
  • Right to amend: they may request corrections to inaccurate or incomplete PHI; denials require a written explanation and the right to submit a statement of disagreement.
  • Right to request restrictions: you must accept a restriction on disclosures to health plans when the patient pays in full out of pocket.
  • Right to confidential communications: accommodate reasonable requests for alternative addresses or contact methods.
  • Right to an accounting of disclosures: for certain non-TPO disclosures during a defined period.
  • Right to receive your Notice of Privacy Practices: provide, post, and make it available upon request.

Required Safeguards for PHI

The Privacy Rule requires reasonable safeguards for PHI in any form, and the HIPAA Security Rule specifies protections for electronic PHI. Implement a risk-based program covering Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

Administrative Safeguards

  • Assign privacy and security officials; perform risk analyses and mitigation plans.
  • Adopt policies for role-based access, minimum necessary, sanctions, and incident response.
  • Manage Business Associate Agreements and vendor due diligence.

Physical Safeguards

  • Control facility access; use workstation security, screen privacy, and device/media controls.
  • Secure disposal (shredding, wiping) and transport of records and media.

Technical Safeguards

Minimum Necessary Standard Compliance

Limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the purpose. Apply role-based access and standard protocols so staff automatically receive only what they need.

  • Document routines for common scenarios (release of information, payer requests, research).
  • Use de-identified data or limited data sets whenever possible; apply data segmentation and masking.
  • Rely on requesters’ representations when appropriate (e.g., other covered entities), but validate unusual or broad requests.
  • Know the exceptions: disclosures to the individual, for treatment, as required by law, and to HHS for compliance reviews.

Training and Enforcement Procedures

Build a culture of compliance through ongoing education, clear accountability, and documented enforcement. Train your workforce on policies relevant to their roles and refresh annually or when rules or duties change.

Training

  • Provide orientation on the Privacy Rule, Notice of Privacy Practices, and minimum necessary.
  • Role-specific exercises for release-of-information, telehealth, and patient portal workflows.
  • Phishing, secure messaging, and incident reporting drills for practical readiness.

Enforcement

  • Maintain a complaint process; investigate promptly; mitigate harmful effects of violations.
  • Apply a written sanctions policy consistently and document corrective actions.
  • Perform audits and risk assessments; track issues to closure.

Record Retention Requirements

Retain HIPAA-related documentation—policies, procedures, training records, risk analyses, complaints, sanctions, Business Associate Agreements, and Notice of Privacy Practices versions—for at least six years from creation or last effective date. State law or payer rules may require longer retention for medical records themselves.

Civil and Criminal Penalties

OCR enforces tiered civil monetary penalties that scale with culpability and can reach significant annual caps. The Department of Justice can pursue criminal penalties for knowing wrongful disclosures or obtaining PHI under false pretenses, with potential fines and imprisonment. Strong safeguards, timely breach response, and thorough documentation reduce exposure.

Conclusion

To comply with the HIPAA Privacy Rule, define your scope, treat PHI carefully, restrict uses and disclosures, honor individual rights, and operationalize safeguards. Reinforce the minimum necessary standard, train your workforce, enforce policies, and retain records. This integrated approach protects patients and reduces legal, financial, and reputational risk.

FAQs

What entities are covered under HIPAA Privacy Rule?

Covered entities are health plans, health care clearinghouses, and health care providers who conduct standard electronic transactions. Business associates that handle PHI for covered entities are also directly regulated and must sign Business Associate Agreements defining permitted uses and safeguards.

How is Protected Health Information defined?

PHI is individually identifiable health information related to health, care, or payment that is created, received, maintained, or transmitted by a covered entity or business associate. It includes common identifiers (for example, name, address, medical record number). De-identified data and employment records held in the employer role are not PHI.

What rights do individuals have under the Privacy Rule?

Individuals have the right to access and obtain copies of PHI, request amendments, request restrictions (including limiting disclosures to a health plan when paying out of pocket), request confidential communications, receive a Notice of Privacy Practices, and obtain an accounting of certain disclosures.

What are the consequences of non-compliance?

Consequences range from corrective action plans and tiered civil monetary penalties imposed by OCR to criminal penalties pursued by the Department of Justice for knowing wrongful acts. Beyond fines, non-compliance can trigger breach notifications, litigation, loss of trust, and costly remediation.
