APD HIPAA Basics: What Providers Need to Know About PHI, Privacy, and Security
APD HIPAA Basics equips you to handle protected health information (PHI) responsibly, reduce risk, and meet federal expectations. This practical guide walks through the HIPAA Privacy Rule, Security Rule, PHI definitions, roles of covered entities and business associates, patient rights, permitted disclosures, and breach notification. It is general information, not legal advice.
Understanding the HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for when PHI may be used or disclosed and how individuals’ privacy is protected. It applies to covered entities and, by extension through contracts, to their business associates.
- Core principles: use or disclose only the minimum necessary, limit access to workforce members who need it, and verify a requestor’s identity and authority.
- Common permitted uses without authorization: treatment, payment, and healthcare operations (TPO); certain public interest activities; and disclosures required by law.
- Authorizations: when not permitted by another provision, obtain a valid, written authorization describing what, who, why, and for how long.
- Notice of Privacy Practices: provide clear notice describing your uses/disclosures, patient rights, and how to exercise them.
- Documentation: maintain policies, procedures, and training records; retain required documentation for at least six years.
Implementing the HIPAA Security Rule
The Security Rule focuses on electronic protected health information (ePHI). It is risk-based and scalable, requiring you to implement reasonable and appropriate safeguards based on your size, complexity, and threats.
- Administrative safeguards: conduct and document an enterprise-wide risk analysis; implement risk management plans; assign a security official; apply workforce security and sanction policies; require security awareness training; and establish contingency plans and security incident response.
- Physical safeguards: control facility access; secure workstations and servers; manage device and media controls (receipt, movement, reuse, disposal); and restrict physical access based on role.
- Technical safeguards: implement unique user IDs and role-based access controls; enable audit controls and activity logs; protect integrity of ePHI; secure transmission (e.g., TLS/VPN); and use encryption at rest and in transit where appropriate.
- Required vs. addressable: all standards must be evaluated; addressable specifications allow flexibility, but you must document how you implement or reasonably justify an alternative.
- Third parties: ensure business associates implement comparable safeguards and report incidents promptly.
Defining Protected Health Information (PHI)
PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate, in any form. ePHI is PHI in electronic form.
- It links an individual to health status, care, or payment and includes common identifiers such as name, address, full-face photos, dates (other than year), contact details, medical record and account numbers, biometric identifiers, and device/serial numbers.
- De-identification may be achieved by removing specified identifiers (safe harbor) or via expert determination that re-identification risk is very small.
- Limited data sets exclude direct identifiers but may retain some dates and geographic data; they can be used for research, public health, or healthcare operations under a data use agreement.
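A worked illustration of the safe-harbor approach described above, written as an added example (not code from the page or from any vendor): it drops the identifier categories the section lists and reduces dates to the year. The record layout and field names are assumptions for this example.

```python
import re
from datetime import date

# Direct identifiers dropped outright (field names are assumptions for this example).
DIRECT_IDENTIFIER_FIELDS = {"name", "street_address", "phone", "email", "mrn",
                            "account_number", "fingerprint_hash", "device_serial",
                            "photo_uri"}
# Date fields: safe harbor keeps only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Dates embedded in free text (ISO YYYY-MM-DD); the year is the capture group.
_ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def year_only(value):
    """Reduce a date object or ISO date string to its year (int)."""
    if isinstance(value, date):
        return value.year
    m = _ISO_DATE.fullmatch(str(value))
    if not m:
        raise ValueError(f"unrecognised date: {value!r}")
    return int(m.group(1))


def deidentify(record):
    """Copy of record with direct identifiers removed and dates reduced to year.
    Free-text fields keep clinical content but embedded dates lose month/day."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field] = year_only(value)
        elif isinstance(value, str):
            out[field] = _ISO_DATE.sub(lambda m: m.group(1), value)
        else:
            out[field] = value
    return out


def leaked_identifiers(record):
    """Post-check: direct-identifier fields still present in a record."""
    return sorted(f for f in record if f in DIRECT_IDENTIFIER_FIELDS)


# Constructed sample record (fictional values, not real patient data).
SAMPLE = {"name": "Jane Example", "street_address": "1 Example Street",
          "phone": "555-0100", "mrn": "MRN-000001",
          "date_of_birth": date(1970, 4, 12), "admission_date": "2024-03-05",
          "diagnosis_code": "E11.9",
          "note": "Seen 2024-03-05; follow-up in 3 months."}
```

Safe harbor has further conditions (for example, treatment of ages over 89 and ZIP codes) that this field-level sketch does not cover; use it as a starting point for a documented procedure, not as a complete implementation.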
Identifying Covered Entities and Business Associates
Covered entities include healthcare providers who conduct standard electronic transactions, health plans, and healthcare clearinghouses. Business associates are vendors or partners who create, receive, maintain, or transmit PHI on a covered entity’s behalf.
- Examples of business associates: EHR and cloud service providers, billing and coding firms, IT support, transcription, analytics, and secure messaging vendors.
- Business associate agreements must define permitted uses/disclosures, require administrative, physical, and technical safeguards, mandate breach notification, flow down obligations to subcontractors, and address return or destruction of PHI at termination.
- Some organizations are hybrid entities; clearly designate HIPAA-covered components and apply protections accordingly.
Upholding Patient Rights Under HIPAA
HIPAA grants individuals rights that providers must respect and operationalize through clear policies, procedures, and training.
- Right of access: provide timely access to records in the form and format the individual requests when it is readily producible, for no more than a reasonable, cost-based fee.
- Right to request amendment: review, respond, and append statements of disagreement when amendments are denied.
- Right to request restrictions: particularly to restrict disclosures to a health plan when a patient pays out of pocket in full for a specific service.
- Right to confidential communications: accommodate reasonable requests for alternative addresses or contact methods.
- Right to an accounting of certain disclosures and to receive a Notice of Privacy Practices and file complaints without retaliation.
Managing Permitted Uses and Disclosures of PHI
Build decision-making around clear pathways for when PHI can be used or disclosed and how to document your rationale.
- Permitted uses/disclosures: TPO; required by law; public health activities; health oversight; judicial and law enforcement requests; research under specified conditions; decedent and organ donation activities; to avert serious threats; workers’ compensation; and specialized government functions.
- Required disclosures: to the individual upon request and to the U.S. Department of Health and Human Services for compliance investigations.
- Authorizations: obtain when a purpose falls outside permitted pathways (e.g., most marketing); ensure content and expiration meet rule requirements.
- Minimum necessary: limit information to what is reasonably necessary to accomplish the purpose, and apply role-based access.
- Verification and documentation: verify identity/authority before disclosure and log disclosures where required.
Complying with the Breach Notification Rule
A breach is an impermissible use or disclosure that compromises the security or privacy of unsecured PHI. If PHI is properly encrypted consistent with federal guidance, it is not considered “unsecured,” and breach notification typically is not required.
- Initial response: contain the incident, preserve logs/evidence, and begin mitigation.
- Risk assessment: evaluate the nature and extent of PHI involved, who received it, whether it was actually acquired or viewed, and the extent of mitigation.
- Notifications: provide written notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS and, for incidents affecting 500 or more residents of a state/jurisdiction, prominent media. Business associates must notify the covered entity.
- Content: describe what happened, types of information involved, steps individuals should take, what you are doing to investigate/mitigate, and contact methods.
- Program readiness: maintain incident response plans, workforce training, vendor oversight, and breach logs; test your process through tabletop exercises.
In practice, strong administrative safeguards, layered physical safeguards, and modern technical safeguards—supported by robust business associate agreements—form the foundation of compliance. By aligning your policies with the Privacy, Security, and Breach Notification Rules, you protect patients, strengthen trust, and reduce regulatory risk.
FAQs
What is considered protected health information under HIPAA?
PHI is any individually identifiable health information related to a person’s health, care, or payment for care that is created, received, maintained, or transmitted by a covered entity or business associate. It includes identifiers like names, addresses, dates, medical record numbers, and many others across paper, oral, and electronic formats.
How do providers ensure HIPAA compliance for electronic health records?
Start with a documented risk analysis, then implement administrative, physical, and technical safeguards for ePHI. Use role-based access, unique IDs, audit logs, encryption in transit and at rest where appropriate, secure configurations and patching, workforce training, contingency planning, and vendor oversight through business associate agreements.
What are the patient rights regarding their health information?
Patients have the right to access and obtain copies of their records, request amendments, request restrictions, receive confidential communications, get a Notice of Privacy Practices, and obtain an accounting of certain disclosures. They may also file privacy complaints without retaliation.
What actions must be taken in the event of a PHI breach?
Immediately contain and investigate, perform a breach risk assessment, and notify affected individuals without unreasonable delay and within required timeframes. Notify HHS and, if applicable, the media, and ensure business associates notify the covered entity. Provide guidance to affected individuals and take steps to prevent recurrence.