CMS HIPAA Privacy Rule Explained: Requirements, Permitted Uses, and Patient Rights
HIPAA Privacy Rule Overview
What the Privacy Rule protects
The HIPAA Privacy Rule sets national standards for safeguarding Protected Health Information (PHI)—any information that identifies a person and relates to their past, present, or future physical or mental health, care, or payment. It applies to PHI in any form: electronic, paper, or oral.
Who the Rule applies to
Covered entities include health plans, most healthcare providers, and healthcare clearinghouses, as well as their business associates that handle PHI on their behalf. This guide references CMS because many covered entities participate in Medicare and Medicaid, but enforcement of the Privacy Rule by the Department of Health and Human Services (HHS) is carried out primarily by its Office for Civil Rights (OCR).
Purpose and scope
The Rule balances privacy with the flow of information needed for treatment, payment, and healthcare operations. It creates baseline rights for patients and accountability measures for organizations, while allowing uses and disclosures that advance public health and other important objectives.
Requirements for Covered Entities
Foundational obligations
- Designate a privacy official and establish written privacy policies and procedures.
- Train the workforce on those policies and sanction violations.
- Implement appropriate administrative, physical, and technical safeguards to protect PHI.
- Execute business associate agreements with vendors that create, receive, maintain, or transmit PHI.
- Maintain required documentation for the period specified by regulation.
Notice of Privacy Practices (NPP)
You must provide a clear Notice of Privacy Practices that describes how you use and disclose PHI, your legal duties, and patients’ rights. Make the NPP available on request, post it prominently where care is delivered, and, where applicable, deliver it at the first service encounter and make a good-faith effort to obtain an acknowledgment of receipt.
Access, amendment, and disclosure tracking processes
Maintain procedures to respond to patient access requests, to evaluate and implement requests to amend PHI, and to produce an accounting of certain disclosures. Your processes should define identity verification steps, response timelines, fee practices, and escalation paths for complex cases.
Permitted Uses and Disclosures
Without patient authorization
HIPAA permits uses and disclosures of PHI without authorization for core activities and public interests, subject to the Minimum Necessary Standard where applicable. Key categories include:
- Treatment, payment, and healthcare operations.
- Public Health Disclosures (for disease reporting, adverse events, and similar purposes).
- Health Oversight Activities (such as audits, inspections, and licensure actions).
- Disclosures required by law, and for judicial or administrative proceedings.
- Law enforcement purposes under defined conditions.
- Research under an institutional review board or privacy board waiver, or via a limited data set with a data use agreement.
- To avert a serious threat to health or safety, and for specialized government functions.
- Workers’ compensation and certain employer-related health activities permitted by law.
With patient authorization
For uses outside HIPAA’s permitted pathways—such as most marketing, the sale of PHI, and psychotherapy notes—you must obtain a valid, written authorization. Patients may revoke an authorization prospectively.
De-identified and limited data
De-identified data (meeting HIPAA standards) is not PHI and may be used or disclosed freely. A limited data set, stripped of certain direct identifiers, may be disclosed for research, public health, or healthcare operations with a data use agreement.
Patient Rights Under HIPAA
Right of access and copies
Patients can access, inspect, and obtain copies of their PHI in the form and format requested if readily producible, including electronic copies of electronic records. Reasonable, cost-based fees may be charged for copies as permitted by regulation.
Right to request amendments
Patients may request corrections to PHI they believe is inaccurate or incomplete. If you deny a request, you must explain the reason and allow the patient to submit a statement of disagreement to be included in the record.
Right to an accounting of disclosures
Upon request, patients are entitled to an accounting of certain disclosures made without authorization, excluding routine treatment, payment, and operations activities and other exempt categories.
Right to request restrictions and confidential communications
Patients may ask you to restrict certain uses or disclosures and to communicate in alternative ways or at alternative locations. You must accommodate reasonable requests for confidential communications and specific legally required restrictions, such as when a patient pays out of pocket for an item or service and asks you not to disclose it to a health plan.
Right to receive the Notice of Privacy Practices and to complain
Patients are entitled to an NPP and may file complaints directly with you or with HHS OCR if they believe privacy rights were violated. Retaliation for exercising HIPAA rights is prohibited.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Minimum Necessary Standard
Core principle
When using, disclosing, or requesting PHI, limit the information to the minimum necessary to accomplish the purpose—except for treatment, disclosures to the individual, uses or disclosures authorized by the individual, and certain other defined exceptions.
Putting “minimum necessary” into practice
- Adopt role-based access and need-to-know rules that map job duties to PHI access.
- Standardize routine disclosures and requests with protocols that specify the data elements needed.
- Use de-identification or a limited data set whenever full identifiers are not required.
- Periodically review logs and requests to tighten overbroad access patterns.
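As an added example (not code from this page, from any regulation, or from the Accountable product), the following Python sketch turns the four practices above into a single enforcement point: a hypothetical role/purpose policy that names the permitted data elements, whole-record release for the purposes the standard exempts (treatment, release to the individual), an accounting log that skips routine treatment, payment and operations releases, and a record of over-broad requests for the periodic review the last bullet calls for. All roles, purposes, field names and the sample patient record are constructed assumptions that a privacy official would replace with their organization's own policy.

```python
"""Minimum-necessary release filter with disclosure accounting.

Added illustration for this guide; not code from any regulation, agency or
vendor. Roles, purposes and field lists form a hypothetical policy.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample record for a fictional patient.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "dob": "1980-04-02",
    "address": "1 Sample Street",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "billing_code": "E11.9",
    "insurance_id": "INS-98765",
}

# Sentinel meaning "whole record": used for purposes the standard exempts
# (treatment, release to the individual, release under their authorization).
ALL: FrozenSet[str] = frozenset({"*"})

# Hypothetical (role, purpose) -> permitted data elements.
# Any (role, purpose) pair not listed here is denied outright.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("physician", "treatment"): ALL,
    ("patient", "individual"): ALL,
    ("billing_clerk", "payment"): frozenset({"name", "mrn", "billing_code", "insurance_id"}),
    ("quality_analyst", "operations"): frozenset({"mrn", "diagnosis", "medications"}),
    ("public_health_officer", "public_health"): frozenset({"name", "dob", "diagnosis"}),
}

# Routine treatment/payment/operations releases and releases to the individual
# are outside the accounting of disclosures; every other release is logged.
ACCOUNTING_EXEMPT: Set[str] = {"treatment", "payment", "operations", "individual"}


class PolicyViolation(Exception):
    """Raised when no policy entry permits the requested (role, purpose)."""


@dataclass
class DisclosureLog:
    """Accounting entries plus a record of over-broad requests for periodic review."""
    disclosures: List[dict] = field(default_factory=list)
    overbroad: List[dict] = field(default_factory=list)


def release(record: Dict[str, object], role: str, purpose: str, log: DisclosureLog,
            requested: Optional[List[str]] = None,
            today: Optional[date] = None) -> Tuple[Dict[str, object], Set[str]]:
    """Return (released_fields, denied_fields) for one request.

    `requested` lists the data elements the requester asked for; None means
    "everything", which is what an unprotocolled routine request looks like.
    """
    allowed = POLICY.get((role, purpose))
    if allowed is None:
        raise PolicyViolation(f"no policy permits role {role!r} to receive PHI for {purpose!r}")

    wanted = set(requested) if requested is not None else set(record)
    permitted = wanted if allowed is ALL else wanted & allowed
    denied = wanted - permitted
    released = {k: record[k] for k in record if k in permitted}
    when = today or date.today()

    if denied:
        # Over-broad request: keep it for the periodic access review.
        log.overbroad.append({"role": role, "purpose": purpose,
                              "denied": sorted(denied), "date": when.isoformat()})
    if purpose not in ACCOUNTING_EXEMPT:
        log.disclosures.append({"mrn": record["mrn"], "role": role, "purpose": purpose,
                                "fields": sorted(released.keys()), "date": when.isoformat()})
    return released, denied


def accounting_for(log: DisclosureLog, mrn: str) -> List[dict]:
    """The accounting of disclosures a patient may request, filtered to their record."""
    return [entry for entry in log.disclosures if entry["mrn"] == mrn]


if __name__ == "__main__":
    log = DisclosureLog()
    out, denied = release(SAMPLE_RECORD, "billing_clerk", "payment", log)
    print("billing clerk sees:", sorted(out), "denied:", sorted(denied))
    release(SAMPLE_RECORD, "public_health_officer", "public_health", log,
            requested=["name", "diagnosis", "address"])
    print("accounting for patient:", accounting_for(log, "MRN-000123"))
    print("over-broad requests to review:", log.overbroad)
```

The policy table is deliberately the only place where role, purpose and data elements meet, so a reviewer can audit it in one sitting, and the `overbroad` list gives the periodic access review something concrete to tighten: a role whose requests are repeatedly trimmed is a candidate for a narrower standard protocol.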
State Laws and HIPAA
Preemption and more stringent protections
HIPAA generally preempts contrary state laws, but state rules that are more stringent—such as those governing mental health, substance use disorder records, HIV status, genetic data, or reproductive health—remain in force. You must evaluate and follow the most protective applicable law.
Practical steps for multi-state operations
- Map state-specific privacy requirements that exceed HIPAA and build them into policies.
- Configure EHR and release-of-information workflows to honor state consent and disclosure rules.
- Train staff on jurisdictional differences, especially for sensitive information categories.
Enforcement and Compliance
Department of Health and Human Services Enforcement
OCR leads investigations, audits, and enforcement actions, seeking corrective action through voluntary compliance, resolution agreements, and, when warranted, civil monetary penalties. The Department of Justice may pursue criminal cases for knowing, wrongful disclosures. State attorneys general may bring civil actions under HIPAA.
What triggers investigations
Enforcement often follows individual complaints, breach reports, patterns of non-compliance, or significant security incidents. OCR examines your policies, training, safeguards, business associate oversight, and response to known risks.
Consequences and corrective actions
Outcomes range from technical assistance to formal corrective action plans, external monitoring, and financial penalties scaled to culpability and harm. Beyond regulatory exposure, non-compliance drives operational disruption, reputational damage, and contractual risk.
Building a durable compliance program
- Conduct periodic risk assessments focused on privacy practices and Minimum Necessary Standard adherence.
- Refresh the Notice of Privacy Practices, workforce training, and business associate management.
- Test incident response and breach notification procedures, and document decisions.
- Monitor Public Health Disclosures and Health Oversight Activities to confirm each fits a permitted category and releases only the data the purpose requires.
Bottom line: when you align policies, training, technology, and vendor governance with HIPAA’s requirements—and continuously verify practice against policy—you protect patients, reduce risk, and enable compliant information sharing.
FAQs
What types of entities are covered under the CMS HIPAA Privacy Rule?
Covered entities include health plans, most healthcare providers that transmit health information electronically in standard transactions, and healthcare clearinghouses. Their business associates are also bound by HIPAA through contracts. Although many covered entities participate in CMS programs, the Privacy Rule’s primary enforcement authority rests with HHS’s Office for Civil Rights.
What are the permitted uses and disclosures of PHI without patient authorization?
HIPAA allows PHI to be used or disclosed without authorization for treatment, payment, and healthcare operations; Public Health Disclosures; Health Oversight Activities; disclosures required by law; certain law enforcement and judicial purposes; research under a waiver or limited data set; to avert serious threats; specialized government functions; and workers’ compensation, subject to conditions and the Minimum Necessary Standard where applicable.
How can patients exercise their rights under HIPAA?
Patients can request the Notice of Privacy Practices, ask for access to and copies of their PHI (including electronic formats when available), request amendments to incorrect or incomplete information, obtain an accounting of certain disclosures, ask for restrictions and confidential communications, and file complaints with the provider, plan, or HHS OCR if they believe their rights were violated.
What are the consequences of non-compliance with HIPAA regulations?
Non-compliance may lead to investigations, corrective action plans, and civil monetary penalties scaled by the level of culpability and harm; egregious conduct can trigger criminal liability. Organizations also face reputational damage, contractual exposure, and operational costs tied to remediation and monitoring.