HIPAA and the Privacy Rule: What’s the Difference and Why It Matters

Kevin Henry

HIPAA

February 03, 2025

8 minute read

Overview of HIPAA

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that sets national baselines for how health information moves, is protected, and is used. It created the “Administrative Simplification” standards that govern privacy, security, unique identifiers, and code sets for electronic health transactions.

Think of HIPAA as the foundation. It authorizes the U.S. Department of Health and Human Services (HHS) to issue detailed rules—like the Privacy Rule and Security Rule—that spell out what organizations must do to safeguard Protected Health Information and how they may use or disclose it.

HIPAA applies broadly across the healthcare ecosystem, reaching health plans, most healthcare providers, and healthcare clearinghouses, and it also extends obligations to vendors and partners that handle PHI on their behalf.

Purpose of the Privacy Rule

The Privacy Rule is one of HIPAA’s core regulations. Its purpose is to protect individuals by setting national standards for the use and disclosure of Protected Health Information while still allowing the flow of information needed to deliver care, pay claims, and run the healthcare system efficiently.

Balancing privacy with care delivery

  • Permits the use and disclosure of PHI for treatment, payment, and healthcare operations without individual authorization.
  • Allows disclosures required by law and for specific public interest and safety activities (for example, certain public health reporting) under defined conditions.
  • Requires individual authorization for most other uses, including marketing, the sale of PHI, and most uses of psychotherapy notes.

Core privacy safeguards

  • Minimum necessary: limit PHI to the least amount needed to accomplish the task.
  • Reasonable privacy safeguards: administrative, technical, and physical measures to reduce inappropriate access, use, or disclosure.
  • Transparency: provide a clear Notice of Privacy Practices that explains how PHI is used and your rights.

Protected Health Information (PHI)

PHI is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care. PHI can exist in any form—paper, electronic, or oral—and includes data elements that could identify the person.

Common examples

  • Clinical data: diagnoses, lab results, imaging, care plans, medication lists, and progress notes.
  • Administrative data: claim numbers, billing details, eligibility information, and appointment histories.
  • Identifiers: names, addresses, contact details, dates of service, medical record numbers, and other direct or indirect identifiers.

What is not PHI

  • De-identified data: information from which the specified identifiers have been removed under the Privacy Rule’s safe harbor method, or which an expert has determined carries a very low risk of re-identification.
  • Education records protected by FERPA and employment records held by an entity in its role as employer.
  • Information about a person deceased for more than 50 years.

PHI vs. ePHI

PHI covers all formats; ePHI is PHI in electronic form and is also subject to HIPAA’s Security Rule. The Privacy Rule governs when and why information may be used or shared, while the Security Rule addresses how ePHI is protected.

Rights Granted by the Privacy Rule

The Privacy Rule gives you meaningful control over your information while keeping care moving. Covered Entities must honor these rights consistently and on time.


Access and copies

  • You can inspect and obtain a copy of your PHI held in a designated record set, including electronic copies when records are maintained electronically.
  • Fees must be reasonable and cost-based.

Amendment

  • You may request corrections to inaccurate or incomplete PHI. If denied, you can submit a statement of disagreement to be included in the record.

Accounting of disclosures

  • You may request an accounting of certain disclosures of your PHI made by a Covered Entity.

Restrictions and confidential communications

  • You can request limits on the use or sharing of your PHI; while not all requests must be granted, providers must agree to restrict disclosures to a health plan for an item or service paid in full out of pocket.
  • You can ask to be contacted at an alternative address or via a preferred method to enhance privacy.

Notice and complaints

  • You are entitled to a Notice of Privacy Practices explaining uses, disclosures, and rights.
  • You may file a complaint with a Covered Entity or with HHS if you believe your rights have been violated.

Compliance Requirements for Covered Entities

Covered Entities—health plans, healthcare clearinghouses, and most healthcare providers who conduct specified Electronic Health Transactions—must implement policies, processes, and agreements that translate the Privacy Rule into daily operations.

Governance and documentation

  • Appoint a privacy official and designate a contact for complaints and questions.
  • Maintain written policies and procedures, review them periodically, and retain required documentation for the mandated timeframes.
  • Train the workforce on privacy practices and apply appropriate sanctions for violations.

Use and disclosure controls

  • Apply the minimum necessary standard, with role-based access to PHI.
  • Obtain valid individual authorization when required and manage revocations appropriately.
  • Execute Business Associate Agreements with vendors and partners that create, receive, maintain, or transmit PHI.

Operational safeguards

  • Implement reasonable privacy safeguards to reduce incidental or inappropriate disclosures in clinics, call centers, and digital workflows.
  • Integrate privacy checks into electronic health transactions, revenue cycle processes, and data sharing for care coordination.

Breach response

  • Assess suspected incidents to determine whether an impermissible use or disclosure occurred and whether there is a low probability of compromise.
  • If a breach is confirmed, notify affected individuals and HHS; for certain large breaches, notify the media as required.

Impact on Healthcare Providers

For providers, the Privacy Rule shapes front-desk scripts, charting habits, patient portal practices, and vendor management. Getting it right builds patient trust and reduces risk.

Practical implications

  • Front office: verify identities, share only the minimum necessary, and manage family and caregiver requests appropriately.
  • Clinical teams: document with care, use secure channels, and limit hallway or elevator conversations that could expose PHI.
  • Release of information: standardize requests, validate authorizations, and track disclosure decisions.
  • Technology: ensure EHR configurations support role-based access, audit trails, and timely patient access.
  • Vendors: put Business Associate Agreements in place for billing services, cloud hosting, telehealth platforms, and analytics tools.

Special situations

  • Marketing and fundraising: carefully distinguish communications that require individual authorization from those allowed under the rule.
  • Research: apply de-identification, limited data sets with data use agreements, or obtain authorizations as appropriate.
  • Legal requests: respond to subpoenas and court orders only in ways permitted by the Privacy Rule and applicable law.

Enforcement and Penalties

HHS’s Office for Civil Rights (OCR) enforces the Privacy Rule through complaint investigations, compliance reviews, and breach investigations. Outcomes range from technical assistance and voluntary corrective action to formal resolution agreements with multi-year corrective action plans.

Civil monetary penalties scale by the level of culpability, from lack of knowledge to willful neglect not corrected. The U.S. Department of Justice can bring criminal cases for knowing misuse or sale of PHI, especially when done under false pretenses or for personal gain. State attorneys general may also bring civil actions to protect residents.

Conclusion

HIPAA is the overarching law; the Privacy Rule is the detailed playbook that tells Covered Entities when and how they may use or disclose Protected Health Information and what rights you have over it. By embedding privacy controls into daily workflows, honoring patient rights, and responding effectively to incidents, organizations protect individuals and maintain the trust essential to high-quality care.

FAQs

What is the relationship between HIPAA and the Privacy Rule?

HIPAA is the federal statute that authorizes national standards for health information. The Privacy Rule is a regulation issued under HIPAA that sets specific requirements for when PHI can be used or disclosed and what rights individuals have. In short, HIPAA provides the legal authority; the Privacy Rule provides the operational rules you must follow.

How does the Privacy Rule protect patient information?

It limits uses and disclosures to defined purposes, requires individual authorization for many non-routine uses, enforces the minimum necessary standard, and mandates reasonable privacy safeguards and transparency through a Notice of Privacy Practices. These controls reduce inappropriate access while preserving the flow of information needed for care, payment, and operations.

Who must comply with the HIPAA Privacy Rule?

Covered Entities—health plans, healthcare clearinghouses, and most healthcare providers that conduct specified electronic health transactions—must comply. Business associates that handle PHI for Covered Entities must also follow the Privacy Rule obligations imposed on them contractually through Business Associate Agreements.

What rights do individuals have under the Privacy Rule?

You have the right to access and obtain copies of your PHI, request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, obtain a Notice of Privacy Practices, and file a complaint if you believe your privacy rights were violated.
