HIPAA FAQ: Answers to Your Top Questions About Privacy, PHI, and Compliance

Kevin Henry

June 22, 2025

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) sets the national baseline for health information privacy and security in the United States. It establishes rules that protect health information privacy while enabling appropriate information flow to support treatment, payment, and health care operations.

HIPAA applies to Covered Entities—health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses—and to their Business Associates, which are vendors that create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf. Written business associate agreements define responsibilities and liability.

Three core rules work together: the Privacy Rule (governing permissible uses and disclosures of PHI), the Security Rule (safeguarding electronic PHI), and the Breach Notification Rule (breach reporting duties). Where state law provides stronger Health Information Privacy protections, those stronger provisions generally prevail.

HIPAA’s guiding principles include individual autonomy, minimum necessary disclosure, and accountability through documentation, training, and enforcement. Effective compliance balances patient trust with operational needs.

Privacy Rule Provisions

The Privacy Rule sets standards for how PHI may be used and disclosed, when authorization is required, and what notices and safeguards you must provide. It aims to protect patient confidentiality without impeding care coordination or public health activities.

Commonly permitted uses and disclosures without authorization

  • Treatment, payment, and health care operations (TPO).
  • Disclosures to the individual and to the Department of Health and Human Services for compliance investigations.
  • Public health reporting, health oversight activities, workers’ compensation, and as required by law.
  • Judicial and law enforcement purposes, organ donation, and to avert a serious threat to health or safety.
  • Research under specific conditions (e.g., IRB waiver or limited data sets with data use agreements).

The minimum necessary standard requires limiting PHI to what is reasonably needed for a purpose, except for certain situations such as disclosures for treatment and to the individual. Role-based access, data segmentation, and need-to-know policies help you operationalize this principle.

Authorizations are required for most uses beyond TPO, including marketing communications and the sale of PHI. You must provide a clear Notice of Privacy Practices, honor reasonable requests for confidential communications, and maintain Health Information Privacy policies that reflect your actual workflows.

Security Rule Safeguards

The Security Rule requires you to protect electronic PHI (ePHI) through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. It is risk-based and scalable, so controls should match the size, complexity, and risks of your organization.

Administrative Safeguards

  • Security management process: conduct an enterprise-wide Risk Assessment and implement risk management plans.
  • Assigned security responsibility and workforce security: define roles, screening, onboarding, and termination procedures.
  • Information access management: least privilege, role-based access, and approval workflows.
  • Security awareness and training: phishing defense, device handling, and incident reporting drills.
  • Contingency planning: data backup, disaster recovery, and emergency mode operations testing.
  • Periodic evaluation and Business Associate oversight through agreements and monitoring.

Physical Safeguards

  • Facility access controls: visitor management and secured server/network rooms.
  • Workstation security: placement, privacy screens, and automatic screen lock.
  • Device and media controls: inventory, encryption at rest, secure disposal, and media reuse procedures.

Technical Safeguards

  • Access controls: unique user IDs, strong authentication, and automatic logoff.
  • Audit controls: centralized logging, alerting, and regular review of access/activity logs.
  • Integrity controls: hashing/checksums, configuration baselines, and change management.
  • Transmission security: encryption in transit (e.g., TLS), secure APIs, and VPNs for remote access.
  • Encryption of ePHI is “addressable,” but strongly recommended; if not implemented, document a reasonable alternative.

PHI Definition and Scope

Protected Health Information is individually identifiable health information that relates to a person’s past, present, or future physical or mental health, health care, or payment for care. PHI can exist in any medium—verbal, paper, or electronic—and includes ePHI stored or transmitted by information systems.

Identifiers that can make information “individually identifiable” include direct identifiers (such as name, address, full-face photos) and indirect identifiers (such as dates, device IDs, or IP addresses) when linked to health data. Removing all 18 HIPAA identifiers or applying expert determination can produce de-identified data.

  • PHI examples: lab results with a patient’s name, a claim record with dates of service and member ID, or portal messages discussing diagnosis and treatment.
  • Not PHI: employment records held by an employer, education records covered by FERPA, and de-identified datasets.

Privacy protections extend to decedents’ PHI for 50 years after death.

Patient Rights and Access

The Privacy Rule grants specific rights that strengthen transparency and control over PHI. You should design processes that make these rights easy to exercise and track.

  • Right of access: obtain copies in the requested form and format if readily producible (including electronic copies); respond within 30 days (one 30-day extension allowed). Fees must be reasonable and cost-based, and you may be directed to send records to a third party.
  • Right to request amendment: if you deny, provide a written basis and a right to submit a statement of disagreement.
  • Right to request restrictions: you must honor a restriction when the patient pays out-of-pocket in full and asks you not to disclose to a health plan for that item or service.
  • Right to confidential communications: accommodate reasonable requests (e.g., alternate address or email).
  • Right to an accounting of disclosures (excluding most TPO disclosures), and the right to receive your Notice of Privacy Practices and file complaints without retaliation.

Clear instructions, identity verification, and secure delivery options—such as patient portal downloads or encrypted email—help you deliver timely access while protecting Health Information Privacy.

Compliance Requirements

HIPAA compliance is an ongoing program, not a one-time project. Your documentation should show how decisions were made, implemented, and periodically reassessed.

  • Perform and update a documented Risk Assessment; address findings with prioritized remediation and timelines.
  • Adopt written privacy, security, and breach response policies; designate Privacy and Security Officers.
  • Train the workforce initially and at regular intervals; enforce sanctions for violations.
  • Execute and manage Business Associate Agreements; verify vendors’ safeguards and breach reporting duties.
  • Implement access governance, monitoring, and Audit Controls; review logs and reconcile anomalies.
  • Encrypt data at rest and in transit where feasible; secure endpoints and mobile devices.
  • Plan for incidents and disasters: incident response playbooks, backups, recovery testing, and communication plans.
  • Retain required documentation for at least six years from the date of creation or last effective date, as applicable.

Breach Notification Procedures

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. Certain exceptions apply, but when in doubt you must evaluate the event promptly and document your decision-making.

When an incident may not be a breach

  • Unintentional access or use by a workforce member acting in good faith within scope of authority.
  • Inadvertent disclosure between authorized persons within the same organization (or organized health care arrangement).
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information.

Risk assessment and decision

Use a four-factor Risk Assessment to determine whether PHI was compromised: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received it, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. If the result indicates compromise, proceed with Breach Reporting.

Notification steps and timelines

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Include what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and contact information.
  • For incidents affecting 500 or more residents of a state/jurisdiction, notify prominent media outlets and report to HHS contemporaneously. For fewer than 500 individuals, log the breach and report to HHS within 60 days after the end of the calendar year.
  • Business Associates must notify the Covered Entity without unreasonable delay (no later than 60 days), including the identities of affected individuals and relevant details.
  • Use first-class mail (or email if the individual agreed). Provide substitute notice if contact information is insufficient or out of date.

Mitigation and safe harbor

Take immediate containment actions, offer mitigation (such as credit monitoring when appropriate), and document every decision. If PHI was secured using strong encryption or was properly destroyed, the incident may qualify for safe harbor and not require breach notification.
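The timelines above and the safe-harbor exception, turned into a small deadline planner as an added example (not code from the original article or from Accountable). The discovery date, per-state counts and the secured/compromised flags are constructed inputs; "end of the calendar year" is assumed to mean the year of discovery, and the HHS contemporaneous-report threshold is applied to the total number of individuals (45 CFR 164.408) while the media-notice threshold is applied per state.

```python
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_LIMIT_DAYS = 60   # "no later than 60 calendar days after discovery"
LARGE_BREACH = 500      # threshold for media notice (per state) and contemporaneous HHS report


@dataclass
class BreachFacts:
    discovered: date
    affected_by_state: dict               # state -> affected residents (constructed sample data)
    phi_was_secured: bool                 # encrypted per HHS guidance or properly destroyed
    four_factor_compromised: bool         # outcome of the four-factor risk assessment
    reporting_as_business_associate: bool = False


def notification_plan(f: BreachFacts) -> dict:
    """Decide who must be notified and by when.

    Dates are outer limits only; "without unreasonable delay" still governs,
    so a real program should treat them as the latest acceptable date.
    """
    if f.phi_was_secured:
        return {"notify": False, "reason": "safe harbor: PHI was secured"}
    if not f.four_factor_compromised:
        return {"notify": False, "reason": "risk assessment: low probability of compromise"}

    outer_limit = f.discovered + timedelta(days=OUTER_LIMIT_DAYS)
    if f.reporting_as_business_associate:
        # A Business Associate notifies the Covered Entity, which then notifies individuals.
        return {"notify": True, "covered_entity_by": outer_limit}

    total = sum(f.affected_by_state.values())
    media_states = sorted(s for s, n in f.affected_by_state.items() if n >= LARGE_BREACH)
    if total >= LARGE_BREACH:
        hhs_by = outer_limit                                  # report to HHS contemporaneously
    else:
        # Assumption: the relevant calendar year is the year of discovery.
        hhs_by = date(f.discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)
    return {
        "notify": True,
        "individuals_by": outer_limit,
        "hhs_by": hhs_by,
        "media_states": media_states,   # states needing notice to prominent media outlets
        "total_affected": total,
    }


if __name__ == "__main__":
    print(notification_plan(BreachFacts(date(2025, 3, 10), {"TX": 620, "OK": 40}, False, True)))
```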

Conclusion

Effective HIPAA programs unite Privacy Rule practices, Security Rule safeguards, and disciplined breach response to protect Protected Health Information. By focusing on practical controls, thorough documentation, and a living Risk Assessment, you strengthen compliance and sustain patient trust.

FAQs

What is considered protected health information under HIPAA?

Protected Health Information (PHI) is any individually identifiable health information—such as diagnoses, treatment details, claim data, or billing information—linked to identifiers like name, address, dates, or device IDs. It covers information in any form (verbal, paper, or electronic) held by Covered Entities or their Business Associates, excluding de-identified data, certain education records, and employment records.

How does the Privacy Rule protect patient data?

The Privacy Rule limits uses and disclosures of PHI to defined purposes, applies the minimum necessary standard, requires individual authorizations for most non-routine uses, and mandates a Notice of Privacy Practices. It also grants patient rights—access, amendment, restrictions, confidential communications, and accounting of disclosures—to reinforce Health Information Privacy.

What are the key requirements of the Security Rule?

You must implement Administrative Safeguards (e.g., Risk Assessment, training, incident response), Physical Safeguards (facility, workstation, and device controls), and Technical Safeguards (access control, audit logs, integrity, authentication, and transmission security). Encryption is strongly recommended; if not adopted, you must document an equivalent, reasonable alternative.

When must a breach notification be issued?

Issue notification without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI, following a four-factor risk assessment. Notify affected individuals, and when 500 or more are impacted in a state/jurisdiction, also notify HHS concurrently and the media; for fewer than 500, report to HHS annually and maintain documentation.
