HIPAA Privacy Guide: Understanding the Privacy Rule, PHI, and Compliance Requirements

Kevin Henry

HIPAA

March 21, 2026

8 minutes read
This HIPAA Privacy Guide explains how the Privacy Rule protects health information, what counts as Protected Health Information (PHI), and how you can meet core compliance requirements. You will learn practical steps for applying the Minimum Necessary Standard, honoring Patient Access Rights, and coordinating with vendors through Business Associate Agreements.

Overview of the HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards for when and how PHI may be used and disclosed. It focuses on protecting individual privacy while allowing the flow of health information needed to deliver high-quality care and run a health system safely and efficiently.

Who must comply

  • Covered Entities: health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses.
  • Business Associates: vendors and service providers that create, receive, maintain, or transmit PHI on behalf of a Covered Entity (for example, EHR providers, billing companies, cloud hosting, telehealth platforms).

What the rule governs

  • Permitted and required uses and disclosures of PHI.
  • Patient rights, including access, amendments, and accounting of disclosures.
  • Organizational duties such as notices, training, and safeguards that support privacy and security.

Defining Protected Health Information

PHI is individually identifiable health information related to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care. PHI can be in any form—paper, electronic (ePHI), or oral.

Identifiers that make data PHI

  • Direct identifiers like names, street addresses, full-face photos, phone numbers, email addresses, Social Security numbers, medical record numbers, and account or certificate numbers.
  • Device IDs, IP addresses, license plates, biometric identifiers, and any unique code that can reasonably identify the individual.
  • Combinations of dates and geographic details that could identify a person when linked to health or payment information.

What is not PHI

  • De-identified data: information that has been de-identified via safe harbor removal of specified identifiers or through expert determination that the risk of re-identification is very small.
  • Limited Data Set: data stripped of most direct identifiers and shared under a data use agreement for research, public health, or health care operations.
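As an added example (it is not part of the original article), the Python below applies the safe harbor rules just described to a constructed patient record: it drops the direct identifier fields outright, truncates ZIP codes to three digits (reporting 000 for the sparsely populated areas listed in HHS guidance), reduces individual dates to the year, collapses ages over 89 into a single 90+ category, and scrubs identifier-shaped strings out of free-text notes, which is where identifiers most often survive a structured scrub. The field names, the regular expressions and the sample record are assumptions for illustration.

```python
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Field names are assumptions for this example; map them onto your own schema.
# Direct identifiers that safe harbor requires removing outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "certificate_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo", "other_unique_code",
}
# Dates tied to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Free-text fields that can carry identifiers the structured rules never see.
FREE_TEXT_FIELDS = {"notes"}
# Three-digit ZIP areas with 20,000 or fewer residents (HHS safe harbor guidance,
# 2000 census); these must be reported as 000 instead of the real prefix.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Constructed patterns for identifiers leaking through free text (not exhaustive).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for a restricted area."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single 90+ category."""
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings; return the text and the kinds found."""
    found: list[str] = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[REDACTED-{kind}]", text)
    return text, found


def safe_harbor_deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with safe harbor identifiers removed or generalized."""
    out: dict[str, Any] = {}
    for field_name, value in record.items():
        if field_name in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if field_name == "zip":
            out["zip3"] = generalize_zip(value)
        elif field_name in DATE_FIELDS:
            out[field_name.replace("_date", "_year")] = str(value.year)
        elif field_name == "age":
            out["age"] = generalize_age(value)
        elif field_name in FREE_TEXT_FIELDS:
            out[field_name], _ = scrub_free_text(value)
        else:
            out[field_name] = value
    # A birth year on its own reveals an age over 89, so it is removed for the 90+ group.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "ssn": "123-45-6789",
    "zip": "02139",
    "birth_date": date(1931, 5, 4),
    "admission_date": date(2026, 3, 1),
    "age": 94,
    "diagnosis_code": "E11.9",
    "notes": "Patient prefers callbacks at 617-555-0100.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

The free-text scrub is the part most worth testing against your own notes: a structured de-identification that leaves "call her at 617-555-0100" in a comment field has not met safe harbor, and a regex pass is a floor, not a guarantee, so the returned list of pattern kinds is also useful as a metric for how often notes are leaking identifiers.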

Permitted Uses and Disclosures of PHI

The Privacy Rule allows certain uses and disclosures without individual authorization and requires authorization for others. Build policies that map real-world scenarios to these pathways.

Without authorization

  • Treatment, Payment, and Health Care Operations (TPO): coordination of care, claims management, quality improvement, credentialing, audits, and related functions.
  • Public interest and other specified purposes: required by law; public health reporting; health oversight activities; judicial and administrative proceedings; certain law enforcement purposes; organ and tissue donation; coroners and medical examiners; research with IRB/Privacy Board waiver or under a Limited Data Set; to avert a serious threat to health or safety; specialized government functions; workers’ compensation; and to HHS for compliance review.
  • Incidental disclosures: permitted when reasonable safeguards and the Minimum Necessary Standard are in place.

With authorization

  • Marketing communications not otherwise permitted, most disclosures to third parties for non-TPO purposes, and sale of PHI require a valid, written authorization that can be revoked by the individual.

Implementing the Minimum Necessary Standard

The Minimum Necessary Standard requires you to limit uses, disclosures, and requests for PHI to the least amount needed to accomplish the purpose. It applies to both Covered Entities and Business Associates.

Key exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made under a valid authorization.
  • Uses or disclosures required by law or requested by HHS for compliance.

Practical implementation steps

  • Role-based access: define job roles and align system permissions so workforce members see only what they need.
  • Standard protocols: create templates for common disclosures (e.g., claims, audits, referrals) that pre-limit data elements.
  • Data minimization tools: use filters, data segmentation, and reports that suppress unnecessary identifiers.
  • Review and approval: require supervisory checks for non-routine requests and maintain logs of decisions.
  • Training and reminders: teach staff how to phrase requests narrowly and verify purpose before releasing PHI.
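The steps above fit together as one control: a routine request is answered from a pre-limited template, a non-routine request is blocked until someone approves it, and every release is logged with its basis. The Python below is an added example of that pattern (it is not code from the original article); the role names, purposes, template field sets and the sample record are assumptions for illustration. It also reproduces the treatment exception from the previous section, under which a treating provider's request is not subject to the minimum necessary limit.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Optional

# Routine disclosure templates: (role, purpose) -> the pre-limited set of fields.
# Role, purpose and field names are assumptions for this example.
ROUTINE_TEMPLATES: dict[tuple[str, str], set[str]] = {
    ("billing", "claims"): {"mrn", "insurance_id", "date_of_service",
                            "procedure_codes", "diagnosis_codes", "charges"},
    ("quality", "audit"): {"mrn", "date_of_service", "procedure_codes",
                           "diagnosis_codes", "outcome"},
    ("scheduling", "appointment"): {"mrn", "name", "phone", "preferred_contact"},
}


@dataclass
class DisclosureDecision:
    """One logged decision: who asked, why, what was released, and on what basis."""
    role: str
    purpose: str
    basis: str
    fields_released: list[str]
    approved_by: Optional[str]
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class MinimumNecessaryFilter:
    """Projects a record down to the fields a role needs for a purpose, and logs it."""

    def __init__(self) -> None:
        self.log: list[DisclosureDecision] = []

    def release(self, record: dict[str, Any], role: str, purpose: str,
                requested_fields: Optional[list[str]] = None,
                approved_by: Optional[str] = None) -> dict[str, Any]:
        if role == "treating_provider" and purpose == "treatment":
            # Treatment requests by a provider are exempt from the minimum necessary limit.
            basis = "treatment exception"
            allowed = set(record)
        elif (role, purpose) in ROUTINE_TEMPLATES:
            # Routine request: the template already limits the data elements.
            basis = "routine template"
            allowed = ROUTINE_TEMPLATES[(role, purpose)]
        else:
            # Non-routine request: needs a named approver and an explicit field list.
            if approved_by is None:
                raise PermissionError(
                    f"non-routine request ({role}/{purpose}) requires supervisory approval")
            basis = "non-routine, approved"
            allowed = set(requested_fields or ())
        released = {k: v for k, v in record.items() if k in allowed}
        self.log.append(DisclosureDecision(role, purpose, basis, sorted(released), approved_by))
        return released


# Constructed sample record; the values are made up for the example.
SAMPLE_RECORD: dict[str, Any] = {
    "mrn": "MRN-0002", "name": "Sam Example", "phone": "617-555-0199",
    "ssn": "987-65-4321", "insurance_id": "PLAN-77", "date_of_service": "2026-03-01",
    "procedure_codes": ["99213"], "diagnosis_codes": ["E11.9"], "charges": 150.00,
    "outcome": "stable", "preferred_contact": "phone", "notes": "Discussed diet.",
}

if __name__ == "__main__":
    mnf = MinimumNecessaryFilter()
    print(mnf.release(SAMPLE_RECORD, "billing", "claims"))
    for decision in mnf.log:
        print(decision)
```

The log entries are the evidence an auditor asks for: each one ties a release to a template or an approver, which is what lets you show that a given disclosure was limited to what was reasonably needed rather than to whatever the system happened to return.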

Patient Rights Under HIPAA

Patients have enforceable privacy rights. Build workflows that make these Patient Access Rights simple, timely, and well-documented.

Access and copies

  • Provide access to designated record sets within a prompt timeframe, including electronic copies when you maintain ePHI.
  • Charge no more than a reasonable, cost-based fee for copies and, when the patient directs you in writing, send the records to a third party of the patient's choosing.

Amendments and accounting

  • Amendment: allow patients to request corrections; if you deny, explain the reason and how to submit a statement of disagreement.
  • Accounting of disclosures: track certain non-TPO disclosures and, on request, give the patient a list of them covering the applicable look-back period.

Restrictions and confidential communications

  • Consider requests to restrict uses or disclosures; if the patient pays for an item or service in full out of pocket, do not disclose that PHI to a health plan for payment or operations unless required by law.
  • Accommodate reasonable requests for alternative addresses or communication channels.

Notice and complaints

  • Give patients a clear Notice of Privacy Practices describing uses, disclosures, and rights.
  • Explain how to file privacy complaints without fear of retaliation.

Safeguarding PHI with Administrative and Technical Measures

Protecting PHI requires layered controls. Combine Administrative Safeguards, Technical Safeguards, and physical protections to reduce risk and support compliance.

Administrative Safeguards

  • Conduct risk analysis and implement risk management plans; review regularly.
  • Adopt written policies and procedures, workforce training, sanction policies, and vendor due diligence.
  • Establish contingency plans, incident response, and breach notification processes.
  • Execute and manage Business Associate Agreements with all relevant vendors and subcontractors.

Technical Safeguards

  • Enforce unique user IDs, multi-factor authentication, automatic logoff, and robust access controls.
  • Use encryption for ePHI in transit and at rest, plus integrity controls and digital signatures where appropriate.
  • Enable audit logs, monitoring, and alerts for anomalous access or data exfiltration.
  • Apply secure configuration baselines, patching, endpoint protection, and secure disposal of media.
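The audit-log bullet above is only useful if something actually reads the logs. As an added example (not code from the original article), the Python below runs three simple detection rules over constructed audit lines: a user viewing more distinct patient records in one hour than their role plausibly needs, access outside business hours by a role not expected to be on shift, and a bulk export above a size threshold. The log format (ISO timestamp followed by key=value pairs), the role names, and the thresholds are assumptions for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from typing import Any

# Constructed sample audit lines; format, users and roles are assumed for this example.
SAMPLE_AUDIT_LOG = """\
2026-03-21T09:02:11Z user=nurse7 role=nurse action=view mrn=MRN-1001
2026-03-21T09:05:40Z user=nurse7 role=nurse action=view mrn=MRN-1002
2026-03-21T14:10:03Z user=billing3 role=billing action=view mrn=MRN-1001
2026-03-21T14:10:09Z user=billing3 role=billing action=view mrn=MRN-1002
2026-03-21T14:10:15Z user=billing3 role=billing action=view mrn=MRN-1003
2026-03-21T14:10:21Z user=billing3 role=billing action=view mrn=MRN-1004
2026-03-21T14:10:27Z user=billing3 role=billing action=view mrn=MRN-1005
2026-03-21T14:10:33Z user=billing3 role=billing action=view mrn=MRN-1006
2026-03-21T23:41:00Z user=billing3 role=billing action=view mrn=MRN-2003
2026-03-22T01:15:22Z user=night9 role=night_nurse action=view mrn=MRN-3001
2026-03-22T03:02:00Z user=analyst2 role=analyst action=export count=4000
"""

# Roles expected to work outside business hours (assumed for the example).
AFTER_HOURS_ROLES = {"night_nurse", "ed_physician"}
BUSINESS_HOURS = (7, 19)        # 07:00 to 18:59 UTC counts as in-hours
BULK_VIEW_THRESHOLD = 5         # more distinct records per hour than this is flagged
EXPORT_COUNT_THRESHOLD = 1000   # exports larger than this are flagged for review


def parse_line(line: str) -> dict[str, Any]:
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts, *pairs = line.split()
    event: dict[str, Any] = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_anomalies(log_text: str) -> list[dict[str, Any]]:
    """Apply the three rules and return one alert dict per finding."""
    alerts: list[dict[str, Any]] = []
    # (user, "YYYY-MM-DDTHH") -> distinct records viewed in that hour
    views_per_user_hour: dict[tuple[str, str], set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        hour = ev["ts"].hour
        in_hours = BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]
        if not in_hours and ev["role"] not in AFTER_HOURS_ROLES:
            alerts.append({"rule": "off_hours_access", "user": ev["user"],
                           "ts": ev["ts"].isoformat()})
        if ev["action"] == "view":
            key = (ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))
            seen = views_per_user_hour[key]
            seen.add(ev["mrn"])
            if len(seen) == BULK_VIEW_THRESHOLD + 1:  # fire once, when the threshold is crossed
                alerts.append({"rule": "bulk_record_access", "user": ev["user"],
                               "hour": key[1], "distinct_records": len(seen)})
        elif ev["action"] == "export" and int(ev.get("count", "0")) > EXPORT_COUNT_THRESHOLD:
            alerts.append({"rule": "large_export", "user": ev["user"],
                           "count": int(ev["count"]), "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_AUDIT_LOG):
        print(alert)
```

Thresholds like these need tuning per role: a billing clerk touching six charts in an hour may be normal in a claims run, and the point of the rule is to make the reviewer look, not to block. The important design property is that the log line carries the user, the role, the action and the record identifier, since none of the rules can be written without all four.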

Physical protections

  • Control facility and workstation access; position screens to avoid shoulder surfing.
  • Manage device and media controls, including inventory, storage, reuse, and destruction.

Compliance for Business Associates

Business Associates are directly liable for maintaining appropriate privacy and security practices when handling PHI. Your contracts and operations should work together to meet HIPAA’s standards.

Business Associate Agreements

  • Define permitted uses and disclosures, Minimum Necessary obligations, and safeguards requirements.
  • Require breach reporting to the Covered Entity without unreasonable delay and downstream BAAs for subcontractors.
  • Address termination, data return or destruction, and ongoing cooperation during investigations.

Operational expectations

  • Conduct risk assessments, train staff, and restrict access to role-based needs.
  • Implement encryption, logging, and change management across hosted or managed systems.
  • Document decisions, maintain incident response plans, and test contingency procedures.

Conclusion

Effective HIPAA privacy compliance centers on knowing what PHI is, limiting its use through the Minimum Necessary Standard, honoring patient rights, and implementing strong Administrative and Technical Safeguards. When Covered Entities and Business Associates align contracts and day-to-day practices, they reduce risk, build trust, and support better care.

FAQs

What is considered Protected Health Information under HIPAA?

PHI is any individually identifiable health or payment information—such as names, contact details, medical record numbers, IP addresses, diagnoses, treatment notes, or billing data—that relates to a person’s health, care provided, or payment for care. PHI can be paper, electronic, or oral, and becomes de-identified only when identifiers are removed or an expert determines re-identification risk is very small.

How do covered entities ensure minimum necessary disclosures?

Covered Entities set role-based access rules, standardize disclosure templates, and use data minimization tools that filter out unnecessary fields. They require approvals for non-routine requests, train staff to verify purpose before releasing PHI, and document decisions to show that each use, disclosure, or request was limited to what was reasonably needed.

What are the patient rights for accessing PHI?

Patients can inspect and obtain copies of their records—including electronic copies when available—and direct records to a chosen third party. They may request amendments, ask for an accounting of certain disclosures, request restrictions (including limiting disclosures to a health plan for fully self-paid services), and receive communications at alternative locations or by alternative means.

What safeguards must be implemented to comply with the HIPAA Privacy Rule?

Implement layered protections: Administrative Safeguards (policies, training, risk management, BAAs, incident response), Technical Safeguards (access controls, MFA, encryption, audit logging, integrity controls), and physical controls (facility and device protections). Together, these measures reduce the likelihood of unauthorized access, use, or disclosure of PHI and support ongoing compliance.
