HIPAA Privacy Rule Basics: PHI and Business Associates, Definitions and Requirements
The HIPAA Privacy Rule sets national standards for how Protected Health Information (PHI) is used, disclosed, and safeguarded. This guide explains core definitions, the roles of Covered Entities and Business Associates, permissible disclosures, the Minimum Necessary Standard, individual rights, and how enforcement by the Office for Civil Rights works.
Use this overview to translate legal requirements into practical steps you can apply in policies, workflows, and technology. Throughout, you’ll see how Business Associate Agreements, Administrative Safeguards, and Technical Safeguards fit together to protect privacy without impeding care.
Definitions of Protected Health Information
What counts as PHI?
PHI is individually identifiable health information created or received by a Covered Entity or Business Associate that relates to a person’s health status, provision of care, or payment for care. PHI can be paper, oral, or electronic (ePHI).
- Identifiers include names, addresses, full-face photos, Social Security and medical record numbers, and device or account numbers.
- Clinical details include diagnoses, lab results, medications, treatment plans, and encounter dates when linked to a person.
- Financial and claims data tied to an individual are PHI when handled by a Covered Entity or its Business Associates.
What is not PHI?
- De-identified information that cannot reasonably identify a person.
- Education records subject to FERPA and employment records held by a Covered Entity in its role as employer.
- Information about a decedent more than 50 years after death.
De-identified data and limited datasets
PHI is de-identified when a qualified expert determines re-identification risk is very small, or when specified identifiers are removed under the “Safe Harbor” method. De-identified data is not subject to the Privacy Rule.
A “limited dataset” removes most direct identifiers but may retain dates and certain geography. It may be disclosed for research, public health, or health care operations under a data use agreement that limits re-identification and downstream disclosures.
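To make the difference between the two data levels concrete, here is an added example (not code from the original page) that strips a constructed patient record down to a limited dataset and, separately, to Safe Harbor de-identified form. The field names, the sample record, and the decision to drop ZIP entirely (rather than model the 3-digit ZIP population test) are assumptions of this example.

```python
"""Two de-identification levels, as an added example: a limited dataset
(direct identifiers removed, dates and town/state/ZIP kept) and Safe Harbor
(identifiers removed or generalised). Fields and record are constructed."""

# Direct identifiers that both a limited dataset and Safe Harbor remove.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street",
                      "device_id", "ip_address", "photo"}
# Geography finer than state: a limited dataset may keep it, Safe Harbor
# may not (Safe Harbor's 3-digit ZIP allowance needs a population check that
# is not modelled here, so ZIP is dropped entirely in this example).
SUBSTATE_GEOGRAPHY = {"city", "zip"}
# Dates tied to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def to_limited_dataset(record: dict) -> dict:
    """Remove direct identifiers; usable only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def to_safe_harbor(record: dict) -> dict:
    """Apply the Safe Harbor removals on top of the limited-dataset strip."""
    over_89 = int(record.get("age", 0)) >= 90
    out = {}
    for k, v in to_limited_dataset(record).items():
        if k in SUBSTATE_GEOGRAPHY:
            continue
        if k == "dob" and over_89:
            continue                  # birth year would reveal age over 89
        if k in DATE_FIELDS:
            v = str(v)[:4]            # keep the year only (ISO yyyy-mm-dd)
        elif k == "age" and over_89:
            v = "90+"                 # ages over 89 aggregate to one bucket
        out[k] = v
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "email": "jane@example.invalid", "phone": "555-0100",
    "street": "1 Example Way", "city": "Springfield", "state": "IL",
    "zip": "62704", "dob": "1931-05-04", "admit_date": "2024-02-10",
    "age": 92, "diagnosis": "I10", "lab_result": "A1c 6.8",
}

if __name__ == "__main__":
    print(to_limited_dataset(SAMPLE))
    print(to_safe_harbor(SAMPLE))
```

Note that the limited dataset still contains dates and city/ZIP, which is exactly why it remains PHI and needs a data use agreement, while the Safe Harbor output does not.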
Role and Responsibilities of Business Associates
Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for a Covered Entity. Examples include EHR and billing vendors, cloud and backup providers, telehealth platforms, third-party administrators (TPAs), and analytics firms.
Core responsibilities
- Use or disclose PHI only as permitted by the Business Associate Agreement (BAA) and the Privacy Rule.
- Implement Administrative Safeguards, Technical Safeguards, and appropriate physical safeguards to protect PHI.
- Report breaches and certain incidents to the Covered Entity and support investigations.
- Flow down BAA obligations to subcontractors that handle PHI.
- Assist Covered Entities with access, amendment, and accounting requests involving PHI they hold.
Business Associate Agreements
BAAs define permitted uses and disclosures, required safeguards, breach reporting, subcontractor obligations, and how PHI is returned or destroyed at termination. They may authorize limited activities like de-identification or data aggregation for health care operations.
Permitted Business Associate uses
- Activities for or on behalf of the Covered Entity consistent with the BAA.
- The Business Associate's own management, legal, and compliance tasks, provided any disclosure is required by law or protected by adequate safeguards.
- De-identification of PHI, if expressly allowed.
Covered Entities and Their Obligations
Covered Entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Hybrid entities must designate the health care component subject to HIPAA.
Programmatic obligations
- Appoint a privacy official, train the workforce, and apply sanctions for violations.
- Publish and distribute a Notice of Privacy Practices explaining uses, rights, and contacts.
- Adopt policies to implement the Minimum Necessary Standard and verify requestors’ identities.
- Execute and manage Business Associate Agreements with all vendors handling PHI.
- Mitigate harmful effects of improper uses or disclosures and document actions taken.
Reasonable safeguards
Covered Entities must apply reasonable Administrative Safeguards, Technical Safeguards, and physical safeguards to reduce the risk of impermissible uses or disclosures. Examples include role-based access, secure messaging, authentication, audit logs, and privacy-conscious front-desk practices.
Workforce and vendor management
- Provide initial and periodic privacy training tailored to job roles.
- Review access rights routinely and remove access promptly when roles change.
- Assess vendor risk before onboarding and monitor ongoing BAA compliance.
Use and Disclosure Standards for PHI
Required disclosures
- To the individual (or personal representative) upon request.
- To the Department of Health and Human Services for compliance investigations and reviews.
Permitted uses and disclosures without authorization
- Treatment, payment, and health care operations.
- Public health activities and health oversight.
- Judicial and administrative proceedings, and certain law-enforcement purposes.
- To avert a serious threat to health or safety.
- Research under IRB/Privacy Board waiver or as a limited dataset with a data use agreement.
- Disclosures about decedents, and for cadaveric organ, eye, and tissue donation purposes.
- Workers’ compensation and other disclosures required by law.
- Facility directories and disclosures to family or caregivers involved in care, with opportunities to agree or object.
Disclosures requiring authorization
- Most uses beyond those listed above, including marketing and the sale of PHI.
- Most disclosures of psychotherapy notes (with narrow exceptions).
Incidental disclosures
Incidental disclosures that occur despite reasonable safeguards—such as a visitor overhearing a name at a nursing station—are not violations when the underlying use or disclosure is permissible and safeguards are in place.
Minimum Necessary Standard Implementation
What the standard requires
When the Minimum Necessary Standard applies, you must limit PHI uses, disclosures, and requests to the least amount of information needed to accomplish the purpose. Policies should define who may access what, under which circumstances, and why.
Key exceptions
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to the individual, or pursuant to a valid authorization.
- Disclosures to HHS for compliance, or uses/disclosures required by law.
Practical implementation steps
- Role-based access with job matrices and periodic access reviews.
- Standardized request forms and workflows that predefine needed data elements.
- EHR query filters, break-glass controls, and audit logs to deter over-access.
- Use de-identified data or limited datasets when full PHI is not necessary.
- Policies to rely on another Covered Entity’s documented minimum-necessary determination when appropriate.
- Ongoing training and sanctions for accessing more information than required.
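The role-based filtering, break-glass override, and audit logging from the steps above can be combined in one access check. The following is an added example, not code from the original page or from any EHR product; the job matrix, field names, and sample chart are constructed for illustration.

```python
"""Minimum-necessary access filter with break-glass and an audit trail.
Added example: roles, field names and the sample chart are constructed."""
from datetime import datetime, timezone
from typing import Optional

# Job matrix: the data elements each role needs for its routine purpose.
ROLE_FIELDS = {
    "scheduler": {"name", "phone", "next_appointment"},
    "billing": {"name", "insurance_id", "procedure_codes", "charges"},
    "nurse": {"name", "allergies", "medications", "vitals", "diagnosis"},
}
BREAK_GLASS_ROLES = {"nurse"}  # clinical roles allowed to override
AUDIT_LOG = []                 # append-only; ship to a SIEM in practice


def minimum_necessary(record: dict, user: str, role: str, purpose: str,
                      break_glass_reason: Optional[str] = None) -> dict:
    """Return only the fields the role needs and log every release."""
    if role not in ROLE_FIELDS:
        raise PermissionError("unknown role: %s" % role)
    allowed = ROLE_FIELDS[role]
    override = bool(break_glass_reason)
    if override:
        if role not in BREAK_GLASS_ROLES:
            raise PermissionError("break-glass not permitted for this role")
        allowed = set(record)  # whole chart released, but flagged for review
    released = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(), "user": user,
        "role": role, "purpose": purpose, "mrn": record.get("mrn"),
        "fields": sorted(released), "break_glass": override,
        "reason": break_glass_reason,
    })
    return released


def break_glass_events() -> list:
    """Log entries a privacy officer must review after the fact."""
    return [e for e in AUDIT_LOG if e["break_glass"]]


# Constructed sample chart (not real patient data).
CHART = {
    "mrn": "MRN-000123", "name": "Jane Example", "phone": "555-0100",
    "next_appointment": "2024-03-01", "insurance_id": "PLAN-42",
    "procedure_codes": ["99213"], "charges": 150.0, "allergies": ["PCN"],
    "medications": ["lisinopril"], "vitals": {"bp": "128/82"}, "diagnosis": "I10",
}
```

Calling `minimum_necessary(CHART, "u1", "scheduler", "appointment reminder")` returns only name, phone, and next appointment, while a nurse supplying a break-glass reason receives the whole chart and leaves an entry that `break_glass_events()` surfaces for review.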
Common pitfalls
- Exporting entire charts when a summary will do.
- Using broad email lists instead of targeted recipients.
- Failing to adjust access rights after role changes.
Individual Rights Under the Privacy Rule
Right of access
Individuals have the right to inspect or obtain copies of PHI in a designated record set in the form and format requested if readily producible, including electronic formats. Covered Entities generally must respond within 30 days (with one allowable 30-day extension) and may charge only reasonable, cost-based fees.
Right to request amendment
Individuals may ask to amend PHI that is inaccurate or incomplete. Covered Entities must act within 60 days (with one 30-day extension). If denied, individuals may submit a statement of disagreement, and the Covered Entity must append appropriate statements to future disclosures.
Right to an accounting of disclosures
Upon request, individuals may receive an accounting of certain disclosures made in the prior six years, excluding routine treatment, payment, and operations or disclosures authorized by the individual.
Right to request restrictions
Covered Entities must consider restriction requests and must honor a request to restrict disclosure to a health plan when the disclosure is solely for payment or health care operations and the individual has paid in full out of pocket for the item or service.
Right to confidential communications
Individuals can request communications at alternative locations or by alternative means (for example, mailing to a P.O. box). Covered Entities must accommodate reasonable requests.
Notice of Privacy Practices
Covered Entities must provide, post, and adhere to a Notice of Privacy Practices explaining uses and disclosures, individual rights, how to exercise those rights, and how to contact the privacy office.
Enforcement and Penalties for Noncompliance
Who enforces
Enforcement by the Office for Civil Rights (OCR) focuses on complaint investigations, compliance reviews, guidance, and corrective action. State Attorneys General and, for criminal violations, the Department of Justice may also take action.
Resolution pathways
- Technical assistance and voluntary corrective action for minor issues.
- Resolution agreements with multi-year corrective action plans and monitoring.
- Civil monetary penalties using a tiered structure based on culpability, with amounts adjusted annually.
- Criminal penalties for knowing misuse or wrongful disclosures of PHI.
Common compliance gaps
- Missing or outdated Business Associate Agreements.
- Delayed responses to right-of-access requests.
- Excessive access to PHI and weak audit controls.
- Inadequate training and incomplete policies or documentation.
Building a defensible program
- Maintain current policies, BAAs, and risk assessments; document decisions and reviews.
- Embed privacy checks in new projects and vendor onboarding.
- Monitor, audit, and promptly correct issues; retrain when necessary.
Conclusion
By understanding PHI definitions, aligning Covered Entities and Business Associates through strong BAAs, applying the Minimum Necessary Standard, and operationalizing Administrative Safeguards and Technical Safeguards, you can protect privacy and deliver care efficiently. A documented, proactive approach is your best defense in the event of scrutiny or a complaint.
FAQs
What is Protected Health Information (PHI)?
PHI is individually identifiable health information—paper, oral, or electronic—created or received by a Covered Entity or Business Associate that relates to health status, care provided, or payment for care. When data cannot reasonably identify a person (de-identified), it is no longer PHI.
What are the responsibilities of Business Associates under HIPAA?
Business Associates must use and disclose PHI only as allowed by their Business Associate Agreements and the Privacy Rule, implement appropriate safeguards, report breaches, flow down obligations to subcontractors, and support individuals’ rights requests involving PHI they hold.
How does the Minimum Necessary Standard apply to PHI use?
Except for specific exceptions (such as treatment, disclosures to the individual, HHS compliance, and uses required by law), you must limit uses, disclosures, and requests to the least PHI needed to achieve the purpose, using role-based access, targeted requests, and technical controls.
What penalties exist for HIPAA Privacy Rule violations?
OCR applies a tiered civil penalty structure based on the level of culpability and may require corrective action plans and monitoring. The Department of Justice can bring criminal cases for knowing misuse, and State Attorneys General may also enforce HIPAA.