HIPAA Privacy Rule Compliance: Who’s Covered, What Counts as PHI

HIPAA Privacy Rule Compliance: Who’s Covered, What Counts as PHI

Kevin Henry

HIPAA

February 26, 2025

6 minutes read

To meet HIPAA Privacy Rule compliance, you need to know who the law covers and what qualifies as Protected Health Information (PHI). This guide clarifies covered entities, business associates, PHI disclosures, and the safeguards and rights that shape everyday compliance decisions.

Covered Entities Definition

Covered entities are the organizations directly regulated by the HIPAA Privacy Rule: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. If you operate in one of these categories, HIPAA’s requirements apply to you.

Employers are generally not covered entities, but an employer’s self‑funded group health plan is. Some organizations are “hybrid entities” that designate specific health care components as covered while keeping non‑health functions outside HIPAA’s scope.

Common examples of covered entities

  • Health plans: insurers, HMOs, employer-sponsored group health plans, and government programs such as Medicare or Medicaid.
  • Health care providers: hospitals, physicians, clinics, dentists, pharmacists, labs, and telehealth practices that conduct standard electronic transactions.
  • Health care clearinghouses: entities that transform nonstandard data into standard formats or vice versa, such as billing or repricing services.

Identifying Protected Health Information

Protected Health Information is individually identifiable health information related to a person’s health status, care received, or payment for care that is created or received by a covered entity or business associate. PHI can exist in any form—oral, paper, or electronic (ePHI).

Typical identifiers that make data PHI

  • Names; geographic details smaller than a state; elements of dates (e.g., birth or treatment dates); and contact information like phone numbers and email addresses.
  • Numbers and codes such as Social Security, medical record, account, certificate/license, and device identifiers.
  • Biometric identifiers, full-face photographs and comparable images, and any other unique characteristic that could identify an individual.

What is not PHI

  • De-identified data processed via HIPAA’s Safe Harbor or expert determination methods.
  • Limited data sets used under a data use agreement, which remove direct identifiers but may retain certain dates and general geography.
  • Employment records held by an employer and education records subject to FERPA.
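As an added illustration (not code from the original article or from Accountable), the following Python applies a Safe Harbor style de-identification pass to a constructed patient record. It goes beyond the page's one-line summary by carrying out the rule's specific reductions (drop direct identifiers, keep only the year of dates, keep the first three ZIP digits or use 000 for low-population areas, aggregate ages over 89); the field names and the low-population ZIP table are assumptions.

```python
import re
from datetime import date

# Safe Harbor direct identifiers (names, contact data, SSN/MRN/account numbers,
# device ids, biometrics, photos, sub-state geography): dropped outright.
# Field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "email", "ssn", "mrn", "account_number", "license_number",
    "device_id", "biometric", "photo", "street_address", "city",
}

# Constructed table of 3-digit ZIP prefixes treated as low-population areas
# (Safe Harbor requires these to become "000"); a real implementation would
# derive this from Census data rather than a hard-coded set.
SMALL_ZIP3_AREAS = {"036", "059", "063"}

def generalize_zip(zip_code: str) -> str:
    """Keep only the initial three digits; use 000 for low-population areas."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in SMALL_ZIP3_AREAS else zip3

def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age >= 90 else str(age)

def deidentify(record: dict) -> dict:
    """Return a copy of the record reduced to Safe Harbor de-identified form."""
    over_89 = record.get("age", 0) >= 90
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # direct identifier: remove entirely
        if key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            if over_89 and key == "dob":
                continue                      # even the birth year would reveal an age over 89
            out[key] = str(value.year)        # dates keep only the year
        else:
            out[key] = value                  # clinical content (e.g. diagnosis code) stays
    return out

# Constructed sample record (no real person).
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-00042", "email": "jane@example.com",
    "dob": date(1950, 4, 12), "age": 74, "zip": "94107-1234",
    "admission_date": date(2024, 11, 3), "diagnosis": "J45.909",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```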

Business Associates and Their Role

Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity. Common examples include EHR and cloud service providers, billing and claims processors, analytics firms, telehealth platforms, and specialized consultants or law firms handling PHI.

Business associates must comply with applicable Privacy Rule provisions and implement safeguards akin to covered entities. Their subcontractors that handle PHI are also business associates, inheriting the same obligations through “flow‑down” terms.

Business Associate Agreements (BAAs)

  • Define permitted and required uses and disclosures of PHI and prohibit uses beyond those terms or the law.
  • Require administrative, physical, and technical safeguards; breach reporting; and cooperation with investigations.
  • Obligate subcontractors to agree to the same restrictions and to return or securely destroy PHI when the engagement ends.

Safeguards for PHI Protection

HIPAA follows a risk-based approach: you must implement safeguards that are reasonable and appropriate for your size, complexity, and risks. Strong governance, documented policies, and ongoing monitoring are essential.

Administrative safeguards

  • Risk analysis and risk management to identify threats and prioritize controls.
  • Assigned security and privacy leadership, workforce training, role-based access, and sanction policies.
  • Vendor oversight, incident response, contingency planning, and regular evaluations of program effectiveness.

Physical safeguards

  • Facility access controls, workstation security, and protection of paper records.
  • Device and media controls, including secure disposal and procedures for lost or stolen equipment.

Technical safeguards

  • Unique user IDs, robust authentication, and role-based authorization.
  • Audit controls and log review, integrity protections, and automatic logoff.
  • Encryption for ePHI in transit and at rest where reasonable and appropriate, plus secure transmission methods.

Operational practices that reduce risk

  • Data minimization and standardized workflows for PHI disclosures.
  • Least-privilege access, periodic access reviews, and segregation of duties.
  • Privacy-by-design in new systems and continuous employee awareness efforts.

Minimum Necessary Disclosure Standard

The minimum necessary standard requires you to limit uses, disclosures, and requests for PHI to the least amount needed to achieve the purpose. Build role-based rules for routine disclosures and an approval process for nonroutine ones.

Key exceptions include disclosures for treatment, disclosures to the individual, and disclosures required by law. Incidental disclosures are permitted only when you use reasonable safeguards and apply the minimum necessary principle consistently.

Individual Rights Under HIPAA

Individuals have powerful rights you must honor promptly. They can access and obtain copies of their PHI in the format they request if it is readily producible, and you may charge only reasonable, cost‑based fees for copies.

They may request amendments to inaccurate or incomplete PHI, ask for restrictions on certain uses or disclosures, and request confidential communications by alternative means or at alternative locations. Individuals also have the right to receive a Notice of Privacy Practices and an accounting of certain disclosures.

Enforcement and Penalties for Noncompliance

HIPAA enforcement is led by the HHS Office for Civil Rights, with state attorneys general also empowered to act. OCR investigates complaints and breaches, issues guidance, and enters into resolution agreements that often include corrective action plans and monitoring.

Civil penalties are tiered and scale with the level of culpability, from reasonable-cause violations to willful neglect, with annual caps. The Department of Justice can bring criminal cases for knowingly obtaining or disclosing PHI in violation of HIPAA, with heightened penalties for offenses involving false pretenses or intent to profit.

Effective compliance—documented risk management, staff training, sound BAAs, and disciplined handling of PHI disclosures—reduces exposure and demonstrates a culture of accountability during HIPAA enforcement actions.

Conclusion

To sustain HIPAA Privacy Rule compliance, identify whether you are a covered entity, understand what counts as PHI, manage business associates with solid BAAs, deploy layered safeguards, apply the minimum necessary standard, respect individual rights, and prepare for enforcement scrutiny. Treat these elements as an integrated program, not isolated tasks.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Examples are hospitals, clinics, pharmacies, insurers, HMOs, employer-sponsored group health plans, and entities that translate billing data into standard formats.

What types of information are considered PHI?

PHI is individually identifiable health information related to health, care, or payment that is created or received by a covered entity or business associate. It includes medical details linked with identifiers such as names, contact information, medical record numbers, and other unique characteristics that could identify a person.

How do business associates impact HIPAA compliance?

Business associates handle PHI on your behalf, so they must implement safeguards and follow Privacy Rule restrictions. A Business Associate Agreement sets permitted uses, requires security controls and breach reporting, and ensures subcontractors follow the same obligations—extending your compliance program across the vendor ecosystem.

What responsibilities do covered entities have to protect PHI?

Covered entities must implement administrative safeguards, physical and technical controls, and policies that enforce the minimum necessary standard. They must train staff, manage vendors through BAAs, monitor and log access, respond to incidents, and honor individual rights such as access, amendments, and confidential communications.
