HIPAA Privacy Rule Explained: It Applies Beyond Just Electronic PHI

Kevin Henry

HIPAA

February 21, 2025


HIPAA Privacy Rule Scope

The HIPAA Privacy Rule governs how Protected Health Information (PHI) is used and disclosed by Covered Entities and their Business Associates. It applies to PHI in any form—electronic, paper, or oral—not just to electronic PHI (ePHI). If you create, receive, maintain, or transmit PHI on behalf of a Covered Entity, you are within this scope.

Who must comply

  • Covered Entities: health plans, most health care providers, and health care clearinghouses.
  • Business Associates: vendors or subcontractors that handle PHI for Covered Entities (for example, billing services, cloud hosts, or analytics providers).

Permitted uses and disclosures

You may use or disclose PHI for treatment, payment, and health care operations, and in other situations specified by the rule or with a valid authorization. The “minimum necessary” standard requires you to limit PHI to the least amount needed to accomplish the purpose.

Individual Rights under HIPAA

  • Access and obtain copies of their PHI.
  • Request amendments to inaccurate or incomplete PHI.
  • Receive an accounting of certain disclosures.
  • Request restrictions and confidential communications.
  • Receive a Notice of Privacy Practices explaining how their PHI is used.

Definition of PHI

PHI is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care—and that identifies the person or could reasonably identify them. PHI can be in any medium: electronic records, paper charts, or spoken information.

Examples include names, full-face photos, addresses, Social Security and medical record numbers, device identifiers, biometric data, and any clinical details when linkable to an individual. If information can no longer identify someone, it is not PHI.

Exclusions from PHI

  • De-identified information that meets HIPAA’s de-identification standards.
  • Education records and certain treatment records subject to FERPA.
  • Employment records held by a Covered Entity in its role as employer.
  • Health information of individuals deceased for more than 50 years.
  • Information collected or maintained by entities that are not Covered Entities or Business Associates (for example, some consumer apps) when not acting on behalf of a Covered Entity.

De-identified Information

De-identified data is not subject to the Privacy Rule. You can de-identify PHI by either removing specified identifiers under the Safe Harbor method and having no actual knowledge of residual identification risk, or by obtaining an Expert Determination that the risk of re-identification is very small.

A Limited Data Set—where certain direct identifiers are removed but some elements like dates or ZIP codes remain—still contains protected data and requires a Data Use Agreement. If you create re-identification codes, they must not be derived from identifiers and the algorithm must remain confidential.
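The contrast between Safe Harbor de-identification, a Limited Data Set, and a non-derived re-identification code is easier to see in code. The following is an added example written for this article; it is not code from the original post or from Accountable. The record layout, the field names, the sample patient record and the set of low-population ZIP prefixes are all constructed for illustration; the generalization rules themselves (drop the 18 identifier categories, keep only the year of dates, aggregate ages over 89, keep a 3-digit ZIP prefix only where it covers more than 20,000 people) follow the Safe Harbor standard in 45 CFR 164.514(b)(2).

```python
"""Safe Harbor de-identification, a Limited Data Set, and a re-identification
code that is NOT derived from any identifier.

Added example, not the article's or Accountable's code. Field names, the
sample record and LOW_POPULATION_ZIP3 are constructed placeholders.
"""
import secrets
from typing import Dict, Tuple

# Direct identifiers that must be removed outright (a subset of the 18 Safe
# Harbor identifier categories; the field names are ours, not regulatory).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "health_plan_id", "device_serial", "ip_address", "photo_url",
}

# Safe Harbor allows the first three ZIP digits only when that prefix covers
# more than 20,000 people; otherwise the prefix becomes "000". This set is a
# constructed placeholder, not real census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Constructed sample record: every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001234", "ssn": "000-00-0000",
    "zip": "03601", "dob": "1931-04-12", "age": 93,
    "admit_date": "2024-11-05", "diagnosis_code": "E11.9", "state": "NH",
}


def generalize_zip(zip_code: str) -> str:
    zip3 = zip_code[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def generalize_date(iso_date: str) -> str:
    # Safe Harbor keeps only the year of dates directly related to the person.
    return iso_date[:4]


def generalize_age(age: int) -> str:
    # Ages over 89 collapse into a single "90 or older" category.
    return "90+" if age > 89 else str(age)


def safe_harbor(record: Dict[str, object]) -> Dict[str, object]:
    """Return a de-identified copy of `record` under the Safe Harbor rules."""
    out: Dict[str, object] = {}
    over_89 = int(record.get("age", 0)) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "dob":
            # For ages over 89 even the birth year reveals the age, so drop it.
            if not over_89:
                out[key] = generalize_date(str(value))
        elif key.endswith("_date"):
            out[key] = generalize_date(str(value))
        elif key == "age":
            out[key] = generalize_age(int(value))
        else:
            out[key] = value
    return out


def limited_data_set(record: Dict[str, object]) -> Dict[str, object]:
    """Remove only the direct identifiers. Full dates and ZIP codes stay, so
    the result is still PHI and may only be shared under a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


class ReidentificationVault:
    """Confidential mapping from random re-identification codes back to the MRN.

    Codes come from a CSPRNG, so they are not derived from any identifier. A
    hash of the MRN would not qualify: anyone who learns the algorithm could
    recompute it from the identifier.
    """

    def __init__(self) -> None:
        self._code_to_mrn: Dict[str, str] = {}

    def assign_code(self, mrn: str) -> str:
        code = secrets.token_hex(8)
        self._code_to_mrn[code] = mrn
        return code

    def lookup(self, code: str) -> str:
        return self._code_to_mrn[code]


def deidentify_with_code(record: Dict[str, object],
                         vault: ReidentificationVault) -> Tuple[Dict[str, object], str]:
    """De-identify a record and attach a re-identification code held only in the vault."""
    clean = safe_harbor(record)
    code = vault.assign_code(str(record["mrn"]))
    clean["reid_code"] = code
    return clean, code
```

Running `safe_harbor(SAMPLE_RECORD)` on the constructed record yields only the state, the diagnosis code, the admission year, the age category "90+" and a ZIP of "000" (because the sample prefix "036" is in the low-population set); the birth date disappears entirely because the age is over 89. `limited_data_set` keeps the full birth date and ZIP, which is exactly why it still needs a Data Use Agreement.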


Safeguards for PHI

The Privacy Rule requires you to implement appropriate safeguards and follow the minimum necessary standard to prevent unauthorized uses and disclosures. These measures should be reasonable for your size, complexity, and risks.

Administrative Safeguards

  • Assign privacy and security leadership; establish policies, workforce training, and sanctions.
  • Perform risk assessments; manage vendors with Business Associate Agreements.
  • Implement procedures for access, minimum necessary decisions, and incident response.

Physical Safeguards

  • Control facility access; secure workstations and paper records.
  • Use locked storage, clean-desk practices, and secure media disposal.
  • Protect oral privacy with private areas and “no overhead” disclosure practices.

Technical Safeguards

  • Use unique user IDs, role-based access, and multi-factor authentication where appropriate.
  • Enable audit logs, integrity controls, and transmission protection (e.g., encryption in transit).
  • Protect data at rest with encryption and proper key management when feasible.

Security Rule Applicability

The HIPAA Security Rule applies only to electronic PHI and requires Covered Entities and Business Associates to implement Administrative, Physical, and Technical Safeguards tailored by risk analysis. Some implementation specifications are “required,” while others are “addressable,” allowing flexibility based on your risk, environment, and resources.

  • Core expectations include risk analysis and risk management, access and audit controls, integrity protections, authentication, transmission security, and contingency planning with backups and disaster recovery.
  • Documentation and ongoing evaluation are essential to keep safeguards effective as technologies and workflows change.

Privacy Rule vs Security Rule

The Privacy Rule defines when and why PHI may be used or disclosed and grants Individual Rights under HIPAA. It covers PHI in any form and emphasizes policies, notices, and minimum necessary use.

The Security Rule focuses on how you safeguard ePHI through concrete controls and risk management. Think of the Privacy Rule as governing “who can do what with PHI,” and the Security Rule as governing “how you protect ePHI.” Both apply simultaneously, and compliance programs should integrate them.

Bottom line: the HIPAA Privacy Rule protects PHI beyond just electronic systems, while the Security Rule establishes the technical and operational controls for ePHI. Together they form the foundation of responsible health data stewardship.

FAQs

Does the HIPAA Privacy Rule cover paper and oral PHI?

Yes. The Privacy Rule covers PHI in all forms—electronic, paper, and oral. You must apply reasonable safeguards and the minimum necessary standard to non-electronic PHI just as you would to records in your systems.

What types of information are excluded from HIPAA protections?

Excluded categories include de-identified information, education records subject to FERPA, employment records held by a Covered Entity in its role as employer, PHI of individuals deceased for more than 50 years, and information held by entities that are not Covered Entities or Business Associates when not acting for a Covered Entity.

How do Privacy and Security Rules differ under HIPAA?

The Privacy Rule governs permissible uses and disclosures of PHI in any form and grants individual rights. The Security Rule applies only to ePHI and requires Administrative, Physical, and Technical Safeguards based on risk analysis and ongoing risk management.

What safeguards are required to protect PHI?

You must implement Administrative Safeguards (policies, training, risk management), Physical Safeguards (facility and device protections), and Technical Safeguards (access controls, audit logs, encryption) proportionate to your risks, along with the minimum necessary standard to limit PHI use and disclosure.
