HIPAA Privacy Rule Explained: Summary, Scope, and Covered Entity Obligations
Overview of HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for how health information may be used and disclosed, and how you must protect individuals’ privacy. It applies to covered entities and their business associates, and it governs Protected Health Information (PHI) in any form—paper, oral, or electronic.
Core obligations include the Minimum Necessary Standard, documented privacy policies and procedures, and HIPAA compliance training for the workforce. You must designate a privacy official, provide a Notice of Privacy Practices, apply appropriate safeguards, mitigate improper disclosures, and sanction workforce members who violate policy.
The Privacy Rule works alongside the Security Rule (for ePHI safeguards) and the Breach Notification Rule (for incident reporting). Together, they form the framework for lawful handling of PHI across the healthcare ecosystem.
Definition of Covered Entities
The covered entities definition under HIPAA includes three categories that must comply with the Privacy Rule. If your organization meets any of these, the Rule applies to you.
- Health care providers that transmit health information electronically in standard transactions (for example, hospitals, physicians, dentists, pharmacies, labs, and telehealth providers).
- Health plans (such as group health plans, insurers, HMOs, and government programs like Medicare, Medicaid, and certain veterans’ health programs).
- Health care clearinghouses (entities that process nonstandard health data into standard formats and vice versa).
Some organizations are hybrid entities, designating health care components that perform covered functions. Organized Health Care Arrangements may coordinate compliance across participants, but each participant remains responsible for its own obligations.
Roles of Business Associates
Business associates are vendors or partners that perform services for a covered entity (or for another business associate) that involve creating, receiving, maintaining, or transmitting PHI. Typical examples include billing services, EHR and cloud providers, consultants, TPAs, and analytics firms.
Before sharing PHI, you must execute Business Associate Agreements that define permitted uses and disclosures, require safeguards, impose breach reporting, and flow down obligations to subcontractors. Business associates are directly liable for certain violations and must follow the Minimum Necessary Standard and your documented privacy policies and procedures where applicable.
Understanding Protected Health Information (PHI)
PHI is individually identifiable health information related to an individual’s past, present, or future health status, care, or payment for care. Identifiers include obvious items like names and medical record numbers, as well as device IDs, photos, and other data that can identify a person.
What is not PHI? De-identified information (via expert determination or Safe Harbor removal of specified identifiers), a limited data set used under a data use agreement, education records covered by FERPA, employment records held by an entity in its role as employer, and records of persons deceased for more than 50 years.
PHI may exist in any medium. While the Security Rule focuses on electronic PHI, the Privacy Rule applies broadly and governs how you use, disclose, and safeguard PHI across all formats.
Individual Rights Under HIPAA
Individuals have enforceable rights that you must honor promptly and transparently. Your processes should make these rights easy to exercise and track.
- Right of access: Individuals may inspect or obtain copies of their PHI in a timely manner, including electronic copies when available, and may direct you to transmit a copy to a third party.
- Right to request amendment: Individuals can request corrections to PHI in the designated record set; if you deny, you must provide a written explanation and allow a statement of disagreement.
- Right to an accounting of disclosures: Individuals may receive a record of certain disclosures made without authorization.
- Right to request restrictions: Individuals can ask you to limit disclosures; you must honor a restriction on disclosures to a health plan when the individual pays in full out-of-pocket for a specific service.
- Right to confidential communications: Individuals can request alternative means or locations for communications (for example, a different address or phone number).
- Right to receive a Notice of Privacy Practices and to file a complaint without retaliation.
Permitted Uses and Disclosures of PHI
The Privacy Rule permits specific uses and disclosures and otherwise requires individual authorization. Always apply the Minimum Necessary Standard unless an exception applies.
- Treatment, payment, and health care operations (TPO): Sharing for care coordination, billing, and core operations is generally permitted without authorization; minimum necessary does not apply to disclosures for treatment.
- With individual authorization: Required for uses beyond permitted categories, including most marketing, sale of PHI, and disclosure of psychotherapy notes.
- Opportunity to agree or object: For facility directories and sharing with family or friends involved in care, when the individual can be asked or does not object.
- Required by law and public interest: Public health reporting, health oversight activities, judicial and administrative proceedings, certain law enforcement purposes, to avert a serious threat, specialized government functions, and workers’ compensation.
- Research: With authorization or under an IRB/Privacy Board waiver and safeguards; limited data sets may be used under a data use agreement.
- Incidental disclosures: Allowed only when reasonable safeguards are in place and the minimum necessary is observed.
- De-identified information: Not subject to the Privacy Rule and may be used or disclosed freely.
Enforcement and Penalties of HIPAA Violations
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces the Privacy Rule through complaint investigations, compliance reviews, and audits. Outcomes range from technical assistance and corrective action to resolution agreements with multi-year monitoring.
Civil penalties follow a tiered structure based on culpability—from violations a covered entity would not reasonably have known about, to willful neglect not corrected—each with per-violation amounts and annual caps adjusted for inflation. Factors include the nature and extent of the violation, the harm caused, cooperation, and corrective efforts. State attorneys general may also bring civil actions.
Criminal penalties, enforced by the Department of Justice, apply to knowing wrongful disclosures, with enhanced penalties for offenses committed under false pretenses or for personal gain. Business associates can be directly liable, and failures such as not having Business Associate Agreements, inadequate privacy policies and procedures, and lack of HIPAA compliance training are common enforcement themes.
Conclusion
The HIPAA Privacy Rule establishes who must comply, what counts as PHI, which uses and disclosures are permitted, and what rights individuals hold. By implementing strong privacy policies and procedures, honoring the Minimum Necessary Standard, executing Business Associate Agreements, and training your workforce, you build a defensible compliance program that protects patients and reduces enforcement risk.
FAQs
What types of entities are considered covered entities under HIPAA?
Covered entities include health care providers that conduct standard electronic transactions, health plans such as insurers and government programs, and health care clearinghouses that translate data between formats. Some organizations may be hybrid entities with designated health care components.
How does the HIPAA Privacy Rule protect patient information?
It restricts when PHI can be used or disclosed, requires the Minimum Necessary Standard, mandates privacy policies and procedures, and gives individuals rights over their information. It also requires notices, safeguards, workforce training, and oversight by OCR to enforce compliance.
What rights do individuals have regarding their protected health information?
Individuals can access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation.
What are the consequences of violating the HIPAA Privacy Rule?
Consequences range from corrective action and resolution agreements to civil monetary penalties under a tiered structure, with amounts adjusted for inflation. Serious or intentional misconduct may lead to criminal prosecution, and business associates can be directly liable alongside covered entities.