HIPAA Privacy Rule Explained: What It Regulates and What It Does Not
Scope of the HIPAA Privacy Rule
What the Privacy Rule covers
The HIPAA Privacy Rule sets national standards for how Covered Entities and their Business Associates use and disclose Protected Health Information (PHI). It applies to PHI in any form—paper, verbal, and electronic, including data in an Electronic Health Record. The rule also gives individuals rights over their information and requires clear Notices of Privacy Practices.
Core regulatory focus
The rule governs when PHI can be used or shared, requires the Minimum Necessary Standard for most uses and disclosures, and defines when Patient Authorization is needed. It mandates organizational Privacy Safeguards such as policies, workforce training, and mitigation of improper disclosures, aligning with modern Health Information Technology workflows.
What the Privacy Rule does not cover
- Data that are not PHI (for example, fully de-identified information and aggregated statistics).
- Organizations that are not Covered Entities or Business Associates (such as many employers, schools, and life insurers).
- Education records covered by FERPA and employment records held by a covered entity in its role as employer.
- Consumer health apps that are not acting on behalf of a covered entity.
Covered Entities under HIPAA
Who is a covered entity
- Health care providers who transmit standard transactions electronically (such as claims or eligibility checks).
- Health plans (including group health plans, HMOs, Medicare, and Medicaid).
- Health care clearinghouses that process nonstandard information into standard formats.
Business associates and subcontractors
Vendors that create, receive, maintain, or transmit PHI on behalf of covered entities are Business Associates. They must follow the Privacy Rule terms in Business Associate Agreements and are directly liable for certain violations. Subcontractors that handle PHI are held to the same obligations.
Special structures
Some organizations operate as hybrid entities, designating health care components that must comply with HIPAA. Employers that sponsor group health plans face limitations on receiving PHI, and plan sponsors must implement safeguards to keep plan information separate from employment records.
Protected Health Information (PHI) Defined
What counts as PHI
PHI is individually identifiable health information related to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care. It includes demographic details when those details can identify the person, whether the information is written, spoken, or stored in an Electronic Health Record.
Common identifiers
- Names, geographic details smaller than a state, and key dates related to a person.
- Contact data like phone numbers and email addresses; numbers such as Social Security, medical record, and insurance IDs.
- Biometric identifiers and full-face photographs, as well as any unique code that could identify the individual.
What is not PHI
- De-identified information that removes identifiers and cannot reasonably identify a person.
- Education records under FERPA and employment records held by a covered entity in its role as employer.
- Information about a person deceased for more than 50 years.
PHI in the digital ecosystem
Electronic PHI within Health Information Technology systems requires careful controls. Access, use, and exchange within and across Electronic Health Records must follow the Privacy Rule’s conditions and the Minimum Necessary Standard, unless an exception applies.
Permitted Uses and Disclosures of PHI
Disclosures allowed without authorization
- Treatment, payment, and health care operations.
- Disclosures required by law or for public health activities (such as reporting certain diseases).
- Health oversight activities, judicial and administrative proceedings, and specific law enforcement purposes.
- To avert a serious threat to health or safety and for specialized government functions.
- Research with Institutional Review Board approval or waiver, or as a limited data set with a data use agreement.
- Disclosures about decedents, organ donation purposes, and workers’ compensation as permitted by law.
- To family, friends, or others involved in care when the individual agrees or does not object, or when professional judgment supports it.
When Patient Authorization is required
- Most uses and disclosures not otherwise permitted by the rule.
- Marketing communications and any sale of PHI.
- Psychotherapy notes, with narrow exceptions such as for treatment by the originator.
The Minimum Necessary Standard
Covered Entities and Business Associates must limit the PHI they use, disclose, or request to the minimum necessary to accomplish the intended purpose. This standard does not apply to disclosures to a provider for treatment, to disclosures to the individual, to disclosures to HHS for compliance purposes, to uses or disclosures required by law, or to those made pursuant to a valid Patient Authorization.
Incidental disclosures
Incidental disclosures are permissible only when they occur as a by-product of an allowed use or disclosure and when reasonable Privacy Safeguards and the Minimum Necessary Standard are in place.
Individual Rights under the Privacy Rule
Access and copies
You can access and obtain copies of your PHI in the form and format requested when readily producible, including electronic copies of information in an Electronic Health Record. Reasonable, cost-based fees may apply for copies.
Amendments and corrections
You may request an amendment to PHI you believe is inaccurate or incomplete. If a request is denied, you can submit a statement of disagreement that becomes part of the record.
Accounting and restrictions
You can request an accounting of certain disclosures and ask a covered entity to restrict specific uses or disclosures. When you pay a provider out of pocket in full, you can require that information about that service not be disclosed to your health plan.
Confidential communications and notice
You can request communications by alternative means or at alternative locations, and you are entitled to a clear Notice of Privacy Practices explaining how your information is used, your rights, and how to lodge complaints.
Safeguards Required by the Privacy Rule
Administrative safeguards
Organizations must implement policies and procedures, train the workforce, designate a privacy official, and apply appropriate sanctions for violations. They must also mitigate, to the extent practicable, any harmful effects of improper uses or disclosures.
Physical and technical safeguards
Reasonable Privacy Safeguards include facility and workstation protections, role-based access, authentication, and audit activities. While the HIPAA Security Rule sets detailed requirements for electronic PHI, Privacy Rule compliance depends on integrating these controls into daily operations and Health Information Technology.
Minimum necessary and role-based access
Access should align with job roles, limiting PHI to what is needed to perform specific tasks. Procedures for de-identification, limited data sets, and secure exchange support compliance while enabling care coordination and analytics.
Exceptions and Limitations of the Privacy Rule
HIPAA as a federal privacy floor
HIPAA establishes a baseline; state laws that are more protective of privacy remain in force. Entities must evaluate and apply the most stringent applicable standard for a given use or disclosure.
Contexts outside HIPAA
- Many employers, schools, law enforcement agencies, and life insurers are not Covered Entities.
- Personal health tools and apps not acting for a covered entity are typically outside HIPAA, though other consumer privacy laws may apply.
- Other federal laws can impose additional limits, such as special rules for substance use disorder records.
Conclusion
The HIPAA Privacy Rule regulates how Covered Entities and Business Associates handle Protected Health Information, sets the Minimum Necessary Standard, and outlines when Patient Authorization is required. It grants robust individual rights and requires practical Privacy Safeguards, while leaving non-covered contexts and de-identified data outside its scope.
FAQs
What types of entities are covered by the HIPAA Privacy Rule?
Health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses are Covered Entities. Vendors that handle PHI for them are Business Associates and must meet many of the same privacy obligations through binding agreements.
How does the HIPAA Privacy Rule define protected health information?
Protected Health Information is individually identifiable information about a person’s health status, the care they receive, or payment for that care, held or transmitted by a covered entity or its business associate in any form. It includes identifiers like names, contact details, and medical record numbers; de-identified data is not PHI.
What rights do individuals have under the HIPAA Privacy Rule?
You have rights to access and receive copies of your PHI (including electronic records), request amendments, obtain an accounting of certain disclosures, request restrictions, ask for confidential communications, and receive a Notice of Privacy Practices describing how your information is used and your options.
When can protected health information be disclosed without patient authorization?
PHI can be disclosed without Patient Authorization for treatment, payment, and health care operations; when required by law; for public health and health oversight; in certain judicial, administrative, and law enforcement contexts; to avert serious threats; for specified research pathways; and for other limited purposes defined by the rule.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.