HIPAA Privacy Rule Explained: What PHI Is, Who’s Covered, What’s Required
Definition of Protected Health Information
What PHI includes
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates. It relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care.
PHI spans all formats—electronic (ePHI), paper, and oral. Common identifiers include names, full-face photos, addresses, email addresses, phone numbers, account numbers, device IDs, IP addresses, and any details that could reasonably identify the individual when linked to health data.
What PHI excludes
De-identified information is not PHI. You can de-identify using either the Safe Harbor method (remove the 18 listed identifiers, such as names, geographic units smaller than a state, most date elements, and contact, account, device and biometric identifiers, and have no actual knowledge that what remains could identify the individual) or Expert Determination (a qualified statistician documents that the risk of re-identification is very small). Employment records a covered entity holds in its role as an employer, education records covered by FERPA, and health information that no covered entity or business associate creates or maintains (for example, readings a person records in a consumer app that is not offered on behalf of a covered entity) fall outside HIPAA.
Special categories
Psychotherapy notes (a mental health professional's session notes kept separate from the rest of the medical record) receive heightened protection: most uses and disclosures, including to health plans, require the patient's specific authorization. Limited data sets remove sixteen direct identifiers (names, street addresses, phone and fax numbers, email addresses, SSNs, record and account numbers, and the like) but may retain dates, city, state, ZIP code, and exact ages; they may be used for research, public health, or health care operations under a data use agreement that binds the recipient.
Identification of Covered Entities
Who counts as a covered entity
Covered entities include health care providers that conduct standard electronic transactions (such as billing and eligibility checks), health plans (insurers, HMOs, government programs), and health care clearinghouses that standardize data. If you fit one of these categories and handle PHI, the Privacy Rule applies.
Examples and nuances
Typical covered entities are hospitals, clinics, physicians, dentists, pharmacies, labs, and health plans of all sizes. Hybrid entities, such as a university with a medical center, may designate only their health care components as covered. The designated components must then treat the rest of the organization as outsiders: PHI may flow to a non-covered component only where the Privacy Rule would permit disclosure to a separate entity, and the hybrid entity as a whole is responsible for enforcing that boundary.
Who is not a covered entity
Life insurers, employers acting as employers, workers’ compensation carriers, schools (for FERPA records), and law enforcement agencies are not covered entities. They may hold sensitive data, but HIPAA’s Privacy Rule governs only covered entities and their business associates.
Role of Business Associates
Definition and examples
Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity. Examples include billing services, cloud and data hosting providers, EHR vendors, transcriptionists, analytics firms, consultants, attorneys, and auditors. Organizations that merely transport PHI without routinely accessing it (postal and courier services, internet service providers) are conduits rather than business associates; by contrast, a cloud provider that stores ePHI is a business associate even when it holds only encrypted data and never sees the key.
Business Associate Agreements (BAAs)
You must execute a written BAA before sharing PHI with a Business Associate. The BAA defines permissible uses and disclosures, requires safeguards, mandates breach reporting, flows obligations to subcontractors, and requires returning or destroying PHI at termination when feasible.
Direct obligations
Since the HITECH Act and the 2013 Omnibus Rule, Business Associates are directly liable for Security Rule compliance for the ePHI they handle and for the Privacy Rule provisions that apply to them (for example, using or disclosing PHI only as the BAA permits). They must apply the minimum necessary standard, maintain documentation, and notify the covered entity of breaches without unreasonable delay and no later than 60 days after discovery, or sooner if the BAA requires it.
Privacy Safeguards Implementation
Administrative Safeguards
The administrative, technical, and physical safeguard categories below come from the Security Rule (45 CFR 164.308 through 164.312), which governs ePHI; the Privacy Rule itself (164.530(c)) requires reasonable and appropriate safeguards for PHI in every form, so the same controls are the practical way to satisfy both. Conduct an enterprise-wide risk analysis, implement risk management, assign a privacy officer and a security officer, adopt role-based access, apply the minimum necessary standard, and manage vendors through BAAs. Maintain policies, a sanctions policy, contingency plans, and ongoing evaluation so that you can demonstrate compliance rather than assert it.
Technical Safeguards
Use unique user IDs (no shared clinical logins), strong authentication, and role-based authorization. Enable audit logs that record who viewed or changed which record and when, integrity controls, and transmission security. Encrypt ePHI at rest and in transit; encryption is an addressable specification, which means it is not optional but must be implemented where reasonable and appropriate, with a documented, equivalent alternative wherever it is not. Add endpoint protection and secure configuration baselines for workstations, servers, and mobile devices.
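Audit logs only earn their keep if someone reviews them, and the review that matters for the Privacy Rule is whether each access fits a treatment, payment, or operations purpose. The following Python is an added example, not code from the original page or from any EHR vendor: it replays constructed access events against a care-team table and flags access outside a treatment relationship, break-glass use that needs after-the-fact review, unusually broad access by one user, and log lines that will not parse (a log-integrity problem in its own right). The log format, the role names, the care-team table and the sample events are all assumptions; the same check also covers the "audit access logs" step under Operationalize and monitor later on this page.

```python
"""Access-log review for PHI: flag accesses outside a treatment relationship.

Added example, not code from the original page. The log format, the care-team
table, the role list and the sample lines are constructed assumptions; real
EHRs emit their own audit formats, but the review logic is the same.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed log format: "<timestamp> user=<id> role=<role> patient=<id>
# action=<verb> [reason=<token>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)(?: reason=(?P<reason>\S+))?$"
)

# Constructed treatment relationships: patient -> users on the care team.
CARE_TEAM = {"P1001": {"jdoe", "asmith"}, "P1002": {"asmith"}, "P1003": {"bkim"}}
# Roles whose job legitimately spans all records (assumption; tune per entity).
BROAD_ACCESS_ROLES = {"billing", "him"}


def parse(line: str) -> dict | None:
    """Return the event fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, care_team=CARE_TEAM, broad_roles=BROAD_ACCESS_ROLES,
          max_distinct_patients=2) -> list[dict]:
    """Return findings as dicts carrying a 'code' plus the event fields.

    Codes: UNPARSEABLE (log integrity), BREAK_GLASS (permitted emergency access
    that still needs after-the-fact review), NO_RELATIONSHIP (user not on the
    patient's care team and not in a broad-access role), HIGH_VOLUME (one user
    touched more distinct patients than the review threshold; the default of 2
    is deliberately low so the sample trips it).
    """
    findings: list[dict] = []
    patients_by_user: dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append({"code": "UNPARSEABLE", "line": line})
            continue
        patients_by_user[ev["user"]].add(ev["patient"])
        if ev.get("reason") == "break_glass":
            findings.append({"code": "BREAK_GLASS", **ev})
            continue
        on_team = ev["user"] in care_team.get(ev["patient"], set())
        if not on_team and ev["role"] not in broad_roles:
            findings.append({"code": "NO_RELATIONSHIP", **ev})
    for user, patients in patients_by_user.items():
        if len(patients) > max_distinct_patients:
            findings.append({"code": "HIGH_VOLUME", "user": user,
                             "count": len(patients)})
    return findings


# Constructed sample audit trail; no real users or patients.
SAMPLE_LOG = [
    "2025-03-02T09:14:07Z user=jdoe role=nurse patient=P1001 action=view",
    "2025-03-02T09:20:31Z user=jdoe role=nurse patient=P1003 action=view",
    "2025-03-02T10:02:11Z user=asmith role=physician patient=P1002 action=update",
    "2025-03-02T23:45:50Z user=bkim role=nurse patient=P1001 action=view reason=break_glass",
    "2025-03-02T11:00:00Z user=cross role=billing patient=P1003 action=view",
    "2025-03-02T11:30:00Z user=jdoe role=nurse patient=P1002 action=view",
    "corrupted entry ** no fields **",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample trail the billing user's access passes because that role is on the broad-access list, while jdoe's views of two patients outside the care team are flagged twice and then again as high volume, the break-glass event is queued for review rather than blocked, and the corrupted line is reported instead of silently skipped. The care-team table is the weak point of any such review: if it is stale, the check produces noise, so in practice it is sourced from the same scheduling or admission data the EHR uses for its own access decisions.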
Physical Safeguards
Control facility access, secure workstations and portable devices, and govern device and media handling (tracking, reuse, and secure disposal). Protect paper records with locked storage and clean-desk practices, and limit visual and acoustic exposure in clinical areas.
Operational privacy practices
Issue a clear Notice of Privacy Practices, define authorization workflows, and set procedures for incidental disclosures. Apply data minimization in forms, reports, and interfaces, and use de-identification or limited data sets when full PHI is unnecessary.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Patient Privacy Rights
Right of access
Patients can inspect and obtain copies of PHI in their designated record set (medical and billing records and anything used to make decisions about them, but not psychotherapy notes or information compiled for litigation) in the form and format requested if readily producible, including electronic copies of ePHI. Covered entities generally must respond within 30 days, with one 30-day extension if they notify the patient in writing of the reason, and may charge only a reasonable, cost-based fee for labor, supplies, and postage.
Right to request amendments
Patients may request corrections to inaccurate or incomplete PHI in the designated record set, and you must act on the request within 60 days (one 30-day extension is allowed). If you deny an amendment, you must provide a written explanation and allow a statement of disagreement to be added to the record and included with future disclosures of the disputed information.
Right to request restrictions
Patients can ask to restrict uses or disclosures, and you may decline most such requests. One restriction is mandatory: you must honor a request not to disclose PHI to a health plan for payment or operations when the patient (or someone on the patient's behalf) has paid the provider in full out of pocket and the disclosure is not otherwise required by law. Document any restriction you agree to, because a later disclosure that violates it is itself a violation.
Confidential communications
Patients may request communications by alternative means or at alternative locations, such as a different mailing address or phone number. Providers must accommodate reasonable requests without asking why; health plans must accommodate them when the patient states that the usual channel could endanger them.
Accounting of disclosures and complaints
Patients may request an accounting of disclosures made in the six years before the request, excluding disclosures for treatment, payment, and health care operations, disclosures to the patient, and disclosures the patient authorized. They can also file complaints directly with your organization or with HHS, and retaliating against anyone for doing so is itself a violation.
Compliance and Enforcement Mechanisms
Oversight and investigations
The HHS Office for Civil Rights (OCR) enforces the Privacy Rule through complaint investigations, compliance reviews, and breach investigations. Documentation, timely responses, and demonstrable remediation are central to favorable outcomes.
Penalties and resolution
HIPAA features tiered civil monetary penalties that scale with culpability, from lack of knowledge up to uncorrected willful neglect, and are adjusted annually for inflation. Outcomes may include resolution agreements, corrective action plans with monitoring, and, in egregious cases, referral to the Department of Justice for criminal enforcement. State attorneys general may also bring civil actions on behalf of their residents under the HITECH Act.
Breach notification
An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. After discovering a breach, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within the same 60 days and, when 500 or more residents of one state or jurisdiction are affected, to prominent media outlets there; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. Document the investigation and mitigation throughout. Lost or stolen PHI counts as "secured", and triggers no notification, only if it was encrypted in a manner consistent with HHS guidance (which points to NIST standards) and the decryption key was not also compromised; a stolen laptop whose key sits on the same disk, or data exposed while decrypted inside a running application, does not qualify.
Interaction with state law
HIPAA preempts contrary state law except where the state law is more stringent, that is, more protective of the individual or grants greater rights, in which case the state law applies on top of HIPAA. Assess preemption provision by provision and incorporate the state-specific requirements (shorter breach-notice deadlines, consent rules for sensitive conditions, and so on) into your policies and training.
Training and Policy Development
Build pragmatic policies
Document clear, role-based policies and procedures aligned to how you actually deliver care and operate. Include the data lifecycle, authorizations, disclosures, minimum necessary, incident response, and records management. Retain policies, procedures, and other required documentation for at least six years from their creation or last effective date, whichever is later.
Train your workforce
Provide onboarding and periodic training that reflects real workflows, emphasizes administrative, technical, and physical safeguards, and includes phishing awareness and secure messaging. Track completion, assess comprehension, and refresh training when policies change.
Operationalize and monitor
Designate privacy and security officers, perform regular risk analyses, test contingency plans, audit access logs, and monitor vendors for ongoing Privacy Rule compliance. Use metrics and corrective actions to drive continuous improvement.
Conclusion
Effective HIPAA Privacy Rule compliance hinges on knowing what counts as PHI, clarifying who’s covered, managing business associates, and embedding administrative, technical, and physical safeguards. When you honor patient rights, document decisions, and train your workforce, privacy becomes part of daily care—not just a policy binder.
FAQs
What constitutes Protected Health Information under HIPAA?
PHI is individually identifiable health information—any health-related data linked to identifiers—created, received, maintained, or transmitted by a covered entity or business associate. It includes ePHI, paper, and oral information and spans demographics, clinical details, billing data, and images. De-identified data is not PHI.
Who must comply with the HIPAA Privacy Rule?
Health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions must comply, as must their business associates handling PHI on their behalf. Hybrid entities must ensure covered components and shared services meet HIPAA obligations.
What are the key responsibilities of covered entities?
Covered entities must limit uses and disclosures to what’s permitted or authorized, apply the minimum necessary standard, safeguard PHI with administrative, technical, and physical controls, execute BAAs, provide a Notice of Privacy Practices, honor patient rights, maintain documentation, and notify individuals and HHS of breaches.
How does HIPAA protect patient privacy?
HIPAA sets rules on when PHI may be used or disclosed, grants patients access and control rights, and requires layered safeguards—Administrative Safeguards, Technical Safeguards, and Physical Safeguards. Enforcement by HHS OCR and tiered penalties further deter misuse and promote sustained compliance.