HIPAA Privacy Rule Explained: Who It Applies To and What’s Protected
Overview of the HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for how health information is used and disclosed, and it gives you enforceable rights over your medical data. It applies to specific organizations and their partners that create, receive, maintain, or transmit Protected Health Information (PHI) in any form—paper, oral, or electronic.
The Rule balances two goals: protecting Patient Rights while allowing necessary data flows for treatment, payment, and health care operations. It works alongside the HIPAA Security Rule (safeguarding electronic PHI) and the Breach Notification Rule, and it is central to how modern Electronic Health Transactions are handled across the health care system.
Definition of Protected Health Information
What counts as PHI
Protected Health Information (PHI) is individually identifiable health information linked to a person’s past, present, or future physical or mental health, the care they receive, or payment for that care. PHI includes common identifiers when connected to health data, such as names, dates of birth, addresses, phone numbers, email addresses, medical record numbers, account numbers, device and serial numbers, IP addresses, full-face photos, and other unique codes.
What is not PHI
- De-identified information that no longer identifies an individual under HIPAA’s de-identification standards.
- Employment records held by a covered entity in its role as an employer.
- Education records covered by FERPA, and certain treatment records of students held by educational institutions.
De-identification and limited data sets
De-identification may be achieved through a formal expert determination or by removing the 18 specified identifiers (the "safe harbor" method), which reduces dates to the year, ZIP codes to their first three digits (or "000" for sparsely populated areas), removes geographic units smaller than a state, and collapses ages over 89 into a single "90 or older" category. A limited data set goes less far: it removes the direct identifiers (names, street addresses, phone numbers, SSNs, record numbers, and the like) but may keep dates and city, state, and ZIP code, and it may be used only for research, public health, or health care operations under a data use agreement.
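As an added example (not code from this page or from Accountable), the Python below applies the Safe Harbor rules to a constructed patient record and, separately, produces the limited data set form of the same record. It goes slightly beyond the paragraph by also including a post-condition check that flags any direct identifier or full date that survived. The field names, the sample record, and the mapping of those fields onto the 18 identifier categories are assumptions made for this example; the restricted three-digit ZIP list is the set HHS guidance derives from 2000 Census data and should be refreshed against current guidance before use.

```python
import re
from datetime import date

# Safe Harbor direct identifiers (45 CFR 164.514(b)(2)) mapped onto field names of the
# constructed record below. The field names are an assumption for this example, not a
# standard schema; map your own schema onto the 18 categories the same way.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes with 20,000 or fewer residents per HHS guidance (2000 Census
# figures); Safe Harbor replaces them with "000". Assumption: verify against current
# HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}
FULL_DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def generalize_zip(zip_code):
    """Safe Harbor ZIP form: first three digits, or '000' if the prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years elapsed between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record, mode="safe_harbor", as_of=None):
    """Reduce a record to Safe Harbor de-identified form or to a limited data set.

    safe_harbor: drop direct identifiers, keep only the year of each date, cut ZIP to
    three digits, drop geography below state level, and collapse ages 90 and over
    (including the birth year) into one "90+" bucket.
    limited_data_set: drop direct identifiers but keep dates and city/state/ZIP; a data
    use agreement is still required before sharing the result.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    as_of = as_of or date.today()
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed under both methods
        if mode == "limited_data_set":
            out[field] = value  # dates and city/state/ZIP survive in an LDS
        elif field == "date_of_birth":
            pass  # turned into an age bucket below
        elif field in DATE_FIELDS:
            out[field + "_year"] = date.fromisoformat(value).year
        elif field == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field == "city":
            pass  # geographic units smaller than a state are removed
        else:
            out[field] = value
    if mode == "safe_harbor" and "date_of_birth" in record:
        dob = date.fromisoformat(record["date_of_birth"])
        age = age_on(dob, as_of)
        if age >= 90:
            out["age"] = "90+"  # birth year is withheld for this bucket too
        else:
            out["age"] = age
            out["birth_year"] = dob.year
    return out


def residual_identifiers(record):
    """Post-condition check: fields still carrying a direct identifier or a full date."""
    leaks = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    leaks += [f for f, v in record.items()
              if isinstance(v, str) and FULL_DATE.search(v)]
    return leaks


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Public", "street_address": "123 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704", "phone": "217-555-0100",
    "email": "jane@example.com", "mrn": "MRN-0042", "date_of_birth": "1930-04-12",
    "admission_date": "2023-09-03", "diagnosis_code": "E11.9",
    "ip_address": "203.0.113.5",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2024, 1, 1)))
    print(deidentify(SAMPLE_RECORD, mode="limited_data_set"))
```

Run `residual_identifiers` on the Safe Harbor output before releasing it; an empty list is the expected result, and any field it names is a field the schema mapping missed. The limited data set output will legitimately still contain full dates, which is why that form can only leave the organization under a data use agreement.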
Covered Entities and Business Associates
Covered Entities
Covered Entities are the core organizations regulated by the Privacy Rule:
- Health care providers that conduct standard Electronic Health Transactions (such as claims, eligibility, and referrals).
- Health plans (insurers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and other payers).
- Health care clearinghouses that process nonstandard data into standard formats and vice versa.
Some organizations operate as “hybrid entities,” designating which components perform covered functions so that only those parts are subject to HIPAA requirements.
Business Associates
Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. Examples include billing services, EHR and cloud providers, claims processors, quality analytics firms, consultants, and certain third-party administrators. Subcontractors that handle PHI for a Business Associate are also Business Associates.
Business Associate Agreements
Covered Entities must have written Business Associate Agreements (BAAs) that limit uses and disclosures, require Privacy Safeguards, ensure breach reporting, and flow down obligations to subcontractors. Business Associates have direct HIPAA liability for compliance failures and inappropriate disclosures.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Individual Rights Under the Privacy Rule
Right of access
You can access, inspect, or obtain a copy of your PHI in the form and format you request if it is readily producible, including electronic copies of ePHI. Covered Entities must respond within 30 days (one 30-day extension is allowed with written notice of the reason) and may charge only a reasonable, cost-based fee for copies.
Right to direct transmission
You may direct a provider or plan to send your PHI to a designated third party, facilitating care coordination or personal use (for example, sending records to a new provider or an app you choose).
Right to amend
If you believe information is inaccurate or incomplete, you can request an amendment. If denied, you’re entitled to a written explanation and the ability to submit a statement of disagreement.
Right to an accounting of disclosures
You can request a record of certain disclosures made in the six years before the request. Routine disclosures for treatment, payment, or health care operations, and those you authorized, are excluded; disclosures such as those to public health authorities or in response to legal process are included.
Right to request restrictions
You may ask to limit uses and disclosures for treatment, payment, or operations. Providers must honor a request to restrict disclosure to a health plan for a specific service when you pay the full amount out of pocket.
Right to confidential communications
You can request communications by alternative means or at alternative locations (for example, using a different mailing address or phone number to protect privacy).
Notice of Privacy Practices and authorizations
Covered Entities must provide a clear Notice of Privacy Practices describing how your PHI is used and your rights. Uses beyond HIPAA’s permissions—such as most marketing, sale of PHI, and psychotherapy notes—require your written authorization, which you may revoke.
Safeguards and Compliance Requirements
Privacy Safeguards
Organizations must implement administrative, physical, and technical Privacy Safeguards appropriate to the size and risk profile of their operations. Typical measures include role-based access, verification procedures, secure disposal, and policies that limit unnecessary viewing or sharing of PHI.
Minimum necessary standard
Except for certain situations (disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures made under an authorization, and disclosures to HHS for compliance), Covered Entities and Business Associates must limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the task.
Policies, training, and documentation
Entities must designate a privacy official, train the workforce, apply sanctions for violations, and maintain written policies and procedures. Documentation, including the Notice of Privacy Practices and BAAs, must be retained for required periods.
Incident response and breach notification
Organizations need processes to identify, mitigate, and document privacy incidents. When an impermissible use or disclosure rises to a breach of unsecured PHI, the Breach Notification Rule requires notification of affected individuals without unreasonable delay and no later than 60 days after discovery, notification of HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, notification of prominent media outlets.
Exceptions and Limitations
Uses and disclosures permitted without authorization
- Treatment, payment, and health care operations (TPO), including coordination of care and quality improvement.
- Public interest and benefit activities, such as public health reporting, health oversight, certain law enforcement and judicial requests, and averting a serious threat to health or safety.
- Research under an Institutional Review Board or Privacy Board waiver or with a limited data set and data use agreement.
- Organ and tissue donation, workers’ compensation programs, coroners and medical examiners, and specialized government functions.
Special limits and sensitive categories
- Marketing, sale of PHI, and most uses of psychotherapy notes require explicit authorization.
- Fundraising is limited to specific data elements and must include a clear, no-cost opt-out.
- De-identified data are outside HIPAA; however, re-identification or inadequate de-identification can bring data back within scope.
What HIPAA does not cover
- PHI held by entities that are neither Covered Entities nor Business Associates (for example, some health or wellness apps that do not act on behalf of a Covered Entity).
- Education records under FERPA and employment records held in the employer role.
Enforcement and Penalties
How enforcement works
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the Privacy Rule through complaints, compliance reviews, and audits. Outcomes can include technical assistance, corrective action plans with monitoring, resolution agreements, and monetary penalties.
Civil and Criminal Penalties
Civil penalties are tiered based on the level of culpability, from lack of knowledge to willful neglect, with escalating fines per violation and annual caps that adjust over time. Criminal penalties—handled by the Department of Justice—can include fines and imprisonment, with the most severe penalties for obtaining PHI under false pretenses or for commercial gain or malicious harm.
Common pitfalls to avoid
- Delays or improper denials of Right of Access requests.
- Lack of BAAs with vendors handling PHI.
- Overbroad disclosures that ignore the minimum necessary standard.
- Insufficient workforce training and weak Privacy Safeguards for ePHI and paper records.
Conclusion
The HIPAA Privacy Rule defines what PHI is, who must protect it, how it may be used or shared, and the Patient Rights you can exercise. By implementing strong Privacy Safeguards, honoring individual rights, and following clear rules for permitted disclosures, Covered Entities and Business Associates can support care delivery while maintaining trust.
FAQs
What types of information are protected under the HIPAA Privacy Rule?
The Rule protects Protected Health Information (PHI): any individually identifiable health information related to your health status, care, or payment, when it includes identifiers like names, contact details, medical record numbers, device IDs, or full-face photos. PHI can be paper, electronic, or spoken; properly de-identified information is not PHI.
Who must comply with the HIPAA Privacy Rule?
Compliance is required for Covered Entities—health care providers that conduct standard Electronic Health Transactions, health plans, and health care clearinghouses—and their Business Associates and subcontractors that handle PHI on their behalf. Hybrid entities must ensure their designated health care components comply.
What rights do individuals have regarding their health information?
You have the right to access and receive copies of your records (including ePHI), direct records to a third party, request amendments, obtain an accounting of certain disclosures, request restrictions (including when you pay in full out of pocket), receive confidential communications, and review a Notice of Privacy Practices. You may authorize or revoke uses that require your permission and file complaints without retaliation.
What are the penalties for violating the HIPAA Privacy Rule?
OCR can require corrective actions and impose civil money penalties that scale with the level of noncompliance. Serious or intentional misuse of PHI can trigger criminal prosecution with fines and possible imprisonment. Penalties can be significant, particularly for willful neglect or repeated violations.