HIPAA Privacy Rule Guide for Beginners: What It Covers and Requires


Kevin Henry

HIPAA

February 15, 2025

8 minutes read

HIPAA Privacy Rule Overview

What the Rule Does

The HIPAA Privacy Rule sets national standards for how health information is used and disclosed. It balances protecting individual privacy with enabling the flow of information needed for high-quality care, public health, and oversight. If you work in health care or handle patient data, this guide explains what the Rule covers and requires—clearly and in practical terms.

What Counts as Protected Health Information (PHI)

PHI is individually identifiable health information held or transmitted by a covered entity or business associate in any form—paper, electronic, or oral. It includes data that relates to a person’s past, present, or future health, care provided, or payment for care, when the person can be identified.

PHI excludes de-identified information, employment records that a covered entity holds in its role as an employer, and education records covered by FERPA. Information about a person who has been deceased for more than 50 years is also no longer PHI.

De-identification Methods

To reduce privacy risk, you may use either of two recognized de-identification methods: (1) expert determination, in which a qualified expert documents that the risk of re-identification is very small, or (2) the safe harbor method, which removes 18 specified identifiers of the individual and of the individual's relatives, employers, and household members, and additionally requires that you have no actual knowledge that the remaining information could be used to identify the individual. De-identified data is not subject to the Privacy Rule and can be used more freely for analytics, quality improvement, or research. A re-identification code may be retained only if it is not derived from the individual's information and is never disclosed.
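The safe harbor method described above is mechanical enough to implement as a field-level transform. The following is an added example, not code from the original article: it de-identifies a flat patient record by dropping direct identifiers, reducing dates to the year, truncating ZIP codes to three digits (or 000 for the low-population prefixes in the HHS guidance), and collapsing ages over 89 into a single "90+" category. The field names and the sample records are assumptions made for this illustration; a real deployment needs a field inventory mapped to all 18 safe harbor categories and the actual-knowledge check, which no code can supply.

```python
"""Safe harbor de-identification of a flat patient record (45 CFR 164.514(b)(2)).

Added illustration, not code from the article. Field names are assumed.
"""
from datetime import date

# Assumed field names holding direct identifiers (names, geography below the
# state level, contact details, SSN/MRN/account/plan numbers, device and
# vehicle IDs, URLs, IP addresses, biometrics, photos). They are dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "fingerprint_hash",
    "photo",
}

# Dates directly related to the individual: every element except the year goes.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer per the
# HHS safe harbor guidance (2000 Census); they must be reported as 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

AGE_CAP = 89  # ages above 89 are reported as the single category "90+"


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for the low-population prefixes."""
    prefix = str(zip_code).strip()[:3]
    if len(prefix) != 3 or not prefix.isdigit():
        return None
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth, ref):
    """Completed years from birth to the reference date."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_deidentify(record, reference_date):
    """Return a new dict with safe harbor identifiers removed or generalized.

    reference_date is the date the age is measured against (for example the
    date of the extract) so that a birth year revealing age > 89 is removed too.
    """
    birth = record.get("birth_date")
    over_cap = isinstance(birth, date) and age_on(birth, reference_date) > AGE_CAP
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                              # direct identifier: removed
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if key == "birth_date" and over_cap:
                out["birth_year"] = None          # year would indicate age > 89
            elif isinstance(value, date):
                out[key.replace("_date", "_year")] = value.year
            # non-date values in a date field are dropped rather than guessed at
        elif key == "age":
            out["age"] = "90+" if (over_cap or int(value) > AGE_CAP) else int(value)
        else:
            out[key] = value                      # e.g. diagnosis codes, sex, labs
    if over_cap:
        out["age"] = "90+"
    return out


# Constructed sample records (not real patient data).
SAMPLE_ELDERLY = {
    "name": "Pat Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "zip": "02115", "birth_date": date(1930, 1, 1),
    "admission_date": date(2024, 3, 10), "diagnosis": "I10",
}
SAMPLE_ADULT = {"name": "Sam Example", "zip": "03601",
                "birth_date": date(1960, 6, 15), "age": 64, "diagnosis": "J06.9"}
REFERENCE_DATE = date(2025, 2, 15)


def run_samples():
    """De-identify both samples against REFERENCE_DATE; used by the usage below."""
    return (safe_harbor_deidentify(SAMPLE_ELDERLY, REFERENCE_DATE),
            safe_harbor_deidentify(SAMPLE_ADULT, REFERENCE_DATE))


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The over-89 handling is the edge case most home-grown scripts miss: the Rule requires removing all elements of dates, including the year, that are indicative of an age over 89, so the birth year is dropped for those individuals rather than only the age field. Also note that the restricted-prefix list comes from the HHS guidance and should be checked against the current version before use.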

Covered Entities and Business Associates

Who Is a Covered Entity

Covered entities include health plans, health care providers who transmit health information electronically in standard transactions, and health care clearinghouses. If you’re in one of these categories, the Privacy Rule applies to your use and disclosure of PHI.

Health Care Clearinghouses

Health care clearinghouses process nonstandard health information they receive from another entity into a standard format (or vice versa). Even though many do not deliver care directly, they are covered entities because they transform and route PHI.

Business Associates

Business associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity (for example, billing services, cloud hosting, EHR support, or analytics firms). They must sign business associate agreements (BAAs) and are directly liable for certain HIPAA obligations.

Practical Examples

  • A hospital (covered entity) shares PHI with a coding company (business associate) under a BAA.
  • An insurer (covered entity) exchanges transactions with a health care clearinghouse to standardize claim formats.

Individual Rights and Access

Right of Access

Individuals have the right to inspect or obtain a copy of their PHI in a designated record set, and you must act on the request within 30 days (one 30-day extension is allowed if you give the individual written notice of the reason and the expected date). If records are electronic, provide an electronic copy in the format requested when readily producible, or an agreed alternative. Only reasonable, cost-based fees are allowed for copies.

Right to Amendment

People can request corrections to their PHI if they believe it is inaccurate or incomplete. You must act on the request within 60 days (one 30-day extension is allowed) and, if you deny it, explain why in writing and tell the individual how to submit a statement of disagreement.

Right to Request Restrictions

Individuals can ask you to limit certain uses or disclosures. While most requests are discretionary, you must accept a restriction when a patient pays in full out-of-pocket for a specific service and requests that information not be disclosed to a health plan, unless disclosure is required by law.

Right to Confidential Communications

Upon request, accommodate reasonable requests to receive communications by alternative means or at alternative locations (for example, a different mailing address or email). Providers must do so without asking for a reason; health plans may require a statement that the usual channel could endanger the individual.

Accounting of Disclosures

Individuals can request an accounting of certain disclosures of their PHI made in the prior six years. The accounting excludes, among other categories, disclosures for treatment, payment, and health care operations, disclosures to the individual, and disclosures made under the individual's authorization.

Notice of Privacy Practices

Covered entities must provide a clear notice of privacy practices that explains how PHI is used and disclosed, individual rights, your legal duties, and how to file a complaint. Display it prominently and make it available on request; providers generally present it at first service, and plans provide it at enrollment and upon material changes.

Uses and Disclosures of PHI

Required Disclosures

  • To the individual (or personal representative) upon request.
  • To the Department of Health and Human Services when it investigates compliance.

Permitted Without Patient Authorization

You may use or disclose PHI for treatment, payment, and health care operations (TPO) without obtaining patient authorization. You may also include limited information in a facility directory and share relevant information with family or friends involved in the individual's care, provided you give the individual an opportunity to agree or object where the Rule requires it.

When Patient Authorization Is Required

A valid patient authorization is generally required for uses and disclosures outside TPO, such as most marketing, the sale of PHI, and most uses of psychotherapy notes. Authorizations must describe the information, who may disclose it, the recipients, the purpose, and an expiration date or event; must be signed and dated; and must include statements about the right to revoke and about the potential for redisclosure by the recipient.

Public Interest and Benefit Activities

The Rule permits disclosures for specific public interest purposes, subject to conditions:

  • As required by law.
  • Public health activities and reporting.
  • Abuse, neglect, or domestic violence reporting.
  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Decedents, cadaveric organ donation, and coroners/medical examiners.
  • Serious threats to health or safety.
  • Specialized government functions and workers’ compensation.

Research and Data Minimization

Research access can occur with an Institutional Review Board or privacy board waiver, through a limited data set with a data use agreement, or using de-identified data. Use the least amount of PHI necessary for the research purpose.


Minimum Necessary Standard

Core Principle

Except for defined situations, you must limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the purpose. This is a policy, process, and culture requirement—not just a technical setting.

Key Exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to the individual (or personal representative).
  • Uses or disclosures made pursuant to a valid authorization.
  • Disclosures to HHS for compliance and enforcement.
  • Uses or disclosures required by law.

Practical Controls

  • Role-based access and need-to-know policies.
  • Standardized request forms and approval workflows.
  • Query filters, data masking, and minimum necessary defaults in systems.
  • Use of limited data sets or de-identification methods whenever feasible.
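The controls listed above, and the accounting of disclosures described earlier, are easiest to enforce when PHI leaves the system of record through a single gateway. The following is an added example, not code from the original article: it applies a per-role field allowlist with masking (the minimum necessary default), skips the cut-down for the treatment-to-provider exception, and records every release in a ledger that can answer an accounting request by filtering out exempt purposes and entries older than six years. The roles, field names, masking rules, purpose labels, and sample record are assumptions made for this illustration.

```python
"""Minimum-necessary views plus a disclosure ledger for accounting requests.

Added example, not the article's code. Roles, fields and purposes are assumed.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy: the fields each role may see for its routine purpose.
ROLE_VIEWS = {
    "billing":    {"mrn", "name", "insurance_id", "procedure_codes", "charges"},
    "scheduling": {"mrn", "name", "phone", "next_appointment"},
    "reporting":  {"mrn", "name", "diagnosis", "birth_year"},
}

# Fields shown partially rather than in full, even to permitted roles.
MASK_RULES = {
    "insurance_id": lambda v: "*" * (len(v) - 4) + v[-4:],
    "phone": lambda v: "***-***-" + v[-4:],
}

# Purposes excluded from an accounting of disclosures (a subset of the
# exclusions in 45 CFR 164.528(a)(1)): TPO, to the individual, under authorization.
ACCOUNTING_EXEMPT = {"treatment", "payment", "operations",
                     "to_individual", "authorization"}
ACCOUNTING_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    when: date
    mrn: str
    recipient: str
    purpose: str
    fields: tuple


def years_before(d, n):
    """Same calendar date n years earlier (29 February falls back to the 28th)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


@dataclass
class PhiGateway:
    """The one choke point through which PHI leaves the system of record."""
    ledger: list = field(default_factory=list)

    def disclose(self, record, role, recipient, purpose, when,
                 provider_treatment=False):
        # Minimum necessary does not apply to treatment disclosures to a
        # provider; every other release is reduced to the role's view and masked.
        if provider_treatment:
            view = dict(record)
        else:
            allowed = ROLE_VIEWS.get(role)
            if allowed is None:
                raise PermissionError(f"no minimum-necessary view for role {role!r}")
            view = {k: MASK_RULES.get(k, lambda v: v)(v)
                    for k, v in record.items() if k in allowed}
        # Log every release. Exemptions decide what is reported to the
        # individual, not what gets recorded.
        self.ledger.append(Disclosure(when, record["mrn"], recipient, purpose,
                                      tuple(sorted(view))))
        return view

    def accounting(self, mrn, as_of):
        """Disclosures of this individual's PHI that must be accounted for."""
        cutoff = years_before(as_of, ACCOUNTING_YEARS)
        return [d for d in self.ledger
                if d.mrn == mrn and d.purpose not in ACCOUNTING_EXEMPT
                and d.when >= cutoff]


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "name": "Pat Example", "phone": "617-555-0100",
    "insurance_id": "XYZ123456789", "procedure_codes": ["99213"],
    "diagnosis": "J06.9", "charges": 150.0, "birth_year": 1960,
    "next_appointment": "2025-03-01", "home_address": "1 Main St",
}


def demo():
    """Three releases, then the accounting an individual would receive."""
    gw = PhiGateway()
    billing = gw.disclose(SAMPLE_RECORD, "billing", "ClaimsCo (BA)",
                          "payment", date(2024, 6, 1))
    gw.disclose(SAMPLE_RECORD, "reporting", "State Health Dept",
                "public_health", date(2023, 9, 12))
    gw.disclose(SAMPLE_RECORD, "reporting", "Former Registry",
                "public_health", date(2017, 1, 1))
    report = gw.accounting("MRN-0001", date(2025, 2, 15))
    return billing, report


if __name__ == "__main__":
    print(demo())
```

The design point is that the ledger records every release, including TPO, and the exemptions are applied only when the accounting is produced; that keeps the same log usable for incident response and for the six-year documentation retention requirement, and avoids a separate decision at write time about whether a disclosure is "reportable".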

Administrative Requirements

Privacy Official Designation

You must designate a privacy official to develop, implement, and oversee privacy policies and procedures, and to serve as a point of contact for questions and complaints.

Policies, Training, and Sanctions

Maintain written policies and procedures, train your workforce on them, and apply appropriate sanctions when policies are violated. Document all training and disciplinary actions.

Safeguards and Documentation

Implement administrative, physical, and technical safeguards to protect PHI from inappropriate uses or disclosures. Maintain required documentation, including the notice of privacy practices, policies and procedures, acknowledgments, and records of complaints and sanctions, for at least six years from the date it was created or the date it was last in effect, whichever is later.

Business Associate Management

Execute and manage business associate agreements that specify permitted uses and disclosures, require safeguards, and flow down obligations to subcontractors. Monitor for compliance and address incidents promptly.

Breach Notification

If unsecured PHI is compromised, HIPAA's breach notification requirements apply. You must assess the incident, mitigate harm, and notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. HHS must also be notified (at the same time for breaches affecting 500 or more individuals, otherwise in an annual log), and breaches affecting more than 500 residents of a state or jurisdiction must be reported to prominent media outlets serving that area. Business associates must notify the covered entity, which then makes the required notifications.

Enforcement and Penalties

How Enforcement Works

The HHS Office for Civil Rights investigates complaints, conducts compliance reviews, and can require corrective action plans. State attorneys general may also bring civil actions on behalf of residents.

Civil Monetary Penalties

Penalties are tiered based on the level of culpability—from reasonable cause to willful neglect—with annual limits per violation type. Resolution agreements often include monetary payments and multi-year monitoring.

Criminal Penalties

Knowingly obtaining or disclosing PHI in violation of HIPAA can trigger criminal liability, prosecuted by the Department of Justice, including fines and potential imprisonment. Penalties escalate when the offense is committed under false pretenses, and again when it is committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.

Building a Culture of Compliance

Proactive risk assessments, strong governance, workforce engagement, and timely remediation significantly reduce enforcement risk while improving patient trust and data stewardship.

Conclusion

The HIPAA Privacy Rule defines how PHI may be used and disclosed, empowers individuals with clear rights, and mandates safeguards, accountability, and training. By applying the minimum necessary standard, honoring patient authorization when required, maintaining your notice of privacy practices, and preparing for breach notification, you create resilient, compliant processes that protect people and enable care.

FAQs

What rights do individuals have under the HIPAA Privacy Rule?

Individuals have the right to access and receive copies of their PHI, request amendments, request restrictions in certain cases, choose confidential communication methods, and obtain an accounting of certain disclosures. They also have the right to receive a notice of privacy practices and to file a complaint if they believe their privacy rights were violated.

How does the minimum necessary standard protect PHI?

It limits PHI exposure to only what is needed for a task. By enforcing role-based access, standardized requests, and data minimization (such as limited data sets or de-identification methods), the standard reduces the likelihood and impact of improper uses or disclosures.

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care providers who transmit health information electronically in standard transactions, and health care clearinghouses. Each has direct obligations under the Privacy Rule, and they must ensure their business associates protect PHI, too.

What are the penalties for violating the HIPAA Privacy Rule?

Violations can lead to tiered civil monetary penalties and corrective action plans imposed by HHS’s Office for Civil Rights. Serious misconduct can also result in criminal penalties, including fines and potential imprisonment, especially for intentional misuse of PHI.
