HIPAA Privacy Rule PHI Requirements Explained: Access, Disclosures, Authorizations, Safeguards


Kevin Henry

HIPAA

February 28, 2025


The HIPAA Privacy Rule sets national standards for how covered entities and business associates use, disclose, and protect Protected Health Information (PHI). This guide explains the core PHI requirements—access, disclosures, individual authorizations, and safeguards—so you can implement practical, defensible compliance.

Throughout, you will see the key terms you work with every day, including the Designated Record Set; Treatment, Payment, and Healthcare Operations; the Individual Authorization; and the Administrative, Technical, and Physical Safeguards that anchor your program.

Access to Protected Health Information

Scope of the right of access

You must provide individuals timely access to PHI in the Designated Record Set (DRS)—the medical and billing records you maintain and any other records used to make decisions about the individual. The right does not extend to psychotherapy notes or information compiled for legal proceedings.

Personal representatives generally have the same access rights as the individual, consistent with applicable state law. For minors or incapacitated adults, confirm representative status before releasing PHI.

Formats, delivery, and timelines

Fulfill requests in the form and format the individual requests if readily producible. If you maintain PHI electronically, you should provide an electronic copy upon request, and you must transmit PHI to a designated third party when the individual directs you in writing to do so.

Respond to access requests within 30 calendar days. If you cannot meet that timeframe, one written extension of up to 30 additional days is permitted, explaining the reason and the new due date.

Fees and identity verification

You may charge a reasonable, cost-based fee limited to labor for copying, supplies, and postage when applicable. Do not add retrieval or maintenance fees. Verify the requester’s identity using documented procedures proportional to the risk and the request channel.

Denials and review rights

Some denials are reviewable (for example, when a licensed professional determines that access would likely endanger life or physical safety). Others are not reviewable, such as requests for psychotherapy notes. When denying access, provide the basis for denial, how to request a review if available, and how to obtain other accessible portions or a summary.

Permitted Disclosures Without Authorization

Treatment, Payment, and Healthcare Operations (TPO)

You may use and disclose PHI for Treatment, Payment, and Healthcare Operations without written permission. Share only what is necessary for the purpose; the one exception is that the minimum necessary standard does not apply to disclosures for treatment.

Public interest and other permitted disclosures

  • Public health activities, such as reporting certain diseases, adverse events, and product issues.
  • Health oversight activities, including audits and inspections.
  • Judicial and administrative proceedings, and specific law enforcement purposes, consistent with process and limits.
  • To avert a serious threat to health or safety, using professional judgment.
  • Decedents (e.g., to coroners, medical examiners, funeral directors) and organ, eye, or tissue donation organizations.
  • Workers’ compensation and other specialized government functions as allowed by law.
  • Limited Data Set disclosures under a Data Use Agreement for public health, research, or operations.

Apply the minimum necessary standard to these uses and disclosures unless an exception applies (for example, disclosures required by law or to the individual). Incidental disclosures that occur despite reasonable safeguards and minimum necessary policies are permitted.

Research disclosures with a waiver

You may disclose PHI for research without an Individual Authorization when an Institutional Review Board Waiver (or Privacy Board waiver) is in place and documented. Alternatively, use de-identified data or a Limited Data Set under a Data Use Agreement to reduce privacy risk.

Disclosures to family and others involved in care

With the individual’s agreement, or when the individual has the opportunity to agree or object, you may share relevant PHI with family members, friends, or caregivers involved in care or payment. When the individual is not available, rely on professional judgment and disclose only what is directly relevant.

Requirements for Written Authorizations

When you need an Individual Authorization

Obtain a valid Individual Authorization for uses and disclosures not otherwise permitted or required by HIPAA. Common situations include most marketing communications, the sale of PHI, disclosures of psychotherapy notes (with narrow exceptions), and many research uses when an IRB/Privacy Board waiver is not granted.

Core elements and required statements

  • A specific description of the PHI.
  • The name or other specific identification of who may disclose and who may receive the PHI.
  • The purpose of the disclosure (or “at the request of the individual”).
  • An expiration date or event.
  • The individual’s signature and date (and representative authority, if applicable).

Include statements describing the right to revoke in writing, the potential for re-disclosure by the recipient, and whether signing is a condition of treatment, payment, enrollment, or eligibility (generally it is not, with limited exceptions such as research-related treatment or health plan underwriting).

Form, format, and revocation

Use plain language and provide a copy to the individual. Keep authorizations separate from the Notice of Privacy Practices and other routine forms unless a combination is explicitly permitted. Individuals may revoke an authorization at any time, except to the extent you already relied on it.
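The permitted-disclosure rules above (TPO, minimum necessary, research waivers) and the authorization elements (core fields, expiration, revocation) can be expressed as a single decision function. The following is an added illustration, not code from the article or from Accountable; the purpose labels and field names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purposes this article lists as permitted without a written authorization
# (TPO plus public-interest disclosures); the labels are assumed, not regulatory codes.
PERMITTED_WITHOUT_AUTH = {"treatment", "payment", "operations",
                          "public_health", "health_oversight", "avert_threat"}

@dataclass
class Authorization:
    """Core elements of an Individual Authorization as the article lists them."""
    phi_description: str
    discloser: str
    recipient: str
    purpose: str
    expires: date
    signed_on: Optional[date] = None
    revoked_on: Optional[date] = None

    def is_valid(self, on: date, purpose: str, recipient: str) -> bool:
        # Every core element must be present and the form must be signed and dated.
        if not all([self.phi_description, self.discloser, self.recipient, self.purpose]):
            return False
        if self.signed_on is None or self.purpose != purpose or self.recipient != recipient:
            return False
        if on > self.expires:
            return False
        # Revocation only cuts off later disclosures; earlier reliance on it stands.
        return self.revoked_on is None or on < self.revoked_on

def decide_disclosure(purpose: str, recipient: str, requested: set, needed: set,
                      on: date, authorization: Optional[Authorization] = None,
                      research_waiver: bool = False) -> tuple:
    """Return (allowed, reason). `requested`/`needed` are field names used for the
    minimum necessary check, which the article says does not apply to treatment."""
    if purpose in PERMITTED_WITHOUT_AUTH:
        if purpose != "treatment" and not requested <= needed:
            return False, "minimum necessary: request includes fields the purpose does not need"
        return True, f"permitted without authorization ({purpose})"
    if purpose == "research" and research_waiver:
        return True, "research under a documented IRB/Privacy Board waiver"
    if authorization is not None and authorization.is_valid(on, purpose, recipient):
        return True, "valid Individual Authorization on file"
    return False, f"Individual Authorization required for {purpose}"
```

The reason string is meant to be written to the disclosure record, so a later audit can see which rule permitted or blocked each release.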

Special topics: marketing, fundraising, and underwriting

Marketing communications that are not face-to-face and involve financial remuneration typically require authorization. Fundraising has specific opt-out requirements. Health plans may not use genetic information for underwriting and must follow strict limits on any related authorizations.

Administrative Safeguards for PHI

Privacy Rule administrative requirements

Designate a privacy official, train your workforce, apply a sanction policy, and maintain a complaint process. Mitigate known harmful effects of improper uses or disclosures. Adopt and document policies, apply the minimum necessary standard, and execute Business Associate Agreements before sharing PHI with vendors.

Security Rule administrative safeguards for ePHI

For electronic PHI (ePHI), conduct a risk analysis and implement risk management, workforce security, information access management, security awareness and training, incident response, and contingency planning (backup, disaster recovery, emergency mode operation). Periodically evaluate your program and manage business associate security obligations.

Governance and accountability

Use role-based access, identity verification, and approval workflows to enforce the minimum necessary standard. Maintain records of disclosures where required, and monitor adherence through audits and corrective action plans.


Technical Safeguards for PHI

Access controls and identity

Implement unique user IDs, emergency access procedures, automatic logoff, and role-based permissions. Encryption for data at rest is addressable but strongly recommended given modern threats and the potential to reduce breach risk.

Audit controls and integrity

Enable audit logs on systems housing ePHI. Review logs routinely and investigate anomalies. Use integrity controls—such as hashing, digital signatures, and write protections—to detect and prevent unauthorized alteration.

Authentication and transmission security

Authenticate users and systems before granting access. Protect ePHI in transit with modern encryption (for example, TLS for web traffic, secure messaging, and VPNs for remote access). Use message integrity and anti-replay protections to guard against tampering.

Application and API protections

Secure APIs and applications with least-privilege scopes, input validation, and regular patching. Segregate environments, rotate keys, and monitor for unusual access patterns to prevent data exfiltration.
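The audit and integrity controls described above, and the access-pattern monitoring mentioned here, can be combined in one small log structure: each audit entry carries a keyed hash that chains to the previous entry, so any edit or deletion is detectable, and the same entries feed a routine review for unusual access volume. This is an added example, not code from the article or from Accountable; the key, user names and record identifiers are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical key for the demo; a deployment keeps it in a KMS/HSM, not in source.
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _digest(prev_hash: str, entry: dict) -> str:
    # Each line commits to the previous hash, so editing or deleting an earlier
    # entry breaks every hash that follows it.
    payload = prev_hash.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def append(chain: list, entry: dict) -> list:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "hash": _digest(prev, entry)})
    return chain

def verify(chain: list) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(rec["hash"], _digest(prev, rec["entry"])):
            return i
        prev = rec["hash"]
    return -1

def bulk_access_users(chain: list, threshold: int) -> set:
    """Users who touched more than `threshold` distinct records: a review signal
    worth investigating, not proof of misuse."""
    seen = {}
    for rec in chain:
        e = rec["entry"]
        seen.setdefault(e["user"], set()).add(e["record"])
    return {u for u, recs in seen.items() if len(recs) > threshold}

def sample_chain() -> list:
    # Constructed audit entries: user, action, record identifier.
    events = [("nurse01", "view", "MRN-0001"), ("nurse01", "view", "MRN-0002"),
              ("billing07", "view", "MRN-0001"), ("admin03", "export", "MRN-0003"),
              ("nurse01", "view", "MRN-0003")]
    chain = []
    for user, action, record in events:
        append(chain, {"user": user, "action": action, "record": record})
    return chain
```

Write-protecting the stored chain (append-only storage, separate from the application's credentials) is what stops an attacker who can edit entries from simply recomputing the hashes.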

Physical Safeguards for PHI

Facility access controls

Limit physical access to data centers, closets, and records rooms using badges, keys, or biometrics. Maintain visitor logs and escort procedures. Keep documented contingency operations and facility security plans so that physical access stays controlled during emergencies.

Workstation use and security

Define acceptable use and placement for clinical and administrative workstations. Use screen privacy, automatic timeouts, and secured docking areas to minimize shoulder-surfing or unattended access.

Device and media controls

Inventory devices that store PHI, apply secure configuration baselines, and use tamper-evident procedures for movement. Sanitize or destroy media before reuse or disposal, and back up data prior to relocation.

Hybrid and remote environments

For telehealth and hybrid work, harden home offices with locked storage, encrypted devices, and secure connections. Prohibit local downloads of PHI unless business-justified and protected.

Compliance and Enforcement Measures

Documentation, training, and retention

Document policies, procedures, risk analyses, and decisions, and retain required records for at least six years. Provide role-specific training at onboarding and periodically thereafter, tracking completion and remediation.

Breach notification readiness

Establish a process to identify, assess, and respond to potential breaches. When a breach of unsecured PHI occurs, notify affected individuals and regulators as required, and implement corrective actions to prevent recurrence.

Investigations and penalties

The HHS Office for Civil Rights investigates complaints and breaches, issues corrective action plans, and may impose civil monetary penalties. State attorneys general may also enforce HIPAA. Although HIPAA does not create a private right of action, individuals may pursue remedies under other laws.

Continuous improvement

Integrate HIPAA controls into enterprise risk management. Perform periodic evaluations, vendor reassessments, and tabletop exercises. Use metrics—such as access review results and incident trends—to drive targeted improvements.

Conclusion

Effective HIPAA compliance balances patient rights with operational realities. By honoring access requests, limiting disclosures to what is permitted, using valid Individual Authorizations when needed, and sustaining Administrative, Technical, and Physical Safeguards, you create a resilient, patient-centered privacy program.

FAQs

What rights do individuals have regarding access to their PHI?

Individuals have the right to inspect and obtain a copy of PHI in the Designated Record Set, in the form and format requested if readily producible. You must respond within 30 days (with one permitted 30-day extension). Individuals can request electronic copies when you maintain ePHI and may direct you to transmit PHI to a designated third party. Reasonable, cost-based fees are allowed, and certain denials trigger a review process.

When is written authorization required for disclosing PHI?

Written Individual Authorization is required when a use or disclosure is not otherwise permitted or required by HIPAA—for example, most marketing communications, sale of PHI, disclosures of psychotherapy notes (with narrow exceptions), and many research disclosures without an Institutional Review Board Waiver. Authorizations must include specific elements, be in plain language, and be signed and dated.

What safeguards must covered entities implement to protect PHI?

Implement Administrative Safeguards (governance, training, minimum necessary, BAAs), Technical Safeguards (access control, audit and integrity controls, authentication, encryption in transit and at rest where appropriate), and Physical Safeguards (facility, workstation, and device/media protections). For ePHI, perform a risk analysis and manage risks through policies, controls, monitoring, and contingency planning.

How does the HIPAA Privacy Rule regulate disclosures for research purposes?

You may disclose PHI for research with a valid Individual Authorization or under an Institutional Review Board Waiver (or Privacy Board waiver) that documents why the research meets HIPAA criteria. You can also use de-identified data or a Limited Data Set under a Data Use Agreement, and you may share PHI for preparatory-to-research activities or research solely on decedents’ information under specific conditions.
