HIPAA Privacy Rule Protections and Restrictions for PHI: Explained


Kevin Henry

HIPAA

February 10, 2025

The HIPAA Privacy Rule sets national standards for how protected health information (PHI) is used and disclosed. This guide explains what counts as PHI, who must comply, when sharing is allowed, and how you can exercise your rights. You’ll also learn practical steps for minimum necessary use, safeguards, and new protections for reproductive health information.

Protected Health Information Definition

PHI is individually identifiable health information created or received by a covered entity or its business associate. It relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, and it can exist in any form—paper, electronic, or oral.

What counts as PHI

  • Medical records, diagnoses, treatment plans, test results, and billing details tied to an identifiable person.
  • Identifiers such as names, addresses, full-face photos, device IDs, or other data that could reasonably identify someone when linked to health details.
  • E-PHI stored in EHRs, patient portals, mobile apps operated by covered entities, or messages containing care information.

What is not PHI

  • De-identified information that removes specified identifiers and cannot reasonably identify a person.
  • Education records protected by FERPA and employment records held by a covered entity in its role as employer.
  • Aggregated statistics that do not identify individuals and research datasets properly de-identified.

De-identification and limited data sets

De-identification can be achieved through expert determination or the Safe Harbor method. A limited data set excludes direct identifiers and may be used for research, public health, or operations under a data use agreement that sets strict permissible uses and safeguards.

Covered Entities Overview

Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. They must implement policies, train staff, and document compliance across their operations.

Business associates

Vendors that create, receive, maintain, or transmit PHI on behalf of covered entities are business associates. Written business associate agreements require safeguards, limit uses, and obligate reporting of incidents and breaches.

Hybrid entities and organized arrangements

Organizations with both covered and non-covered functions may designate themselves as hybrid entities, segmenting PHI to the covered components. Organized health care arrangements allow participants to share PHI for joint operations while preserving individual accountability.

Authorized Uses and Disclosures

Permitted without authorization

  • Treatment, payment, and health care operations (TPO), including care coordination and quality improvement.
  • Public interest and benefit activities, such as those required by law, health oversight, and the public health exception for disease control and reporting.
  • Judicial and administrative proceedings, certain law enforcement purposes, organ and tissue donation, and workers’ compensation as permitted by law.
  • Incidental disclosures that occur despite reasonable safeguards, and limited data set disclosures under a data use agreement.

Uses requiring written permission

When a use or disclosure is not otherwise permitted, individual authorization requirements apply. You must obtain a valid, signed authorization for marketing (with narrow exceptions), sale of PHI, most uses of psychotherapy notes, and research that lacks a waiver of authorization.

Opportunity to agree or object

You may provide a patient the chance to agree or object to facility directories, sharing with family or friends involved in care, or certain notification purposes. Document the patient’s preference and apply the minimum necessary use principle when relevant.

Individual Rights Under HIPAA

Right of access

You have the right to inspect and obtain a copy of your PHI in the format requested if readily producible, including electronic copies. Reasonable, cost-based fees may apply, and providers must respond within established timeframes.

Right to amend

You may request corrections to your records. If denied, you can submit a statement of disagreement that becomes part of the record set and must accompany future disclosures where relevant.

Accounting of disclosures

You can request an accounting of disclosures made for reasons other than TPO and certain other exceptions. Covered entities must track and provide the required details within set time limits.

Restrictions and confidential communications

You may request restrictions on uses or disclosures and ask to receive communications by alternate means or at alternate locations. If you pay a provider in full out-of-pocket, you can require that information not be shared with your health plan for that item or service.

Notice and complaints

You are entitled to a Notice of Privacy Practices explaining how your PHI is used, your rights, and how to file a complaint. Covered entities must not retaliate against you for exercising your rights.

Safeguards for PHI Protection

HIPAA’s Security Rule requires layered protections aligned to risk. Build controls across administrative safeguards, technical safeguards, and physical safeguards; monitor their effectiveness; and adjust as risks evolve.

Administrative safeguards

  • Enterprise risk analysis, role-based access, sanction policies, and workforce training tailored to job functions.
  • Vendor due diligence, business associate agreements, incident response plans, and contingency planning with tested backups.
  • Policies for minimum necessary use, verification of requestors, and regular audit and review.

Technical safeguards

  • Unique user IDs, multifactor authentication, and least-privilege access to systems holding e-PHI.
  • Encryption of data in transit and at rest, integrity controls, and audit logs with alerts for anomalous activity.
  • Endpoint protection, secure configuration baselines, and data loss prevention for email and file sharing.

Physical safeguards

  • Facility access controls, visitor management, and secured server rooms.
  • Workstation and device protections, including screen privacy, cable locks, and secure storage.
  • Media re-use and disposal procedures using approved destruction methods.

Responding to incidents and the Breach Notification Rule

Assess incidents promptly to determine if there is a breach of unsecured PHI. If so, the Breach Notification Rule requires timely notice to affected individuals, reporting to HHS, and for large breaches, notice to prominent media. Document risk assessments, decisions, and corrective actions.

Minimum Necessary Standard Compliance

The minimum necessary standard limits uses, disclosures, and requests to the least PHI needed to accomplish the purpose. Build policies, role-based access, and workflows that enforce minimum necessary use by default.

Key exceptions

The standard does not apply to disclosures to or requests by a health care provider for treatment, to disclosures made to the individual, uses or disclosures authorized by the individual, or those required by law or for HIPAA compliance reviews.

Operationalizing the standard

  • Define routine disclosures with pre-approved data elements; require review for non-routine requests.
  • Use data segmentation, masking, and templates to limit what staff see and share.
  • Verify identity and authority of requestors; rely on professional judgment when permitted and document reasoning.
  • Audit access and sharing patterns and remediate outliers quickly.

Specific Protections for Reproductive Health Information

HIPAA now includes targeted protections for reproductive health information. Covered entities and business associates are prohibited from using or disclosing PHI to investigate or impose liability for seeking, obtaining, providing, or facilitating reproductive health care that is lawful where provided or protected by federal law.

Attestation and request handling

Certain disclosures—such as those for law enforcement, health oversight, judicial proceedings, and others—require a signed attestation that the PHI is not sought for a prohibited purpose. Deny or narrow requests that lack proper authority or appear aimed at identifying or investigating lawful reproductive care.

Practical compliance steps

  • Update policies, workforce training, and intake triage to spot and route sensitive requests.
  • Revise Notices of Privacy Practices to reflect new rights and limits.
  • Adopt templates for evaluating subpoenas and warrants, and implement data segmentation to constrain disclosures.
  • Document determinations, retain attestations, and coordinate with counsel when requests cross state lines.

Conclusion

The HIPAA Privacy Rule protects PHI through clear boundaries on use and disclosure, strong individual rights, and layered safeguards. By enforcing minimum necessary use, honoring authorization requirements, and applying the new reproductive health protections, you can meet legal obligations while maintaining patient trust.

FAQs

What types of information are protected under HIPAA's Privacy Rule?

Protected information includes any identifiable data about a person’s health status, care received, or payment for care, in any format. Examples are charts, lab results, insurance claims, and care messages tied to a person. De-identified data, FERPA education records, and employer-held HR files are not PHI.

How does the Minimum Necessary Standard limit PHI use?

It requires you to use, disclose, and request only the smallest amount of PHI needed for the task. Build role-based access, routing rules, and templates so staff see and share only essential elements. It does not apply to treatment, disclosures to the individual, uses with a valid authorization, or disclosures required by law.

What rights do individuals have regarding their health information?

Individuals can access and receive copies of their PHI (including electronic), request amendments, obtain an accounting of certain disclosures, ask for restrictions and confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation. They can also restrict sharing with a health plan when they pay out-of-pocket in full.

When is disclosure to law enforcement permitted?

Disclosures are allowed in specific circumstances, such as responding to a court order, warrant, or valid subpoena; reporting certain injuries or crimes; locating a suspect, fugitive, material witness, or missing person; or reporting a crime on the premises or in emergencies. You must limit information to what is permitted, verify authority, and—under new rules—decline requests aimed at investigating lawful reproductive health care unless an exception applies.
