HIPAA Privacy Rule Requirements, Permitted Uses, and Patient Rights: A Guide
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule establishes national standards for how Covered Entities and their Business Associates may use and disclose Protected Health Information (PHI). It applies to PHI in any form—paper, oral, or electronic (ePHI)—and gives you enforceable rights over your health information.
Who must comply
- Covered Entities: healthcare providers, health plans, and healthcare clearinghouses.
- Business Associates: vendors or partners that handle PHI on behalf of a Covered Entity (for example, billing companies, cloud hosts, and certain analytics vendors) under a Business Associate Agreement.
What counts as Protected Health Information
PHI is individually identifiable health information that relates to your past, present, or future physical or mental health or condition, the provision of care, or payment for care. If data can identify you—alone or in combination—it’s likely PHI unless it has been properly de-identified.
Core obligations
- Minimum Necessary: limit PHI use and disclosure to the least amount needed to accomplish the purpose (with narrow exceptions, such as disclosures for treatment or to you).
- Reasonable Safeguards: implement administrative, physical, and technical measures to prevent inappropriate access or “Incidental Disclosures.”
- Policies, Training, and Documentation: define internal processes and train the workforce on the Privacy Rule requirements.
Permitted Uses and Disclosures
The Privacy Rule allows certain uses and disclosures of PHI without Patient Authorization and requires authorization for others. Understanding these categories helps you know when your information may be shared.
Without authorization for treatment, payment, and healthcare operations (TPO)
- Treatment: coordination or management of care among providers, consultations, and referrals.
- Payment: eligibility checks, billing, claims management, and collections.
- Healthcare Operations: quality assessment, improving care, credentialing, training, risk management, auditing, and business planning.
Without authorization for public interest and other specific purposes
- Required by law or to comply with court orders and certain subpoenas.
- Public health activities (for example, reporting certain diseases or adverse events).
- Health oversight activities (licensure or compliance investigations).
- Law enforcement purposes under defined conditions.
- Coroners, medical examiners, and funeral directors; organ and tissue donation.
- To avert a serious and imminent threat to health or safety.
- Workers’ compensation and similar programs.
- Research with an Institutional Review Board (IRB) or Privacy Board waiver, use of a limited data set with a data use agreement, or de-identified information.
- Specialized government functions (such as national security) and for certain correctional or custodial settings.
Uses and disclosures requiring Patient Authorization
For most other purposes, a valid written Patient Authorization is required. Examples include many marketing activities, the sale of PHI, and most uses of psychotherapy notes. You may revoke an authorization in writing at any time, unless a Covered Entity has already relied on it.
Incidental Disclosures
Limited, incidental disclosures that occur as a by-product of an otherwise permitted use (such as overheard names at a registration desk) are allowed if the Covered Entity employs reasonable safeguards and the Minimum Necessary standard.
Patient Rights Under HIPAA
The Privacy Rule gives you actionable rights over your PHI. At a high level, you can:
- Access and obtain copies of your health records and request them in a readily producible format.
- Request amendments to correct or clarify information in the designated record set.
- Request restrictions on certain uses and disclosures, including a special right to restrict disclosures to a health plan when you pay in full out of pocket for a specific item or service.
- Request confidential communications (for example, contact you at a different address or by email).
- Receive an Accounting of Disclosures made for certain purposes other than TPO.
- Receive and review a Notice of Privacy Practices explaining how your PHI may be used and your rights under the rule.
Notice of Privacy Practices
The Notice of Privacy Practices (NPP) explains how a Covered Entity uses and discloses PHI, your rights, and the entity’s responsibilities. It must be written in plain language and include a point of contact for privacy questions and complaints, the effective date, and statements about when authorization is required.
Distribution and availability
- Providers: present the NPP at the first service encounter, post it prominently at the site of care, and make it available on any public website. In direct treatment settings, providers must make a good-faith effort to obtain your written acknowledgment of receipt.
- Health Plans: provide the NPP at enrollment and notify members at least once every three years that the NPP is available and how to obtain it.
Material changes
Covered Entities must promptly update and redistribute or repost the NPP when material changes occur and keep the current version readily accessible to you.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Requesting Amendments and Restrictions
Requesting an amendment
You may ask a Covered Entity to amend PHI in the designated record set if you believe it is inaccurate or incomplete. The entity generally must act within 60 days (with one 30‑day extension if needed) by making the amendment or denying it in writing with a clear reason and instructions for filing a statement of disagreement. If denied, you can submit a statement of disagreement that must be linked to the disputed information in future disclosures.
Requesting restrictions
You can request restrictions on the use or disclosure of your PHI for TPO or to family and friends involved in your care. Covered Entities are not required to agree, except they must accept a restriction on disclosure to a health plan for a specific item or service when you pay in full out of pocket, and the disclosure is only for payment or operations related to that item or service. If a restriction is accepted, the entity must honor and document it.
Confidential Communications
You may request that a provider or health plan communicate with you by alternative means or at alternative locations—for example, using a P.O. box, a different phone number, or secure email. Providers must accommodate reasonable requests. Health plans must accommodate reasonable requests if you state that disclosure could endanger you.
When you choose electronic communication, you can ask for emails or portal messages. Entities should discuss the risks and available safeguards so you can make an informed choice about how you want to receive information.
Accounting of Disclosures
You have the right to an Accounting of Disclosures—a record of certain disclosures of your PHI made by a Covered Entity in the past six years, excluding most disclosures for treatment, payment, and healthcare operations and other specified exceptions (such as disclosures to you or pursuant to your authorization). The accounting must include the date, recipient, a brief description of what was disclosed, and the purpose or legal basis.
Covered Entities generally must provide the accounting within 60 days (with one 30‑day extension if needed). You are entitled to one free accounting in a 12‑month period; reasonable, cost-based fees may apply for additional requests.
Conclusion
The HIPAA Privacy Rule sets clear requirements for protecting PHI, outlines when uses and disclosures are permitted, and gives you practical rights to access, correct, and control your information. Knowing how the Notice of Privacy Practices, amendments, restrictions, confidential communications, and the Accounting of Disclosures work helps you exercise those rights confidently.
FAQs
What types of uses and disclosures are permitted without patient authorization?
Covered Entities may use or disclose PHI without authorization for treatment, payment, and healthcare operations; for certain public interest purposes (such as public health reporting, health oversight, and specific law enforcement needs); when required by law; to avert a serious threat; for organ donation and decedent-related purposes; and for approved research under defined safeguards. Limited incidental disclosures are allowed when reasonable safeguards and the Minimum Necessary standard are applied.
How can patients request restrictions on their health information?
You can submit a written request asking a Covered Entity to restrict certain uses or disclosures of your PHI for TPO or to individuals involved in your care. While entities are not required to agree, they must grant a restriction that prevents disclosure to a health plan for a particular item or service when you pay in full out of pocket and the disclosure is only for payment or operations for that item or service. If a restriction is accepted, it must be documented and followed.
What rights do patients have to access their health records?
You have the right to inspect and receive copies of PHI in the designated record set, including records maintained electronically. You can request your records in a specific format if readily producible and ask to have a copy sent to a designated person or entity. Covered Entities generally must respond within 30 days (with one 30‑day extension) and may charge only a reasonable, cost-based fee for copies.
What are the requirements for providing notice of privacy practices?
Covered Entities must provide a clear, plain-language Notice of Privacy Practices that describes permitted uses and disclosures, your rights and how to exercise them, and the entity’s duties and contacts. Providers present it at the first service encounter, post it in a prominent location and on any public website, and make a good‑faith effort to obtain written acknowledgment of receipt in direct treatment settings. Health plans deliver it at enrollment and periodically remind members of its availability.