HIPAA Privacy Rule Requirements: Protections and Restrictions for Covered Entities
The HIPAA Privacy Rule sets national standards for how you handle protected health information (PHI). It balances patient autonomy with practical workflows so you can use information to deliver care while safeguarding confidentiality. This guide explains who is covered, what information is protected, when disclosure is allowed, and how to stay compliant.
Covered Entities
Covered entities include health plans, health care clearinghouses, and health care providers who transmit PHI in standard electronic transactions such as claims, eligibility inquiries, or referrals. If you only handle paper records and never conduct those transactions electronically, you may not be a covered entity for Privacy Rule purposes.
Many organizations are “hybrid entities.” In that case, you must designate health care components subject to HIPAA and apply the Privacy Rule to those components. Affiliated providers may also form organized health care arrangements to streamline privacy notices and joint operations while preserving patient protections.
Protected Health Information Scope
PHI is individually identifiable health information created or received by a covered entity or business associate that relates to a person’s past, present, or future physical or mental health, health care, or payment for care. The Privacy Rule protects PHI in any form—electronic, paper, or oral—with special emphasis on ePHI under the Security Rule.
Data is not PHI when it is de-identified so that individuals cannot reasonably be identified. De-identification can occur through expert determination or by removing specified direct identifiers (the “safe harbor” approach). Limited data sets may be shared for research, public health, or operations with a data use agreement, but you must still apply the minimum necessary standard.
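The safe harbor approach described above works by removing or generalizing a fixed list of identifiers rather than by expert judgment. The following Python pass is an added illustration, not code from the original guide or from Accountable: it strips direct identifier fields from a constructed patient record, keeps only the first three digits of the ZIP code, reduces dates to years, and collapses ages over 89 into a single category (dropping the birth year in that case, since the year alone would reveal the age). The field names, the sample records, and the set of sparsely populated ZIP prefixes are assumptions made for the example; the real rule relies on Census population data that is not embedded here.

```python
"""Safe-harbor style de-identification of a flat patient record.

Added example. Field names, sample records and the small-population ZIP
prefix set are constructed for illustration and are not from the guide.
"""
import re
from datetime import date

# Fields the safe harbor method removes outright (field names are our own).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# Placeholder: three-digit ZIP prefixes covering 20,000 people or fewer must
# be reported as "000". The authoritative list comes from Census data; this
# set is constructed for the example only.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203", "205"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or 000 for sparsely populated prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def year_only(iso_date):
    """Reduce a date tied to the individual (ISO 8601 string) to its year."""
    return date.fromisoformat(iso_date).year


def age_category(birth_iso, as_of):
    """Compute age at as_of; ages over 89 collapse into a single '90+' bucket."""
    born = date.fromisoformat(birth_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else age


def safe_harbor_deidentify(record, as_of=date(2024, 6, 1)):
    """Return a copy of record with direct identifiers removed and
    quasi-identifiers (ZIP, dates, age) generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = year_only(value)
        else:
            out[key] = value
    if "birth_date" in record:
        age = age_category(record["birth_date"], as_of)
        out["age"] = age
        if age == "90+":
            # A birth year for someone over 89 would itself reveal the age.
            out.pop("birth_year", None)
    return out


def has_residual_identifiers(deidentified):
    """Sanity check used after the pass: no direct identifier or raw date left."""
    return any(k in DIRECT_IDENTIFIER_FIELDS or k.endswith("_date") for k in deidentified)


# Constructed sample input: an elderly patient in a sparsely populated ZIP prefix.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-00012345",
    "street_address": "12 Example Lane",
    "city": "Springfield",
    "zip": "03601",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "birth_date": "1931-03-15",
    "admission_date": "2024-02-10",
    "diagnosis_code": "E11.9",
    "attending_department": "Endocrinology",
}

# Constructed sample input: a younger patient in a populous ZIP prefix.
SECOND_RECORD = {
    "name": "John Doe",
    "zip": "10001-1234",
    "birth_date": "1980-07-20",
    "discharge_date": "2024-03-02",
    "diagnosis_code": "J18.9",
}

if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, SECOND_RECORD):
        cleaned = safe_harbor_deidentify(rec)
        print(cleaned, "residual identifiers:", has_residual_identifiers(cleaned))
```

Removing the listed fields is only half of the method: the covered entity must also have no actual knowledge that the remaining data could identify the individual, which is why free-text fields (clinical notes, for example) need separate review rather than a field-name filter.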
Permitted Uses and Disclosures
You may use or disclose PHI without individual authorization for treatment, payment, and health care operations (TPO), provided you apply the minimum necessary standard when appropriate. Treatment includes coordination and management of care; payment covers billing and collections; operations include quality improvement, credentialing, and auditing.
The Privacy Rule also permits disclosures for public interest and benefit, including requirements of law, public health reporting, health oversight, judicial and administrative proceedings, certain law enforcement purposes, organ and tissue donation, coroners and medical examiners, workers’ compensation, and to avert a serious threat to health or safety. Incidental disclosures are permissible if you implement reasonable safeguards.
Individual authorization is generally required for uses beyond TPO, such as most marketing, the sale of PHI, and many research activities without waiver. Psychotherapy notes receive extra protection and typically cannot be used or disclosed without specific authorization.
Individual Rights and Access
Individuals have the right to receive a Notice of Privacy Practices—your plain-language privacy policy documentation describing how PHI may be used and shared, their rights, and how to file a complaint. You must make the notice available at first service, post it prominently, and keep it up to date.
People have the right to access and obtain copies of their PHI, including electronic copies when you maintain records electronically. You generally must respond within a defined timeframe and may charge only reasonable cost-based fees. Individuals may request restrictions on certain disclosures, ask for confidential communications (for example, to an alternative address), and request an amendment when information is inaccurate or incomplete.
They also have the right to an accounting of disclosures for certain non-routine disclosures. Your processes should clearly explain how to submit requests, how decisions are made, and what appeal options or complaint avenues are available.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Safeguards for PHI
The Privacy Rule requires reasonable safeguards to prevent unauthorized uses or disclosures, and the Security Rule adds specific protections for ePHI. Your program should combine administrative safeguards (policies, workforce training, risk analysis, sanctions, and role-based access) with physical controls (facility access, workstation security) and technical safeguards (unique user IDs, authentication, access control, audit logging, transmission security, and encryption at rest and in transit where appropriate).
Apply the minimum necessary standard to routine workflows, use de-identification or pseudonymization when feasible, and maintain contingency plans for availability. Monitor for breaches, investigate promptly, and follow breach notification procedures when an incident compromises unsecured PHI.
Business Associate Responsibilities
Business associates are vendors or partners who create, receive, maintain, or transmit PHI on your behalf—such as billing services, cloud hosts, EHR vendors, and analytics firms. They must implement safeguards, limit uses and disclosures to the contracted purpose, and report breaches without unreasonable delay.
You must execute a Business Associate Agreement (BAA) before sharing PHI. The BAA requires downstream subcontractors to meet the same obligations, mandates appropriate administrative and technical safeguards, and clarifies permissible uses, termination rights, and data return or destruction at contract end.
Compliance and Enforcement
Build a documented compliance program that includes governance, risk assessments, training, sanctions, complaint handling, and non-retaliation procedures to protect individuals who exercise their rights or report concerns. Retain required documentation for the mandated period and keep policies synchronized with operational reality.
HIPAA is enforced primarily by the Office for Civil Rights (OCR). OCR may investigate complaints, perform compliance reviews, and negotiate resolution agreements with corrective action plans. Civil money penalties follow a tiered structure based on culpability, with annual caps adjusted periodically. Criminal penalties may apply for knowingly obtaining or disclosing PHI unlawfully, including potential fines and imprisonment, and state attorneys general may also bring actions.
Conclusion
Effective HIPAA Privacy Rule compliance means knowing what PHI you hold, limiting how it is used and shared, honoring individual rights promptly, and hardening your environment with layered safeguards. With clear policies, strong vendor management, and continuous monitoring, you protect patients and reduce organizational risk.
FAQs
What entities are considered covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers who transmit PHI in standard electronic transactions. Providers become covered entities when they conduct tasks like electronic claims or eligibility checks; organizations that never conduct such transactions electronically may fall outside this definition.
What are permitted uses of PHI without individual authorization?
You may use and disclose PHI without authorization for treatment, payment, and health care operations, and for specified public interest purposes such as public health reporting, health oversight, certain law enforcement needs, judicial proceedings, organ donation, and to avert serious threats. Apply the minimum necessary standard except in the cases the rule exempts, such as disclosures for treatment.
How can individuals request corrections to their PHI?
Individuals can submit a written request to amend PHI they believe is inaccurate or incomplete. You must review the request, act within the required timeframe, and either make the amendment or provide a written denial explaining why, along with instructions for submitting a statement of disagreement that becomes part of the record.
What are the penalties for HIPAA Privacy Rule violations?
OCR can impose civil money penalties using a tiered structure that scales with the level of negligence and is subject to annual caps. Violations may also result in resolution agreements and corrective action plans. In egregious cases, criminal penalties—including fines and potential imprisonment—may apply for knowingly obtaining or disclosing PHI unlawfully.