HIPAA Privacy Rule Requirements: The Five Core Components Compliance Guide


HIPAA Privacy Rule Requirements: The Five Core Components Compliance Guide

Kevin Henry

HIPAA

February 04, 2025

6 minutes read

Privacy Standards for Protected Health Information

What counts as Protected Health Information (PHI)

PHI is individually identifiable health information—past, present, or future—maintained or transmitted by a covered entity or business associate. It includes medical records, billing details, lab results, and any data that ties health information to identifiers like names, addresses, or account numbers.

Core privacy principles you must apply

Limit uses and disclosures to what the Privacy Rule permits; otherwise, obtain a valid authorization. Give individuals clear, plain-language information about your practices through a Notice of Privacy Practices. Maintain policies that define when staff may access PHI and how it is shared.

The Minimum Necessary Standard

When using or disclosing PHI—or requesting it from others—you must limit the information to the minimum necessary to accomplish the purpose. This standard does not apply to disclosures for treatment, to the individual, or when a valid authorization or legal requirement compels disclosure.

Authorization Requirements

When a use or disclosure is not otherwise permitted, you need an authorization that specifies the information, the recipient, the purpose, an expiration or event, and the individual’s right to revoke. You must keep copies and honor any limitations stated in the authorization.

De-identification and limited data sets

You may remove 18 identifiers (safe harbor) or rely on expert determination to de-identify data. For limited data sets, use a data use agreement and share only the minimum elements needed for research, public health, or operations.
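As an added illustration of the safe harbor path described above (this is example code written for this guide, not code from the article or from Accountable), the following Python script de-identifies a constructed patient record the way safe harbor requires: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse into a single category, and ZIP codes are truncated. The field names, the two fictional records and the three-digit ZIP population table are assumptions; a real implementation would look the ZIP prefixes up against census data.

```python
from datetime import date

# Fields retained as-is because they carry no identifier on their own
# (field names are assumptions for this example, not the article's).
PASS_THROUGH_FIELDS = {"state", "sex", "diagnosis_code", "lab_result"}

# Dates directly tied to the individual: only the year may survive.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Constructed stand-in for the census lookup safe harbor needs: three-digit ZIP
# prefixes whose combined population exceeds 20,000 may be kept; all others
# are replaced with "000".
ZIP3_POPULATION_OVER_20K = {"021", "100", "606"}


def generalize_zip(zip_code: str) -> str:
    prefix = zip_code[:3]
    return prefix if prefix in ZIP3_POPULATION_OVER_20K else "000"


def generalize_age(age: int):
    # Ages over 89 collapse into one "90+" category.
    return "90+" if age > 89 else age


def deidentify(record: dict) -> dict:
    """Return a safe-harbor style copy of one record.

    Default deny: only the fields listed above survive, transformed where the
    method requires it. Names, SSN, MRN, e-mail, IP address, device serials,
    photos and any unlisted "other unique identifier" are simply not copied.
    """
    over_89 = record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in PASS_THROUGH_FIELDS:
            out[field] = value
        elif field in DATE_FIELDS:
            # A birth year alone would reveal an age over 89, so it goes too.
            if field == "date_of_birth" and over_89:
                continue
            out[field] = value.year
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(value)
        # anything else is an identifier or unknown and is not copied
    return out


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-12345",
     "email": "jane@example.com", "state": "MA", "zip": "02139", "age": 73,
     "sex": "F", "date_of_birth": date(1951, 3, 14),
     "admission_date": date(2024, 6, 2), "diagnosis_code": "E11.9"},
    {"name": "John Roe", "ip_address": "203.0.113.5", "state": "ME",
     "zip": "04101", "age": 92, "sex": "M", "date_of_birth": date(1932, 1, 9),
     "discharge_date": date(2024, 2, 20), "diagnosis_code": "I10"},
]


def deidentify_all(records):
    return [deidentify(r) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS):
        print(row)
```

The allowlist design matters more than the specific list: a denylist of known identifier fields silently passes any new column a schema change introduces, while an allowlist fails closed and so also covers the catch-all "any other unique identifying number" category.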

Covered Entities and Business Associates

Who is a covered entity?

Covered Entities include health plans, health care clearinghouses, and providers who transmit health information electronically in standard transactions. If you fall into these categories, the Privacy Rule governs how you use, disclose, and safeguard PHI.

Who is a business associate?

Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. Common examples include billing services, cloud hosts, e-prescribing tools, analytics firms, and consultants handling PHI.

Business Associate Agreements (BAAs)

You must execute BAAs that define permitted uses and disclosures, require appropriate safeguards, mandate breach reporting, flow obligations to subcontractors, and allow contract termination for material breaches. Keep BAAs current and accessible.

Accountability across the chain

Covered Entities must vet vendors, document due diligence, and monitor performance. Business Associates must implement controls, train their workforce, and follow the Minimum Necessary Standard when handling PHI for agreed purposes.

Use and Disclosure Limitations

Permitted uses and disclosures without authorization

You may use or disclose PHI for treatment, payment, and health care operations. Additional permitted categories include public health reporting, health oversight, certain judicial and law enforcement purposes, decedent matters, and to avert serious threats when conditions are met.

Applying the Minimum Necessary Standard

For most non-treatment disclosures, disclose only what is reasonably necessary. Use role-based access, standardized request forms, and decision matrices so staff consistently limit PHI to the smallest workable amount.
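The role-based, decision-matrix approach described here, together with the treatment and to-the-individual exemptions from the Minimum Necessary section above, can be expressed as a small release filter. The following Python is an added example written for this guide, not code from the article or from Accountable; the roles, field names, purpose labels and the sample record are assumptions. Authorization-based and legally compelled disclosures are checked by a separate step that this example does not model.

```python
# Field sets each workforce role may receive when the purpose is not exempt.
# Roles and field names are assumptions for this example.
ROLE_FIELDS = {
    "billing": {"patient_id", "dates_of_service", "procedure_codes", "insurance_id"},
    "scheduling": {"patient_id", "name", "phone", "next_appointment"},
    "quality_analyst": {"patient_id", "diagnosis_codes", "procedure_codes"},
}

# Purposes the article lists as outside the Minimum Necessary Standard:
# treatment and disclosure to the individual. Authorization-based and
# legally compelled disclosures are handled elsewhere and not modelled here.
FULL_RECORD_PURPOSES = {"treatment", "to_individual"}


def minimum_necessary(record: dict, role: str, purpose: str):
    """Return (released_fields, withheld_field_names) for one request.

    Exempt purposes get the whole record; everything else is cut down to the
    requesting role's field set. An unknown role releases nothing.
    """
    if purpose in FULL_RECORD_PURPOSES:
        return dict(record), set()
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(
            f"no minimum-necessary field set defined for role {role!r}")
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = set(record) - set(released)
    return released, withheld


# Constructed sample record (fictional patient and values).
SAMPLE_RECORD = {
    "patient_id": "P-001", "name": "Jane Doe", "phone": "555-0100",
    "dates_of_service": ["2024-06-02"], "procedure_codes": ["99213"],
    "diagnosis_codes": ["E11.9"], "insurance_id": "INS-777",
    "next_appointment": "2025-03-01", "clinical_notes": "follow-up in 3 months",
}


if __name__ == "__main__":
    for role, purpose in [("billing", "payment"), ("billing", "treatment"),
                          ("quality_analyst", "operations")]:
        released, withheld = minimum_necessary(SAMPLE_RECORD, role, purpose)
        print(role, purpose, "released:", sorted(released),
              "withheld:", sorted(withheld))
```

Returning the withheld field names alongside the released data is deliberate: it gives the requester a record of what the matrix cut and gives auditors an easy way to spot roles whose field sets have drifted wider than their job requires.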

Marketing, fundraising, and sale of PHI

Marketing generally requires an authorization if it involves financial remuneration. Fundraising may use limited demographics; honor opt-out requests. The sale of PHI requires express authorization unless an exception applies.

Research pathways

For research, rely on individual authorization, an IRB/Privacy Board waiver, de-identified data, or a limited data set with a data use agreement. Document your legal basis and apply Minimum Necessary controls.

Notice of Privacy Practices

Provide your Notice of Privacy Practices at the first service encounter and make it readily available thereafter. The notice must explain permitted uses and disclosures, individual rights, and how to exercise those rights.


Individuals’ Rights under the Privacy Rule

Right of access

Individuals have the right to inspect or receive copies of their PHI, including electronic copies when maintained electronically. Respond promptly, within required timeframes, and use the format requested when feasible.

Right to request amendments

Individuals may request corrections to PHI in the designated record set. Evaluate the request, document your decision, and, if approved, append or link the amendment so future users see the corrected information.

Right to request restrictions and confidential communications

Individuals can ask you to restrict certain disclosures. You must honor requests to withhold information from a health plan when the individual pays the full charge out of pocket. Provide reasonable accommodations for alternative contact methods or locations.

Right to an accounting of disclosures

Upon request, provide an accounting of certain disclosures made in a defined lookback period, excluding uses for treatment, payment, and operations and other exempt categories. Keep logs so you can respond accurately.
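The "keep logs so you can respond accurately" point is easiest to see with a disclosure log and the query that produces an accounting from it. The Python below is an added example written for this guide, not code from the article or from Accountable. It records each disclosure with a purpose category, then answers a request by keeping only the individual's entries inside the lookback window and dropping the exempt categories. The purpose labels, the six-year default (the author of this example takes it as the default; confirm against the current rule text) and the fictional log entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str      # category used to decide whether the entry is accountable
    description: str  # brief statement of what was disclosed


# Purpose categories the article says an accounting excludes: treatment,
# payment, health care operations, plus other exempt categories (here,
# disclosure to the individual and disclosures under the individual's
# authorization). Category names are assumptions for this example.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_individual", "authorized"}


def years_before(as_of: date, years: int) -> date:
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:  # 29 February with a non-leap target year
        return as_of.replace(year=as_of.year - years, day=28)


def accounting_of_disclosures(log, patient_id, as_of_iso, lookback_years=6):
    """Accountable entries for one individual, oldest first.

    as_of_iso is the request date as an ISO string; the window runs back
    lookback_years from it. Exempt purposes are never listed.
    """
    as_of = date.fromisoformat(as_of_iso)
    start = years_before(as_of, lookback_years)
    hits = [d for d in log
            if d.patient_id == patient_id
            and start <= d.disclosed_on <= as_of
            and d.purpose not in EXEMPT_PURPOSES]
    return sorted(hits, key=lambda d: d.disclosed_on)


# Constructed disclosure log (fictional patients, recipients and dates).
DISCLOSURE_LOG = [
    Disclosure("P-001", date(2025, 1, 10), "State immunization registry",
               "public_health", "Vaccination record"),
    Disclosure("P-001", date(2024, 11, 2), "Referral cardiology practice",
               "treatment", "Referral summary"),
    Disclosure("P-001", date(2024, 7, 7), "Health plan",
               "payment", "Claim for 2024-06-02 visit"),
    Disclosure("P-001", date(2023, 5, 19), "County court",
               "judicial", "Records produced under court order"),
    Disclosure("P-001", date(2018, 3, 1), "State immunization registry",
               "public_health", "Vaccination record"),
    Disclosure("P-002", date(2024, 9, 9), "State health oversight agency",
               "health_oversight", "Audit sample"),
]


if __name__ == "__main__":
    for d in accounting_of_disclosures(DISCLOSURE_LOG, "P-001", "2025-02-04"):
        print(d.disclosed_on, d.recipient, d.purpose, d.description)
```

The exclusion is done by purpose category rather than by free text, which is why the category must be captured at the moment of disclosure: an accounting can only be as accurate as the log it is built from, and an entry logged without a purpose cannot be safely excluded later.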

Right to receive the Notice of Privacy Practices and to complain

Individuals are entitled to your current Notice of Privacy Practices and may file complaints without retaliation. Document your complaint handling process and outcomes.

Safeguards and Security Measures

Administrative Safeguards

Conduct risk analyses, assign a privacy official, adopt policies and procedures, and train your workforce. Apply sanctions for violations, manage vendor risk, and maintain documentation for the required retention period.

Physical and technical safeguards

Control facility access, secure devices and records, and implement technical controls such as unique user IDs, role-based access, encryption where appropriate, and audit logging. Align privacy policies with your Security Rule program for ePHI.

Operational controls and incident response

Use standardized minimum-necessary workflows, verify identities before disclosures, and follow a documented incident response plan. Investigate suspected incidents promptly and apply lessons learned to strengthen controls.

Ongoing monitoring and improvement

Perform periodic audits, validate access patterns, and test contingency plans. Update BAAs, policies, and training when workflows or laws change, and keep evidence of compliance activities.

Conclusion

To comply with the HIPAA Privacy Rule, center your program on five components: clear privacy standards for PHI, defined roles for Covered Entities and Business Associates, strict use and disclosure limits, strong individual rights processes, and robust safeguards. Build repeatable, documented practices that apply the Minimum Necessary Standard and honor Authorization Requirements.

FAQs

What are the five major components of the HIPAA Privacy Rule?

The five components are: (1) privacy standards for Protected Health Information (PHI); (2) roles and responsibilities of Covered Entities and Business Associates; (3) limitations on uses and disclosures, including the Minimum Necessary Standard and Authorization Requirements; (4) individuals’ rights to access, amend, restrict, and receive notices and accountings; and (5) safeguards—administrative, physical, and technical—to protect PHI.

Who must comply with the HIPAA Privacy Rule?

Health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions must comply, as must their Business Associates that create, receive, maintain, or transmit PHI on their behalf. Subcontractors handling PHI are also bound through Business Associate obligations.

How does the Privacy Rule protect patient information?

It restricts uses and disclosures of PHI to defined purposes, requires the Minimum Necessary Standard, mandates Authorization Requirements for non-permitted uses, and obligates entities to publish a Notice of Privacy Practices. It also requires Administrative Safeguards and other controls to prevent unauthorized access or disclosure.

What rights do individuals have under the HIPAA Privacy Rule?

Individuals can access and obtain copies of their PHI, request amendments, ask for restrictions and confidential communications, and receive an accounting of certain disclosures. They are entitled to a Notice of Privacy Practices and may file complaints without fear of retaliation.
