HIPAA Privacy Rule Requirements: What Covered Entities Must Do to Comply

Kevin Henry

HIPAA

May 10, 2024

8 minutes read
The HIPAA Privacy Rule sets national standards for how Covered Entities handle protected health information (PHI). If you are a health plan, health care clearinghouse, or a health care provider that conducts standard electronic transactions, you must implement practical controls that limit uses and disclosures, respect individual rights, and safeguard PHI across your organization.

This guide walks you through the core Privacy Rule requirements—designating a Privacy Official, building policies, training your workforce, applying administrative, technical, and physical safeguards, managing Business Associates, honoring individual rights, documenting your program, handling complaints, and following the Breach Notification Rule.

Designate Privacy Officer

Role and authority

Appoint a Privacy Official (often called the Privacy Officer) with authority to develop, implement, and oversee your HIPAA Privacy Rule program. This leader coordinates policy design, monitors day-to-day compliance, and serves as the primary point of contact for privacy questions across clinical, operational, and IT teams.

You must also identify a contact person or office to receive privacy inquiries and complaints, and to provide information about your Notice of Privacy Practices. Ensure the Privacy Officer has independence and direct access to senior leadership for issue escalation.

Core responsibilities

  • Draft, approve, and maintain privacy policies and procedures.
  • Advise on permissible uses and disclosures, including minimum necessary.
  • Coordinate workforce training and sanctions for noncompliance.
  • Oversee Business Associate Agreements and vendor risk management.
  • Lead incident response, breach risk assessments, and notifications.
  • Monitor program metrics and report to governance or compliance committees.

Practical steps

  • Define a written charter, authority, and reporting structure.
  • Assign backups for continuity and coverage.
  • Establish regular audits and compliance reviews with the Security Officer.

Implement Privacy Policies

Build a coherent policy framework

Create policies that define how PHI is used and disclosed for treatment, payment, and health care operations, and when authorization is required (for example, most marketing and sale of PHI). Embed the minimum necessary standard so staff access and disclose only what is needed for the task.

Publish and maintain your Notice of Privacy Practices (NPP), define processes for authorizations and revocations, and outline sanctions and mitigation steps for improper uses or disclosures. Include procedures for de-identification or use of limited data sets with data use agreements.

Core policies to adopt

  • Use/disclosure rules, including role-based access and minimum necessary.
  • Authorization, revocation, and verification of identity/authority.
  • Notice of Privacy Practices issuance, posting, and updates.
  • Mitigation and sanction procedures for violations.
  • Retention and destruction of PHI and program documentation.

Conduct Workforce Training

Training scope and cadence

Train all workforce members—employees, volunteers, trainees, and contractors—on your privacy policies and procedures. Provide training upon onboarding and within a reasonable time after material policy changes, with refreshers to reinforce high-risk topics and role-based responsibilities.

Document attendance, dates, content, and assessment results. Use scenario-based modules (e.g., minimum necessary, disclosures to family, patient access requests) to make expectations practical and memorable.

Program essentials

  • Role-specific modules that reflect real workflows and systems.
  • Assessments to verify understanding; targeted remediation when needed.
  • Ongoing awareness: quick tips, job aids, and leadership messaging.

Apply Privacy Safeguards

Right-sized protections for PHI

The Privacy Rule requires “appropriate” safeguards to prevent impermissible uses and disclosures. Align your protections with Administrative Safeguards, Technical Safeguards, and Physical Safeguards, and coordinate closely with the HIPAA Security Rule for electronic PHI (ePHI).

Administrative Safeguards

  • Written policies, risk assessments, and minimum necessary controls.
  • Workforce clearance, role-based access, and sanction processes.
  • Vendor oversight, incident response, and contingency procedures.

Technical Safeguards

  • Unique user IDs, authentication, automatic logoff, and access logging.
  • Transmission protections (e.g., secure messaging); encryption of devices and media where feasible.
  • Data loss prevention and auditing to detect inappropriate access or disclosures.

Physical Safeguards

  • Facility access controls, secure workstations, and protected printer/fax areas.
  • Locked storage for paper records; secure transport of PHI.
  • Shredding or certified destruction of paper and media when no longer needed.

Manage Business Associates

Identify and contract

Vendors that create, receive, maintain, or transmit PHI on your behalf are Business Associates. Before sharing PHI, execute Business Associate Agreements that define permissible uses/disclosures, require safeguards, and mandate breach reporting to you without unreasonable delay.

What to include in Business Associate Agreements

  • Allowed uses/disclosures and prohibition on unauthorized re-disclosure.
  • Safeguard obligations, including subcontractor “flow-down” requirements.
  • Prompt incident and breach notification with necessary details.
  • Support for individual rights (access, amendment, accounting) when applicable.
  • Return or destruction of PHI at termination and rights to audit/terminate for cause.

Oversight in practice

  • Maintain an inventory of Business Associates and agreement versions.
  • Risk-rate vendors; perform due diligence and periodic reviews.
  • Require corrective action plans when deficiencies are identified.

Facilitate Individual Rights

Notice and transparency

Provide an NPP that explains how you use and disclose PHI, your duties, contact information, and how individuals can exercise their rights. Make it easily available and keep versions current when material changes occur.

Access, amendment, and accounting

  • Access: Provide PHI in the requested form and format if readily producible, or in a readable alternative. You may charge a reasonable, cost-based fee.
  • Amendment: Timely process requests to amend PHI and inform the individual of approvals or denials, including the right to submit a statement of disagreement.
  • Accounting: Upon request, furnish an accounting of certain disclosures within required timeframes.

Additional rights

  • Restrictions: Consider and document requested restrictions; certain payer restrictions apply when individuals pay in full out of pocket.
  • Confidential communications: Accommodate reasonable requests for alternative addresses or contact methods.
  • Complaints: Explain how to file complaints with you and with regulators, free from retaliation.

Maintain Documentation

What to keep and for how long

Maintain policies, procedures, NPP versions, training materials and logs, Business Associate Agreements, risk assessments, complaint files, sanctions, and breach analyses. Retain documentation for at least six years from the date of creation or the last effective date, whichever is later.

Documentation discipline

  • Use version control and effective dates for every policy and form.
  • Centralize records for audits and leadership oversight.
  • Log decisions (e.g., minimum necessary determinations, approvals) to show due diligence.

Establish Complaint Procedures

Accessible intake and fair handling

Set up clear channels for individuals and workforce members to submit privacy complaints or concerns. Outline steps for prompt acknowledgment, impartial investigation, and written resolution, and prohibit intimidation or retaliation for filing a complaint or exercising rights.

Operationalize the process

  • Publish how to submit complaints and the office to contact.
  • Use standardized intake forms and tracking logs.
  • Apply corrective actions and mitigation when violations occur.
  • Analyze trends and share lessons learned with leadership.

Notify Breaches

When notification is required

Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you demonstrate a low probability of compromise using a documented four-factor risk assessment (nature of PHI, recipient, whether PHI was actually viewed/acquired, and mitigation). PHI secured via strong encryption or proper destruction qualifies for safe harbor.

Who to notify and when

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery; use first-class mail or email if the individual agrees.
  • Media: If a breach involves 500 or more residents of a state or jurisdiction.
  • Regulator: Report to the appropriate authority; for incidents under 500 individuals, submit annually; for 500 or more, submit contemporaneously.
  • Business Associates: Must notify the Covered Entity promptly and supply the information needed for notices.

Content of the notice

  • What happened and the date of the breach and discovery.
  • Types of information involved (e.g., diagnoses, account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods for questions (toll-free number, email, address).

Special considerations

  • Substitute notice if contact information is insufficient; include a toll-free number.
  • Document any law enforcement delay requests before postponing notification.
  • Maintain a breach log and incorporate lessons learned into training and safeguards.

By designating strong leadership, codifying policies, training your workforce, enforcing safeguards, and managing vendors and incidents, you can operationalize HIPAA Privacy Rule requirements and demonstrate accountable stewardship of PHI.

FAQs

What entities are covered under the HIPAA Privacy Rule?

Covered Entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. Business Associates are not Covered Entities, but they are contractually and directly obligated to safeguard PHI and to follow key HIPAA provisions.

How must covered entities train their workforce on privacy?

Provide training on your specific privacy policies and procedures to all workforce members upon onboarding and within a reasonable time after material changes. Reinforce with role-based refreshers, document attendance and content, and apply sanctions and remediation when staff fail to comply.

What are the required safeguards under the Privacy Rule?

You must implement appropriate Administrative Safeguards, Technical Safeguards, and Physical Safeguards to prevent impermissible uses or disclosures of PHI. Examples include role-based access and sanctions (administrative), access controls and secure transmission (technical), and secure facilities, workstations, and disposal (physical), coordinated with the Security Rule for ePHI.

How should breaches of health information be reported?

Follow the Breach Notification Rule: notify affected individuals without unreasonable delay and within 60 days of discovery; notify the regulator and, for incidents involving 500 or more individuals in a state or jurisdiction, prominent media. Business Associates must notify the Covered Entity promptly. Document your risk assessment, notices, and any law enforcement delay.
