HIPAA Privacy Rule Requirements: What It Recognizes, Requires, and Prohibits
Recognized Protected Health Information
The HIPAA Privacy Rule recognizes Protected Health Information (PHI) as individually identifiable health information created or received by Covered Entities and their business associates. PHI can be in any form—paper, electronic, or oral—and links a person to past, present, or future health status, care, or payment for care.
Identifiers that make health information “individually identifiable” include, for example, names, addresses, full-face photos, contact details, Social Security and medical record numbers, device and account identifiers, biometric data, and precise dates or locations. If information cannot reasonably identify an individual, it is not PHI.
De-identified data falls outside the Rule when either an expert determines the re-identification risk is very small or when the “safe harbor” method removes specified identifiers. A limited data set—where certain identifiers remain—is still PHI but may be used for research, public health, or health care operations under a data use agreement.
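The paragraph above describes two de-identification paths: the safe-harbor method, which removes specified identifiers, and the limited data set, which keeps dates and partial geography but drops direct identifiers. The following Python is an added example, not code from the original article or from any vendor: it applies both paths to a constructed patient record and then checks whether any direct identifiers survived, including SSN-shaped strings hiding in free text. The field names, the sample record, and the list of low-population ZIP prefixes are assumptions made for this example; the generalization rules (year-only dates, ages over 89 reported as "90+", three-digit ZIP prefixes) follow the safe-harbor method as I understand it, not text from the page.

```python
"""Safe-harbor de-identification and limited-data-set construction (added example)."""
import re
from datetime import date

# Direct identifiers that safe harbor removes outright. Field names are this
# example's own; the categories mirror the identifiers the article lists.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn", "mrn", "account_number",
    "device_serial", "full_face_photo", "biometric_id", "url", "ip_address",
}

# Date fields tied to the individual: a limited data set may keep them,
# safe harbor reduces them to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Constructed stand-in for the census-derived list of three-digit ZIP prefixes
# covering 20,000 people or fewer; safe harbor reports these as "000".
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def generalize_age(birth_date: date, as_of: date):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age > 89 else age


def generalize_zip(zip_code: str) -> str:
    """Keep only the three-digit prefix, or '000' for low-population areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def safe_harbor(record: dict, as_of: date) -> dict:
    """Remove direct identifiers and generalize dates, age and geography."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue  # direct identifiers and sub-state geography are dropped
        if field in DATE_FIELDS:
            out[field + "_year"] = value.year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        else:
            out[field] = value
    if "birth_date" in record:
        out["age"] = generalize_age(record["birth_date"], as_of)
        if out["age"] == "90+":
            # Any date element indicating an age over 89, including the birth
            # year, must go as well.
            out.pop("birth_date_year", None)
    return out


def limited_data_set(record: dict) -> dict:
    """Limited data set: drop direct identifiers, keep dates, city, state, ZIP."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(record: dict) -> set:
    """Check step: which fields still carry a direct identifier?"""
    found = {k for k in record if k in DIRECT_IDENTIFIERS}
    for field, value in record.items():
        # Structured stripping does not reach free text; scan it separately.
        if isinstance(value, str) and SSN_PATTERN.search(value):
            found.add(field)
    return found


# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": date(1931, 3, 15),
    "admission_date": date(2024, 2, 1),
    "diagnosis_code": "I10",
    "intake_notes": "Verified SSN 123-45-6789 against the paper intake form.",
}
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    deid = safe_harbor(SAMPLE_RECORD, AS_OF)
    print("safe harbor:", deid)
    print("residual identifiers:", residual_identifiers(deid))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

The point of `residual_identifiers` is the last step a practitioner actually needs: stripping structured fields is easy, but the intake note still carries the SSN, so the record is not de-identified until free text is reviewed or scrubbed.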
Some PHI receives heightened protections. Psychotherapy notes, for instance, generally require a patient’s Authorization for Disclosure. Genetic information is treated as PHI, and its use for certain underwriting purposes by health plans is prohibited.
Required Safeguards and Privacy Policies
You must implement reasonable administrative, physical, and technical safeguards to protect PHI from impermissible uses or disclosures. While the Security Rule details ePHI controls, the Privacy Rule still requires safeguards that fit your size, complexity, and risks.
Administrative, physical, and technical safeguards
- Administrative: workforce training, role-based access, sanction policies, risk-aware procedures, and incident response to mitigate harmful effects of improper uses or disclosures.
- Physical: facility controls, workstation security, and secure disposal of paper and media that contain PHI.
- Technical: access controls, authentication, transmission protections, and audit awareness for systems that handle PHI.
Core privacy policies you must maintain
- Privacy Official Designation and a contact person responsible for receiving complaints and providing information about privacy practices.
- Notice of Privacy Practices that clearly explains how you use and disclose PHI, your duties, and how individuals can exercise their rights; you must provide it at the first service encounter and make it readily available thereafter.
- Minimum Necessary Standard policies that limit uses, disclosures, and requests for PHI to the least amount needed to accomplish the purpose, with role-based access and standardized request procedures.
- Business associate oversight through written agreements that bind vendors to HIPAA-compliant uses, disclosures, and safeguards.
- Documentation, retention, and review: keep your policies, procedures, amendments, and required communications for at least six years from their last effective date and review them periodically.
Permitted Uses and Disclosures of PHI
HIPAA permits certain uses and disclosures without an Authorization for Disclosure and requires an authorization for most others that are not part of routine care or operations. Always apply the Minimum Necessary Standard unless an exception applies.
Without individual authorization
- Treatment, payment, and health care operations (TPO), including care coordination, billing, and quality improvement.
- To the individual, to HHS for compliance, and when required by law or court order.
- Public interest and benefit activities: public health reporting, health oversight, judicial and administrative proceedings, certain law enforcement purposes, to avert a serious threat, for specialized government functions, workers’ compensation, and for decedents as permitted.
- For research under an IRB/Privacy Board waiver, as a limited data set with a data use agreement, or for activities preparatory to research.
- Incidental disclosures that occur despite reasonable safeguards and minimum necessary policies.
- Disclosures to family, friends, or caregivers involved in care or payment when the patient agrees or you can reasonably infer permission, or based on professional judgment if the patient is incapacitated.
With individual authorization
- Most non-TPO purposes require a valid Authorization for Disclosure that is specific, time-bound, and revocable.
- Marketing communications, sale of PHI, and most uses of psychotherapy notes require explicit authorization and are otherwise prohibited.
How the Minimum Necessary Standard applies
- Applies to most uses, disclosures, and requests for PHI—limit to what is needed to achieve the purpose.
- Does not apply to disclosures to or requests by a health care provider for treatment, to the individual, to HHS for enforcement, or where another law requires the disclosure, and generally not to uses/disclosures made pursuant to an authorization.
Individual Rights and Requests
The Privacy Rule grants individuals actionable rights. You must have clear, timely processes to respond and document outcomes.
Access, copies, and format
- Individuals have the right to access and obtain a copy of their PHI, including an electronic copy when you maintain it electronically. Requests should be fulfilled promptly, generally within 30 days, with limited extensions allowed.
- Reasonable, cost-based fees may cover labor, supplies, and postage; avoid per-page fees for electronic copies.
Amendments and corrections
- Individuals can request amendments to PHI in your designated record set. If you deny a request, provide a written reason and allow a statement of disagreement to be added to the record.
Restrictions and confidential communications
- Individuals can request restrictions on uses and disclosures. You must agree to a restriction on disclosures to a health plan for payment or operations when the individual pays in full out of pocket for the relevant item or service.
- Honor reasonable requests to receive communications by alternative means or at alternative locations to enhance privacy.
Accounting of Disclosures
- Upon request, provide an Accounting of Disclosures for certain non-routine disclosures, generally covering the prior six years and excluding TPO and other specified categories.
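The bullet above states the shape of an accounting: non-routine disclosures over the prior six years, with TPO and other specified categories excluded. The Python below is an added example, not code from the original article, that builds such an accounting from a constructed disclosure log. The log entries and the recipient names are made up; the set of exempt purposes follows the Rule's accounting exceptions as this example understands them, and the four output elements (date, recipient, description, purpose) are the ones an accounting is expected to carry.

```python
"""Producing an Accounting of Disclosures from a disclosure log (added example)."""
from dataclasses import dataclass
from datetime import date

# Purposes the Rule excludes from the accounting requirement.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",            # TPO
    "to_individual",                                  # to the individual
    "authorization",                                  # pursuant to a signed authorization
    "incidental",                                     # incidental to a permitted use
    "persons_involved_in_care", "facility_directory",
    "national_security", "correctional_institution",
    "limited_data_set",
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    description: str  # what PHI was disclosed


def six_years_before(d: date) -> date:
    """Start of the default look-back window; handles Feb 29 safely."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:
        return d.replace(year=d.year - 6, day=28)


def accounting_of_disclosures(log, patient_id, request_date, since=None):
    """Return the accountable disclosures for one patient, oldest first.

    `since` lets the individual ask for a shorter period; it can never
    extend the window beyond six years before the request.
    """
    start = six_years_before(request_date)
    if since is not None and since > start:
        start = since
    return sorted(
        (e for e in log
         if e.patient_id == patient_id
         and start <= e.disclosed_on <= request_date
         and e.purpose not in EXEMPT_PURPOSES),
        key=lambda e: e.disclosed_on,
    )


def to_accounting_rows(entries):
    """Render entries with the elements an accounting must state."""
    return [
        {
            "date": e.disclosed_on.isoformat(),
            "recipient": e.recipient,
            "description": e.description,
            "purpose": e.purpose,
        }
        for e in entries
    ]


# Constructed sample log; none of these entries are real.
SAMPLE_LOG = [
    Disclosure("P-001", date(2018, 5, 30), "County Sheriff", "law_enforcement",
               "admission record"),                      # older than six years
    Disclosure("P-001", date(2021, 3, 10), "State Health Dept", "public_health",
               "lab result, reportable condition"),      # accountable
    Disclosure("P-001", date(2022, 8, 4), "Example Health Plan", "payment",
               "claim for 2022-07 visit"),               # TPO, exempt
    Disclosure("P-001", date(2023, 11, 2), "Circuit Court", "court_order",
               "discharge summary"),                     # accountable
    Disclosure("P-002", date(2023, 1, 9), "State Health Dept", "public_health",
               "immunization record"),                   # different patient
]

if __name__ == "__main__":
    rows = to_accounting_rows(
        accounting_of_disclosures(SAMPLE_LOG, "P-001", date(2024, 6, 1)))
    for row in rows:
        print(row)
```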
Notice of Privacy Practices
- Give each individual your Notice of Privacy Practices, explain rights and complaint processes, and post the notice prominently at service sites and online when applicable.
Enforcement and Compliance Measures
The HHS Office for Civil Rights (OCR) enforces the Privacy Rule. You should anticipate oversight and be prepared to demonstrate compliance.
Investigations, audits, and corrective action
- OCR investigates complaints and breach reports and conducts targeted audits. You may need to provide policies, training records, risk assessments, and logs.
- When violations occur, OCR may require corrective action plans, monitoring, and reporting to verify sustained compliance.
Penalties and liability
- Civil penalties are tiered based on the level of culpability, with annual caps. Willful neglect that is not corrected carries the highest penalties.
- Criminal penalties can apply for knowingly obtaining or disclosing PHI in violation of HIPAA, with potential fines and imprisonment.
- Retaliation against individuals for exercising their rights or filing complaints is prohibited.
Breach notification and mitigation
- If unsecured PHI is breached, notify affected individuals and, when thresholds are met, HHS and the media. Implement mitigation steps to reduce harm and prevent recurrences.
Limitations and Exemptions from the Rule
HIPAA sets a national floor for privacy, but it does not reach every entity or every type of information. Understanding the limits prevents over- or under-applying the Rule.
Who is not covered
- HIPAA applies to Covered Entities—health plans, most health care providers who conduct standard transactions, and health care clearinghouses—and their business associates. Many entities, such as life insurers, employers acting in their employer role, and many consumer health apps operating independently of Covered Entities, are not covered.
- Schools and educational institutions are generally governed by FERPA for student records rather than HIPAA.
What information is not PHI
- De-identified data and aggregated statistics are not PHI.
- Employment records held by a covered entity in its role as employer and educational records under FERPA are not PHI.
- PHI of a decedent remains protected for 50 years after death, after which it is no longer PHI.
Preemption and stricter state laws
- HIPAA preempts contrary state laws, but states may impose stricter protections. When state law is more protective, you must follow the stricter rule.
Additional prohibitions and conditions
- Sale of PHI without authorization is prohibited, with narrow exceptions.
- Marketing typically requires authorization, except for limited communications (for example, face-to-face conversations or nominal promotional gifts).
- Certain uses of genetic information for underwriting by health plans are prohibited.
Conclusion
In practice, HIPAA Privacy Rule requirements center on recognizing what counts as PHI, limiting its use via the Minimum Necessary Standard, implementing robust safeguards and policies, honoring individual rights, and understanding where the Rule permits, requires, or prohibits disclosures. By embedding these expectations into daily workflows, you reduce risk, support trust, and meet your compliance obligations.
FAQs
What information does the HIPAA Privacy Rule protect?
The Rule protects Protected Health Information (PHI)—any information that identifies an individual and relates to health status, care provided, or payment. It covers paper, electronic, and oral forms maintained or transmitted by Covered Entities and their business associates. De-identified data and certain non-health records (like employment files) are not PHI.
How must covered entities safeguard PHI?
You must implement reasonable administrative, physical, and technical safeguards; designate a privacy official; train your workforce; apply the Minimum Necessary Standard; manage business associate agreements; and keep required documentation. Your Notice of Privacy Practices and procedures must be current, followed, and retained for the required period.
What are the permitted disclosures without authorization?
Disclosures for treatment, payment, and health care operations; to the individual; to HHS; when required by law; for specified public interest purposes; certain research pathways; and incidental disclosures with safeguards are permitted. Most other uses require a valid Authorization for Disclosure.
How can individuals exercise their privacy rights under HIPAA?
Individuals can request access to and copies of PHI (including electronic copies), ask for amendments, request restrictions and confidential communications, receive a Notice of Privacy Practices, and obtain an Accounting of Disclosures. You must provide clear processes, respond within required time frames, and document outcomes.