HIPAA Privacy Rule Requirements: What You Must Do to Comply
The HIPAA Privacy Rule establishes national standards for how you use, disclose, and protect protected health information (PHI). This guide translates core HIPAA Privacy Rule requirements into practical actions so you can comply with confidence and reduce regulatory risk.
Covered Entities and Their Roles
Who is a covered entity?
Covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. If you electronically transmit claims, eligibility inquiries, remittance advice, or similar transactions, you are subject to the Privacy Rule.
Business associates and agreements
Vendors that create, receive, maintain, or transmit PHI on your behalf are business associates. You must execute business associate agreements (BAAs) that define permissible uses and disclosures, safeguard obligations, reporting duties, and flow-down terms to subcontractors.
Core privacy responsibilities
- Publish a Notice of Privacy Practices and honor individual rights.
- Designate a Privacy Official and a contact person to manage privacy operations.
- Limit uses and disclosures to the minimum necessary, except for treatment and other narrow exceptions.
- Train the workforce, apply sanctions for violations, and mitigate harmful effects.
- Maintain HIPAA compliance documentation and monitor business associate performance.
Defining Protected Health Information
What counts as PHI
PHI is individually identifiable health information about an individual’s past, present, or future physical or mental health, the health care provided, or payment for that care, when it identifies the person or could reasonably be used to identify them. PHI can be oral, written, or electronic, and it includes everything in the individual’s “designated record set” (the medical, billing, and other records used to make decisions about that person).
Exclusions and de-identification
De-identified data is not PHI. You may de-identify using expert determination or the safe harbor method that removes specific identifiers (for example, names, full address, and medical record numbers). Limited data sets, when governed by a data use agreement, exclude direct identifiers and support research and public health uses.
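To make the two de-identification paths concrete, here is an added example (not code from this page or its author): a constructed patient record run through a safe harbor strip and through a limited data set filter. It goes beyond the three identifiers named above by applying the safe harbor method's published handling of dates (year only), ZIP codes (first three digits, or 000 for sparsely populated areas) and ages over 89; the small-population ZIP3 set is a placeholder, not the Census-derived list.

```python
import re

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Placeholder Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": "1931-04-07",
    "admit_date": "2023-09-14",
    "age": 92,
    "mrn": "MRN-0001",
    "phone": "555-0100",
    "diagnosis": "J18.9",
}

# Direct identifiers: removed by safe harbor and excluded from a limited data set.
DIRECT_IDENTIFIERS = {"name", "street_address", "mrn", "phone", "email", "ssn",
                      "health_plan_id", "account_number"}
# Placeholder for the Census-derived set of 3-digit ZIP areas with 20,000 or fewer people.
SMALL_POPULATION_ZIP3 = {"036", "059"}

def _year(date_str):
    """Keep only the year of an ISO date; safe harbor permits the year alone."""
    return date_str[:4] if re.fullmatch(r"\d{4}-\d{2}-\d{2}", date_str) else None

def safe_harbor(record):
    """Safe harbor method: drop direct identifiers and city, reduce dates to
    year, truncate ZIP to three digits (000 if small population), cap age at 90+."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            continue  # removed entirely
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = _year(value)
        elif key == "age":
            out[key] = "90+" if value >= 90 else value
        else:
            out[key] = value
    return out

def limited_data_set(record):
    """Limited data set: direct identifiers removed, but dates, city, state and
    full ZIP are kept; releasable only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
```

The limited data set output is still PHI for Privacy Rule purposes, which is why the data use agreement is required; only the safe harbor output is outside the Rule.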
Special considerations
- Education records covered by FERPA and employment records held in an employer capacity are not PHI.
- Psychotherapy notes and marketing/sale of PHI require individual authorization unless a narrow exception applies.
Developing Privacy Policies and Procedures
Notice of Privacy Practices (NPP)
Draft a clear NPP that explains your uses and disclosures, individual rights, your legal duties, and how to file a complaint. Make it available at the first service encounter and on request, and post it prominently in service areas.
Permitted uses and disclosures
Define when you may use or disclose PHI without authorization—primarily for treatment, payment, and health care operations (TPO), public health reporting, health oversight, and as required by law. Document processes for disclosures that require authorization and those that do not.
Minimum necessary standard
Adopt role-based access and procedures that limit PHI to what is reasonably necessary for the task. The standard does not apply to disclosures to a treating provider, to the individual, or when required by law, but it does apply broadly to most other uses and disclosures.
Individual rights
- Access and copies: Provide access within 30 days (with one permissible 30-day extension), in the requested format if readily producible.
- Amendment: Establish a process to accept or deny amendment requests with written rationale.
- Accounting of disclosures: Track non-routine disclosures and provide an accounting upon request.
- Restrictions and confidential communications: Enable reasonable restrictions and alternate contact methods; you must honor a request to restrict disclosures to a health plan when the individual has paid for the service in full out of pocket.
Governance and enforcement
Include complaint handling, non-retaliation, sanctions for violations, and processes to mitigate any impermissible use or disclosure. Review and update policies whenever operations or law change.
Appointing Privacy Personnel
Privacy Official and contact person
Designate a Privacy Official to develop, implement, and oversee your privacy program. Name a contact person or office to receive complaints and provide information about privacy practices; these roles may be combined in smaller organizations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Responsibilities and authority
- Lead risk-based program design and approve PHI uses and disclosures outside routine workflows.
- Coordinate with security, compliance, legal, and clinical operations to align obligations.
- Report to leadership on incidents, trends, and corrective actions.
Conducting Workforce Training
Scope and frequency
Provide workforce privacy training to all workforce members “as necessary and appropriate” for their roles. Train new hires promptly, retrain when policies materially change, and refresh at regular intervals to reinforce requirements and culture.
Curriculum and evidence
- Curriculum: privacy principles, minimum necessary, individual rights, authorization rules, reporting obligations, and incident response.
- Evidence: attendance logs, assessments, training materials, and acknowledgments maintained as part of HIPAA compliance documentation.
- Accountability: apply graduated sanctions when staff violate policies and document remediation.
Implementing Safeguards for PHI
Administrative PHI safeguards
- Role-based access, workforce clearance, and identity verification before disclosure.
- Policies for secure sharing, faxing, mailing, and disposing of PHI.
- Vendor due diligence and BAA oversight for third parties handling PHI.
Physical and technical PHI safeguards
- Physical: locked storage, clean desk practices, privacy screens, controlled workspaces, and secure shredding.
- Technical: strong authentication, audit logs, encryption in transit and at rest for ePHI, and secure transmission channels.
Data minimization and alternatives
Use de-identified data or a limited data set whenever feasible to reduce privacy risk. Apply minimum necessary standards to disclosures and implement routine and non-routine disclosure workflows with clear approvals.
Maintaining Documentation and Breach Notification
HIPAA compliance documentation
Maintain written policies, procedures, NPPs, BAAs, training records, sanctions, complaints, mitigation steps, and disclosure logs. Retain documentation for at least six years from creation or last effective date, whichever is later.
Breach Notification Rule essentials
- Presumption: An impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability of compromise.
- Assessment factors: the PHI’s nature and sensitivity, who received it, whether it was actually acquired or viewed, and the extent of mitigation.
- Individual notice: without unreasonable delay and no later than 60 calendar days after discovery; written notice with required content.
- Regulatory/media notice: notify HHS; if 500+ individuals in a state or jurisdiction are affected, also notify prominent media. For fewer than 500, report to HHS annually.
- Business associates: must notify the covered entity without unreasonable delay and no later than 60 days, providing details and affected individuals.
Incident response in practice
- Contain, investigate, and document the incident; perform the four-factor risk assessment.
- Decide on breach status, issue timely notifications, and implement corrective actions.
- Update policies, retrain staff, and strengthen controls to prevent recurrence.
Privacy enforcement penalties
OCR enforces the Privacy Rule through investigations, voluntary corrective action plans, resolution agreements, and civil monetary penalties. Penalties are tiered by culpability, escalate for willful neglect not corrected, and are adjusted annually for inflation.
Summary
To meet HIPAA Privacy Rule requirements, identify your covered entity and business associate roles, define and control PHI, implement clear policies, appoint accountable privacy leadership, deliver targeted training, apply robust PHI safeguards, and maintain thorough documentation with a disciplined breach response.
FAQs
What entities are covered under the HIPAA Privacy Rule?
Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Business associates—vendors that handle PHI for these entities—are contractually and directly obligated for many Privacy Rule requirements through BAAs and applicable law.
How should organizations safeguard protected health information?
Implement administrative, physical, and technical PHI safeguards that match your risks. Use role-based access, minimum necessary, identity verification, secure transmission and storage (including encryption), workstation and facility controls, and proper disposal. Prefer de-identified data or limited data sets when possible.
What are the training requirements for the workforce under HIPAA?
You must provide role-based workforce privacy training to all workforce members, train new staff promptly, and retrain when policies materially change. Keep evidence of attendance and materials, assess understanding, and apply sanctions when staff fail to follow policies.
When must a breach be reported under HIPAA Privacy Rule?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, and notify HHS as required. If 500 or more individuals in a state or jurisdiction are affected, also notify prominent media; smaller incidents are reported to HHS annually. Business associates must notify the covered entity within 60 days.