HIPAA Privacy Rule Requirements: Who Is Covered, With Examples and Risks

Kevin Henry

HIPAA

May 10, 2024

8 minute read

The HIPAA Privacy Rule sets national standards for how health information is used and shared. It protects Protected Health Information (PHI)—any individually identifiable health data held or transmitted by covered entities or their business associates. This guide explains who is covered, what uses and disclosures are allowed, and the real-world risks you should manage.

Throughout, you’ll see practical examples, common pitfalls, and steps to strengthen your privacy policies, workforce training, and technical safeguards so you can meet requirements confidently.

Covered Entities

Who is a covered entity

Covered entities include: (1) health care providers that transmit health information electronically in connection with standard transactions (e.g., claims), (2) health plans (insurers, HMOs, employer group health plans), and (3) health care clearinghouses that process nonstandard data into standard formats. If you operate in multiple lines of business, you may be a hybrid entity and must clearly designate your covered health care components.

Examples

  • Providers: hospitals, clinics, physicians, dentists, therapists, pharmacists, telehealth providers.
  • Health plans: commercial insurers, self-funded employer plans, Medicare Advantage plans.
  • Clearinghouses: billing services and EDI gateways that translate data between systems.

Risks and boundary cases

  • Assuming “small providers” are exempt—if you bill electronically, you are likely covered.
  • Employers, life insurers, and many schools are not covered entities when acting in their non-health-plan roles; mixing functions without separation risks impermissible disclosures.
  • Hybrid entities that fail to segregate non-covered components can accidentally expose PHI beyond permitted uses.

Business Associates

Definition and obligations

A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Common examples include EHR and cloud providers, billing and coding services, consultants, data analytics firms, transcription services, and secure messaging platforms. You must have a Business Associate Agreement (BAA) that limits uses, requires safeguards, and mandates breach notification.

Examples and risks

  • Using file-sharing or email services without a BAA can turn a routine workflow into a reportable breach.
  • Marketing or analytics vendors that track users on patient portals may receive PHI; vet them as business associates and document permitted disclosures.
  • End-to-end responsibilities persist: you must perform vendor due diligence, monitor performance, and terminate access when contracts end.

Permitted Uses and Disclosures

Treatment, payment, and health care operations (TPO)

You may use and disclose PHI without patient authorization for treatment (care coordination, referrals), payment (claims, eligibility checks), and health care operations (quality improvement, auditing). Example: sharing medication history with a specialist for continuity of care is permitted.

With patient authorization

Any use or disclosure outside TPO and specific allowances generally requires a valid, written authorization describing what will be disclosed, to whom, and for what purpose. Individuals may revoke authorizations in writing.

Public interest and other allowances

  • Required by law, public health reporting, health oversight activities, certain law enforcement requests, and specialized government functions.
  • To avert a serious threat to health or safety, consistent with applicable standards.
  • Disclosures to family or friends involved in care when the individual agrees or does not object, or when professional judgment supports it.
  • Workers’ compensation programs as authorized by law.

De-identified data and limited data sets

De-identified data (via expert determination or removal of specified identifiers) is not PHI. A limited data set removes direct identifiers and may be disclosed for research, public health, or operations under a Data Use Agreement.
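The three data classes this section distinguishes (PHI, a limited data set, and de-identified data) are easiest to see as transformations of one record. The following is an added example, not code from the original article or from Accountable; the identifier categories it uses are an illustrative subset chosen for the demo rather than the regulation's full enumeration, the reduction rules in `to_deidentified` are stated assumptions of this example, and the sample record is constructed.

```python
"""Illustrative handling of PHI, a limited data set, and de-identified data.

Added example, not from the original article. The identifier categories
below are an illustrative subset, not the regulation's full enumeration;
the sample record is constructed (fictional patient).
"""
from datetime import date

# Direct identifiers a limited data set must remove (illustrative subset).
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email", "ssn", "mrn"}

# Elements a limited data set may retain but de-identification also treats
# in this demo: dates tied to the individual and fine-grained geography.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
FINE_GEOGRAPHY = {"city", "zip"}

# Purposes for which a limited data set may be disclosed under a DUA.
LDS_PURPOSES = {"research", "public_health", "health_care_operations"}


def to_limited_data_set(record: dict) -> dict:
    """Strip direct identifiers; dates, city/ZIP, state and age are retained."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def to_deidentified(record: dict) -> dict:
    """Safe-harbor style reduction (assumed rules for this demo): direct
    identifiers removed, dates reduced to year, city/ZIP dropped, ages of
    90 and over collapsed into one bucket."""
    out = to_limited_data_set(record)
    for field in DATE_FIELDS:
        if isinstance(out.get(field), date):
            out[field] = out[field].year
    for field in FINE_GEOGRAPHY:
        out.pop(field, None)
    if isinstance(out.get("age"), int) and out["age"] >= 90:
        out["age"] = "90+"
    return out


def release_limited_data_set(records, purpose: str, dua_signed: bool) -> list:
    """Gate a limited-data-set disclosure on purpose and an executed DUA."""
    if purpose not in LDS_PURPOSES:
        raise PermissionError(f"limited data set not permitted for purpose {purpose!r}")
    if not dua_signed:
        raise PermissionError("no executed Data Use Agreement on file")
    return [to_limited_data_set(r) for r in records]


# Constructed sample record (fictional patient, placeholder values).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Sample St",
    "city": "Springfield",
    "state": "MA",
    "zip": "01101",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "date_of_birth": date(1931, 6, 2),
    "admission_date": date(2024, 3, 14),
    "age": 92,
    "diagnosis_codes": ["E11.9"],
}

if __name__ == "__main__":
    print("limited data set:", to_limited_data_set(SAMPLE_RECORD))
    print("de-identified:   ", to_deidentified(SAMPLE_RECORD))
```

The point the code makes is that a limited data set is still PHI: it keeps dates and ZIP codes, so `release_limited_data_set` refuses to hand it out without a permitted purpose and a signed DUA, while the de-identified output can leave the covered entity without those conditions.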

Common risks

  • Overbroad responses to subpoenas—verify authority, scope, and protective measures before disclosing PHI.
  • Confusing “required by law” with “permitted”—when optional, apply the minimum necessary standard.
  • Relying on verbal permissions without documenting the individual’s agreement or opportunity to object.

Minimum Necessary Standard

What it requires

When using, disclosing, or requesting PHI, you must limit it to the minimum necessary to accomplish the purpose. Role-based access, standardized request forms, and data segmentation help operationalize this rule.

Key exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to the individual or pursuant to a valid authorization.
  • Uses or disclosures required by law.

Practical controls

  • Implement technical safeguards such as access controls, audit logs, and automatic session timeouts.
  • Adopt policies specifying typical “minimum necessary” elements for recurring tasks (e.g., claims review).
  • Regularly review user access to ensure privileges match job duties.
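Role-based access, standardized task definitions, audit logging, and periodic access review, as the section describes them, fit together as one small control. The following is an added example and not code from the original article or from Accountable; the task/field policy, the role names, and the sample record are constructed for the demo, and the "treatment" branch implements the provider-for-treatment exception listed under Key exceptions.

```python
"""Role-based, minimum-necessary PHI access with an audit trail.

Added example, not from the original article. The policy tables, roles and
the sample record are constructed; a real policy is derived from the
organization's own workflows.
"""
from datetime import datetime, timezone

# Minimum-necessary data elements for recurring tasks (constructed policy).
MINIMUM_NECESSARY = {
    "claims_review": {"mrn", "service_date", "procedure_codes",
                      "diagnosis_codes", "billed_amount"},
    "appointment_scheduling": {"mrn", "name", "phone", "preferred_contact"},
}

# Tasks each role may perform (constructed). "treatment" is the provider
# exception: the minimum necessary standard does not apply to it.
ROLE_TASKS = {
    "billing_clerk": {"claims_review"},
    "front_desk": {"appointment_scheduling"},
    "treating_clinician": {"treatment"},
}

AUDIT_LOG = []


def _audit(user, role, task, outcome, fields):
    """Append one audit record; both granted and denied attempts are kept."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "task": task,
        "outcome": outcome, "fields": sorted(fields),
    })


def access_phi(user: str, role: str, task: str, record: dict) -> dict:
    """Return only the elements the task needs; every attempt is logged."""
    if task not in ROLE_TASKS.get(role, set()):
        _audit(user, role, task, "denied", [])
        raise PermissionError(f"role {role!r} may not perform task {task!r}")
    if task == "treatment":
        permitted = set(record)          # treatment exception: full record
    else:
        permitted = MINIMUM_NECESSARY[task] & set(record)
    released = {k: record[k] for k in permitted}
    _audit(user, role, task, "released", released)
    return released


def find_privilege_drift(assigned_roles: dict, hr_roles: dict) -> dict:
    """Periodic access review: users whose system role no longer matches the
    role HR records for their job duties, or who have no HR record at all."""
    return {
        user: (role, hr_roles.get(user))
        for user, role in assigned_roles.items()
        if hr_roles.get(user) != role
    }


# Constructed sample record (fictional patient, placeholder values).
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "name": "Jane Example", "phone": "555-0100",
    "preferred_contact": "phone", "service_date": "2024-03-14",
    "procedure_codes": ["99213"], "diagnosis_codes": ["E11.9"],
    "billed_amount": 145.00, "clinical_notes": "constructed note text",
}

if __name__ == "__main__":
    print(access_phi("clerk01", "billing_clerk", "claims_review", SAMPLE_RECORD))
    print(find_privilege_drift({"clerk01": "billing_clerk", "temp02": "front_desk"},
                               {"clerk01": "billing_clerk"}))
```

Filtering happens on the server side at the point of release, not in the client display, so a billing clerk never receives the clinical notes at all; the audit entry records which fields left the system, which is what an OCR investigation or an internal snooping review needs.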

Individual Rights

Right of access

Individuals can inspect or obtain copies of their PHI in the requested form and format if readily producible. You may charge only a reasonable, cost-based fee for copies and must respond within required timeframes.

Right to request amendment

Individuals may request corrections to their PHI. If you deny a request (e.g., because information is accurate and complete), document the rationale and allow a statement of disagreement to be added to the record.

Right to request restrictions

Individuals may request restrictions on certain uses or disclosures. If an individual pays a provider in full out of pocket, the provider must honor a requested restriction on disclosure to a health plan for that service, unless disclosure is otherwise required by law.

Confidential communications

Individuals can request that you communicate with them by alternative means or at alternative locations (for example, a different mailing address or secure email). You must accommodate reasonable requests to protect privacy.

Notice of Privacy Practices and complaints

You must provide a clear Notice of Privacy Practices describing uses and disclosures, individual rights, and how to file a complaint. Maintain accessible channels for questions and complaints and document your responses.

Administrative Requirements

Governance and documentation

Designate a privacy official, adopt and maintain privacy policies, and keep required documentation for at least six years. Establish a sanctions policy and document workforce training and disciplinary actions as needed.

Workforce training and awareness

Conduct initial and periodic workforce training tailored to job roles. Reinforce minimum necessary practices, secure messaging, and incident reporting so staff can recognize and escalate issues quickly.

Safeguards and security

Apply administrative, physical, and technical safeguards to protect PHI. Technical safeguards—such as encryption, unique user IDs, multi-factor authentication, and audit controls—reduce breach risks and demonstrate due diligence.

Business associate management

Inventory vendors, execute BAAs before sharing PHI, review security practices, and terminate access at contract end. Keep an updated vendor risk register and test incident response with key partners.

Breach notification readiness

Develop an incident response plan that includes risk assessment, mitigation, timely notifications to affected individuals and regulators, and documentation of decisions. Test your plan with tabletop exercises.

Enforcement and Penalties

How enforcement works

The HHS Office for Civil Rights (OCR) investigates complaints and breach reports, conducts compliance reviews, and can require corrective action plans and ongoing monitoring. State attorneys general may also bring actions under HIPAA.

Civil monetary penalties

Civil monetary penalties are tiered based on culpability (from reasonable cause to willful neglect), assessed per violation, and may include settlement agreements with corrective action. Factors include the nature and extent of the violation, the number of individuals affected, and mitigation efforts.

Criminal penalties

Knowingly obtaining or disclosing PHI in violation of HIPAA can result in criminal penalties. Penalties increase for false pretenses and for offenses committed for personal gain, malicious harm, or commercial advantage, with potential imprisonment.

Examples and risk scenarios

  • Lost or stolen unencrypted devices containing PHI.
  • Unauthorized “snooping” into records of coworkers, family members, or public figures.
  • Misdirected emails or faxes that include unnecessary identifiers.
  • Using a cloud service or marketing tracker without a BAA or proper configuration.
  • Over-disclosing PHI in response to subpoenas without verifying scope and safeguards.

Conclusion

HIPAA compliance hinges on knowing who is covered, limiting uses and disclosures, honoring individual rights, and operationalizing safeguards through solid privacy policies, workforce training, and technical controls. Treat common risks as preventable: define processes, document decisions, and test your response before incidents happen.

FAQs

Who Are Considered Covered Entities Under HIPAA?

Covered entities include health care providers that transmit health information electronically in standard transactions, health plans (such as insurers and employer group health plans), and health care clearinghouses that convert data between nonstandard and standard formats. Some organizations are hybrid entities and must separate covered health care components from non-covered functions.

What Role Do Business Associates Play in HIPAA Compliance?

Business associates perform services for covered entities that involve PHI. They must sign Business Associate Agreements, use PHI only as permitted, implement safeguards, and report breaches. Covered entities must vet and monitor these vendors to ensure ongoing compliance.

What Are the Consequences of Violating the HIPAA Privacy Rule?

Consequences range from corrective action plans and oversight to civil monetary penalties that scale with culpability, plus potential criminal penalties for intentional misuse of PHI. Organizations may also face reputational damage, contract termination, and costly remediation efforts.

How Can Individuals Exercise Their Rights Under HIPAA?

Individuals can request access to their PHI, ask for amendments, seek an accounting of certain disclosures, request restrictions in defined situations, and ask for confidential communications (such as using a different address or email). They also receive a Notice of Privacy Practices and can file complaints with the organization or regulators if they believe their rights were violated.
