HIPAA Privacy Rule Requirements: Who Must Comply and Regulated Activities
The HIPAA Privacy Rule establishes national standards for how protected health information (PHI) is used and disclosed. Understanding who must comply and which activities are regulated helps you build covered-entity compliance programs that protect patients and reduce risk.
This guide explains the scope of the rule, the roles of covered entities and business associates, what counts as individually identifiable health information, and the rules governing PHI use and disclosure. It also outlines individual rights, operational requirements, training expectations, breach notification requirements, and Privacy Rule enforcement.
Covered Entities under HIPAA
Covered entities are required to comply with the HIPAA Privacy Rule. They include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. If you fit any of these categories, you must implement policies and controls that align with the Privacy Rule’s regulated activities.
- Health plans: insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans.
- Health care providers: hospitals, physicians, clinics, pharmacies, dentists, labs, and durable medical equipment suppliers, but only when they conduct standard transactions (such as claims or eligibility checks) electronically.
- Health care clearinghouses: entities that translate or process nonstandard health information into standard formats.
Some organizations are hybrid entities that perform both covered and non-covered functions. In that case, you must designate the health care component and ensure PHI does not flow improperly to non-covered components. Organized Health Care Arrangements (OHCAs) may coordinate certain activities while maintaining appropriate boundaries.
Role of Business Associates
Business associates (BAs) are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity. Examples include billing services, cloud hosting providers, EHR vendors, third-party administrators (TPAs), data analytics firms, law firms, and IT support providers. BAs, and their subcontractors, are directly liable for compliance with the HIPAA provisions that apply to them.
Business Associate Agreements (BAAs) must define the permitted uses and disclosures of PHI, require safeguards, require the BA to report breaches of unsecured PHI to the covered entity, flow the same obligations down to subcontractors, and allow termination for cause. As a covered entity, you should evaluate BA security practices before signing, limit the BA's access to the minimum necessary, and monitor performance throughout the engagement lifecycle.
Definition of Protected Health Information
Protected Health Information is Individually Identifiable Health Information created or received by a covered entity or business associate that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care. PHI can exist in any medium—electronic, paper, or oral.
Identifiers that can make data individually identifiable include names, full-face photos, contact details, device identifiers, biometric data, and many others. De-identified data is not PHI if it meets the safe harbor standard (removal of the specified identifiers) or if a qualified expert determines that the risk of re-identification is very small. Employment records held by an entity in its role as employer, and certain education records, are not PHI.
Limited data sets, which exclude direct identifiers but retain some elements like dates and ZIP codes, may be used for research or public health under a data use agreement with defined safeguards.
Permitted Uses and Disclosures of PHI
Treatment, Payment, and Health Care Operations (TPO)
You may use and disclose PHI without an authorization for TPO: coordinating and delivering care, billing and collections, eligibility checks, quality improvement, utilization review, and other operations. Apply the minimum necessary standard to non-treatment functions, granting only the access needed to perform a task.
Required and Authorized Disclosures
- Required: to the individual upon request, and to the Department of Health and Human Services (HHS) when it investigates or reviews compliance.
- Authorized: with a valid, written authorization that is specific, time-bound, and revocable, for uses beyond TPO (for example, certain marketing or research activities).
Public Interest and Benefit Activities
The Privacy Rule permits disclosures in defined situations, each subject to its own conditions:
- Public health reporting.
- Reporting of abuse, neglect, or domestic violence.
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement requests.
- Decedent, organ donation, and coroner purposes.
- Research with an IRB waiver or using a limited data set.
- Averting a serious threat to health or safety.
- Specialized government functions.
- Workers' compensation programs.
Additional Limitations
Marketing communications, sale of PHI, and most fundraising activities are subject to heightened restrictions and, in many cases, individual authorization or opt-out rights. Always verify applicable state laws; more stringent state privacy protections are not preempted by HIPAA.
Individual Rights under the Privacy Rule
Individuals have robust rights you must honor promptly and consistently. These rights shape how you design intake, release-of-information, and customer service workflows.
- Right of access: obtain copies of PHI in designated record sets, including an electronic copy when the PHI is maintained electronically, typically within 30 days (with one 30-day extension) and for a reasonable, cost-based fee.
- Right to request amendment of inaccurate or incomplete PHI, with timely written responses and appropriate addenda when amendments are denied.
- Right to an accounting of disclosures (excluding most TPO disclosures) for a defined look-back period.
- Right to request restrictions on certain uses and disclosures; you must agree to restrict disclosure to a health plan when the individual pays in full out-of-pocket for the item or service.
- Right to request confidential communications (for example, alternative addresses or channels) and to receive a Notice of Privacy Practices explaining PHI Use and Disclosure.
- Right to opt out of fundraising communications and to revoke authorizations prospectively.
- Right to receive timely notices following certain breaches of unsecured PHI under Breach Notification Requirements.
Required Privacy Policies and Procedures
Covered entities and business associates must implement written policies and procedures that operationalize the Privacy Rule. Assign a privacy official, designate a contact person for complaints, and document role-based access standards aligned with minimum necessary.
- Develop, publish, and distribute a Notice of Privacy Practices; maintain and apply sanctions for workforce violations.
- Mitigate harmful effects of improper uses or disclosures and maintain documentation for at least six years.
- Execute and manage BAAs; define verification, authorization, and disclosure workflows with auditable trails.
- Establish a complaint process with non-retaliation guarantees and periodic policy reviews that incorporate applicable state laws.
Privacy Rule Enforcement is led by the HHS Office for Civil Rights, which can investigate complaints, conduct compliance reviews, negotiate corrective action plans, and impose civil monetary penalties. State attorneys general may also bring actions for certain violations.
Training and Safeguards for PHI Protection
The Privacy Rule requires appropriate administrative, physical, and technical safeguards to protect PHI, and workforce training tailored to job duties. While the Security Rule focuses on ePHI, privacy safeguards apply to all formats and should be embedded in everyday operations.
Administrative Safeguards
- Role-based training on minimum necessary, authorization, verification, and incident reporting.
- Access provisioning and deprovisioning, sanctions for violations, and periodic risk assessments.
- Documented procedures for uses, disclosures, and release-of-information; vendor risk management for BA oversight.
Physical and Technical Safeguards
- Facility access controls, workstation security, clean desk and screen protections, and secure disposal of media.
- Access controls, unique user IDs, encryption for data in transit and at rest, audit logging, and intrusion detection.
- Secure messaging, verified identity processes, and approved devices for remote and telehealth workflows.
Incident Response and Breach Notification
Maintain an incident response plan that triages privacy events, performs risk assessments, and documents decisions. For breaches of unsecured PHI, provide notifications to affected individuals, HHS, and, when applicable, the media without unreasonable delay and no later than 60 calendar days after discovery. Keep records of investigations, notifications, and corrective actions.
Penalties and Accountability
Noncompliance can trigger civil monetary penalties tiered by culpability and corrective action efforts. Willful neglect that is not corrected carries higher penalties, and knowing misuse of PHI can lead to criminal penalties. Sustained compliance requires leadership endorsement, continuous training, internal auditing, and measurable remediation.
Conclusion
HIPAA Privacy Rule requirements define who must comply and how PHI may be used or disclosed. By clarifying covered entities and business associates, identifying PHI precisely, honoring individual rights, and implementing policies, training, and safeguards, you reduce risk and strengthen trust. Embed minimum necessary, accountability, and timely breach response into daily operations to sustain compliance.
FAQs
What types of entities are covered by the HIPAA Privacy Rule?
The rule covers health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Hybrid entities must protect the designated health care component, and business associates that handle PHI on behalf of covered entities also have direct compliance obligations through Business Associate Agreements and applicable HIPAA provisions.
How does the Privacy Rule regulate the use and disclosure of PHI?
It permits PHI Use and Disclosure for treatment, payment, and health care operations; requires disclosures to individuals and HHS; allows specified public interest disclosures under conditions; and requires written authorization for uses beyond those bases. The minimum necessary standard applies to most non-treatment uses, and more stringent state privacy laws are not preempted.
What individual rights are protected under the HIPAA Privacy Rule?
Individuals have rights to access and obtain copies of their PHI, request amendments, receive an accounting of disclosures, request restrictions and confidential communications, obtain and understand a Notice of Privacy Practices, opt out of certain communications, revoke authorizations, and receive notifications following qualifying breaches.
What are the consequences of violating the HIPAA Privacy Rule?
Consequences include corrective action plans, civil monetary penalties scaled by the level of noncompliance, and potential criminal penalties for knowingly obtaining or disclosing PHI in violation of the rule. Reputational damage, operational disruption, and heightened oversight can accompany enforcement actions by HHS and state authorities.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.