HIPAA Privacy Rule: Scope, Requirements, and Who Must Comply
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule establishes a national baseline for how health information is used and disclosed, and who must protect it. It governs “protected health information (PHI)” in any form—paper, verbal, or electronic—setting expectations for privacy safeguards and individual rights while permitting essential information flows for care and operations.
At its core, the Rule balances access and protection: you may use and share PHI for treatment, payment, and health care operations, and for specific public-interest purposes, but you must apply the minimum necessary standard, limit who sees what, and document why. The Privacy Rule works alongside the Security Rule (which protects ePHI) and the Breach Notification Rule, forming a unified privacy and security framework enforced by the Office for Civil Rights (OCR).
Covered Entities Defined
Covered entities are the organizations directly regulated by the HIPAA Privacy Rule. They include:
- Health plans: group and individual plans, employer-sponsored plans, insurers, HMOs, Medicare, Medicaid, and certain government programs.
- Health care clearinghouses: entities that process nonstandard health information into standard transaction formats or vice versa.
- Health care providers: any provider who transmits health information electronically in connection with standard transactions (for example, claims or eligibility checks).
Some organizations are “hybrid entities,” where only identified health care components are subject to HIPAA. Covered entities must identify their workforce, establish role-based access, train personnel, and designate a privacy official to oversee compliance with the Privacy Rule.
Business Associates Obligations
Business associates are vendors or partners who create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate. Examples include cloud service providers, billing companies, EHR vendors, data analytics firms, and certain consultants.
Business associates must sign business associate agreements (BAAs) that specify permitted uses and disclosures, require privacy safeguards, and incorporate the minimum necessary standard. They are directly liable under HIPAA for impermissible uses or disclosures, failure to implement required safeguards, and failure to report breaches. Their core obligations include:
- Implement administrative, physical, and technical safeguards appropriate to the services provided.
- Use and disclose PHI only as allowed by the BAA or the Privacy Rule, and flow down requirements to subcontractors.
- Maintain policies, workforce training, and documentation; promptly report security incidents and breaches to the covered entity.
Protected Health Information Characteristics
What counts as PHI
Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate. It relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, and identifies the individual or could reasonably be used to identify them.
What is not PHI
- De-identified data (either via expert determination or by removing the specified identifiers under the safe harbor method).
- Education records covered by FERPA and employment records held by a covered entity in its role as employer.
- Information about a person deceased for more than 50 years.
Limited data sets and identifiers
A limited data set excludes direct identifiers but may include certain dates and geographic data; it can be used for research, public health, and health care operations with a data use agreement. Always apply the minimum necessary standard when using or disclosing PHI outside of treatment.
Permitted Uses and Disclosures
Treatment, payment, and health care operations (TPO)
You may use and disclose PHI without authorization for treatment (including coordination among providers), payment (billing and reimbursement), and health care operations (quality improvement, audits, credentialing). The minimum necessary standard does not apply to disclosures for treatment, but it does apply to most other uses and disclosures.
With individual authorization
When a use or disclosure is not otherwise permitted, you must obtain a valid written authorization that clearly describes the information, purpose, recipients, expiration, and the individual’s right to revoke. Marketing, most sales of PHI, and many research uses require authorization.
Opportunity to agree or object
For certain routine disclosures—such as facility directories or sharing with family and friends involved in care—you must provide the individual an opportunity to agree, object, or restrict.
Public interest and benefit activities
- As required by law.
- Public health activities (e.g., reporting certain diseases, adverse events).
- Victims of abuse, neglect, or domestic violence, when conditions are met.
- Health oversight activities and audits.
- Judicial and administrative proceedings (with appropriate process).
- Law enforcement purposes.
- Decedents: disclosures to coroners, medical examiners, and funeral directors.
- Organ, eye, or tissue donation.
- Research under an IRB/Privacy Board waiver, limited data set, or with authorization.
- To avert a serious threat to health or safety.
- Specialized government functions (e.g., military, national security, correctional institutions).
- Workers’ compensation as permitted by state law.
Required disclosures
You must disclose PHI to the individual (or personal representative) upon request and to the Office for Civil Rights (OCR) when it investigates or reviews compliance.
Individual Rights Under HIPAA
- Right of access: obtain copies of PHI in a designated record set in the requested form and format if readily producible, including electronic copies of ePHI; reasonable, cost-based fees only.
- Right to request restrictions: ask to limit certain uses or disclosures; you must honor a request to restrict disclosures to a health plan for services paid in full out of pocket, if feasible.
- Right to amend: request corrections to PHI in the designated record set; provide written denials with the right to submit a statement of disagreement if you decline.
- Right to an accounting of disclosures: receive a record of certain non-TPO disclosures over a defined period.
- Right to request confidential communications: receive communications at an alternative address or by alternative means.
- Right to notice: receive a clear Notice of Privacy Practices explaining how you use PHI and the individual’s rights.
- Right to complain: file a complaint with the covered entity or OCR without retaliation.
Compliance and Enforcement Measures
Core compliance practices
- Governance: appoint a privacy official, conduct risk and gap assessments, adopt policies applying the minimum necessary standard.
- Workforce management: train staff, manage role-based access, and enforce sanctions for violations.
- Third-party oversight: execute and manage BAAs; monitor business associates’ adherence to privacy safeguards.
- Process controls: maintain a robust authorization process, respond to access and amendment requests in a timely manner, and track disclosures where required.
- Incident response: investigate, mitigate, and document privacy incidents; provide breach notifications to individuals and HHS when required.
- Documentation: maintain policies, procedures, and related records for at least six years and review regularly.
Enforcement and penalties
OCR enforces the Privacy Rule through complaints, investigations, and audits. Outcomes may include technical assistance, voluntary compliance, resolution agreements with corrective action plans, or civil monetary penalties. Penalties follow a tiered structure that considers culpability (from reasonable cause to willful neglect), the nature and extent of the violation, harm caused, mitigation efforts, and the entity’s compliance history.
State attorneys general may also bring civil actions for violations affecting residents, and certain egregious, knowing misconduct can trigger criminal liability. Proactive governance, continuous training, and strong vendor management materially reduce enforcement risk and penalty exposure.
Conclusion
The HIPAA Privacy Rule centers on protecting PHI while enabling care delivery. If you identify whether you are a covered entity or business associate, apply privacy safeguards and the minimum necessary standard, honor individual rights, and maintain vigilant oversight of vendors, you will meet the core obligations and substantially reduce the risk of OCR findings or civil monetary penalties.
FAQs
Who qualifies as a covered entity under the HIPAA Privacy Rule?
Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. Examples include insurers, employer-sponsored health plans, hospitals, physicians, pharmacies, labs, and billing services that meet the definition. Hybrid organizations can designate only their health care components as covered.
What are the responsibilities of business associates regarding PHI?
Business associates must sign BAAs, use and disclose PHI only as allowed, implement appropriate privacy safeguards, follow the minimum necessary standard, train their workforce, and report incidents and breaches. They must also bind subcontractors to the same obligations and are directly liable under HIPAA for impermissible uses/disclosures and failure to safeguard PHI.
How does HIPAA define protected health information?
PHI is individually identifiable health information held or transmitted by a covered entity or business associate that relates to health status, care provided, or payment, and can identify the individual. It excludes de-identified information, education records under FERPA, employment records held in the employer role, and information about individuals deceased for more than 50 years.
What penalties apply for HIPAA Privacy Rule violations?
OCR can impose tiered civil monetary penalties based on culpability and other factors, ranging from lower amounts for reasonable-cause violations to substantially higher penalties for willful neglect, with annual caps. Enforcement may also require corrective action plans, and state attorneys general can seek remedies. Severe, knowing violations can carry criminal consequences in addition to civil penalties.