HIPAA Privacy Rule Summary and Checklist: Safeguards, Rights, and Examples

Kevin Henry

HIPAA

March 05, 2025

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule sets national standards for how covered entities and their business associates may use and disclose Protected Health Information (PHI). It balances necessary information flow for care with strong individual privacy protections and clear accountability.

You are responsible for limiting PHI access to appropriate purposes, honoring patient rights, and documenting decisions. Day to day, this means training your workforce, applying role-based access, and maintaining policies that reflect current operations.

Minimum Necessary Standard

The Minimum Necessary Standard requires you to use, disclose, and request only the least amount of PHI needed for a task. It does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, disclosures to HHS for compliance investigations, or uses or disclosures required by law.

  • Define role-based access so each job has a clear PHI scope.
  • Standardize routine disclosures with templates that pre-limit data.
  • Implement request review for non-routine disclosures.
  • Log and periodically audit access to verify minimum necessary.
  • Provide just-in-time prompts in systems to discourage over-disclosure.

Authorization Requirements

When a use or disclosure is not otherwise permitted, you must obtain a valid written authorization. A valid authorization specifies the information to be used or disclosed, who may disclose it and who may receive it, the purpose, and an expiration date or event, and carries the individual’s signature and the date signed. It must also state the right to revoke in writing, whether treatment or benefits are conditioned on signing, and that information redisclosed by the recipient may no longer be protected by HIPAA.

  • Use plain-language authorization forms and store them with the record.
  • Psychotherapy notes, marketing, and sale of PHI each need a specific authorization for that purpose; a marketing or sale authorization must state that remuneration is involved where it is.
  • Verify identity before releasing records authorized to third parties.
  • Document any revocation and cease further use/disclosure thereafter.

Breach Notification Rule

If unsecured PHI (PHI that has not been encrypted or destroyed in line with HHS guidance) is compromised, you must assess the probability that it was compromised and, unless that probability is low, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. You must also notify HHS: at the same time as individuals for breaches affecting 500 or more people, or in an annual log for smaller breaches. A breach affecting more than 500 residents of one state or jurisdiction also requires notice to prominent media serving that area. PHI encrypted to HHS standards, where the key was not also exposed, is not “unsecured”, so losing it does not trigger notification; that is the strongest practical argument for encrypting devices and properly disposing of media.

  • Maintain an incident response plan with decision trees and contacts.
  • Perform and retain documented risk assessments for each incident.
  • Issue timely notices describing what happened, data involved, and mitigation.
  • Track corrective actions and lessons learned to strengthen controls.

Protected Health Information Definition

PHI is individually identifiable health information related to a person’s health status, care, or payment for care, created or received by a covered entity or business associate. PHI can exist in any form—paper, electronic (ePHI), or oral.

What counts as PHI?

  • Identifiers such as name, geographic data below state level (street address, city, county, ZIP code), contact details, dates tied to the individual, and Social Security, health plan, and medical record numbers.
  • Clinical data: diagnoses, lab results, imaging, prescriptions, and visit notes.
  • Billing and insurance information tied to an identifiable individual.
  • Biometric identifiers and full-face photographs or comparable images.

What is not PHI?

  • De-identified data: the Safe Harbor method (all 18 enumerated identifiers removed, with no actual knowledge that the remainder could identify the person) or expert determination.
  • Education records covered by FERPA and employment records held by a covered entity in its role as employer.
  • Note that a Limited Data Set is still PHI: it keeps dates and city/state/ZIP, and may be shared without authorization only under a Data Use Agreement.

Examples

  • PHI: A discharge summary emailed to a specialist about a named patient.
  • Not PHI: A dataset with all 18 identifiers removed used for internal quality trends.
  • Limited Data Set (still PHI): City, state, and dates retained for research under a Data Use Agreement.

Patient Rights Under HIPAA

Individuals have clear rights that you must enable and document. These include access, amendment, an Accounting of Disclosures, restrictions, confidential communications, and the right to receive a Notice of Privacy Practices.

  • Right of access: Provide copies (including electronic) within 30 days; one 30-day extension allowed with written notice.
  • Amendment: Accept or deny in writing with reasons; append amendments to the record when granted.
  • Restrictions: You may decline most requests to restrict uses or disclosures, but you must agree when the individual (or someone on their behalf) has paid for an item or service in full out-of-pocket and asks that it not be disclosed to a health plan for payment or operations, unless the disclosure is required by law.
  • Confidential communications: Accommodate alternate addresses or contact methods when reasonable.

Accounting of Disclosures

Upon request, provide an Accounting of Disclosures for the six years prior to the request date, excluding those for treatment, payment, and health care operations, disclosures to the individual, or those made pursuant to authorization. Include date, recipient, description, and purpose where applicable.

Examples

  • A patient requests an electronic copy of their record be sent to a chosen app; you verify identity and transmit securely.
  • A patient asks to amend a medication list; you add an addendum explaining the change or your reason for denial.
  • A patient pays out-of-pocket and asks you not to bill their health plan for that service; you must honor this restriction.

Permitted Uses and Disclosures of PHI

You may use or disclose PHI without authorization for treatment, payment, and health care operations (TPO), and for specified public interest purposes. Always apply the Minimum Necessary Standard except where the rule exempts it (for example, disclosures for treatment).

Treatment, Payment, and Health Care Operations

  • Treatment: Coordinating and delivering care among providers.
  • Payment: Billing, claims management, eligibility and coverage determinations.
  • Operations: Quality improvement, audits, compliance, and training.

Public interest and other permitted uses

  • Required by law and public health activities (for example reportable diseases, or proof of immunization to a school with the agreement of the parent or individual).
  • Health oversight, judicial/administrative proceedings, and certain law enforcement needs.
  • To avert a serious threat, for decedents, organ and tissue donation, and workers’ compensation programs.
  • Research with IRB/Privacy Board waiver, preparatory-to-research reviews, or Limited Data Sets with a Data Use Agreement.

Privacy Rule Compliance

  • Maintain a current Notice of Privacy Practices and obtain acknowledgments where required.
  • Execute and manage Business Associate Agreements before sharing PHI.
  • Document non-routine disclosures and decisions that deviate from standard protocols.
  • Train your workforce on permitted uses and Minimum Necessary decision-making.

De-identification and Limited Data Sets

  • Safe Harbor: Remove enumerated identifiers that could reasonably identify a person.
  • Expert determination: A qualified expert certifies very small re-identification risk.
  • Limited Data Set: Share only specified fields under a Data Use Agreement for research, public health, or operations.
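The difference between Safe Harbor de-identification and a Limited Data Set (here and in the “What is not PHI?” section above) is easiest to see in code. The following is an added Python example, not code from this page or from Accountable. The field names, the sample record, the reference date and the RESTRICTED_ZIP3 set are constructed for illustration; a real implementation must take the sparsely populated ZIP prefixes from current Census data, and Safe Harbor additionally requires that you have no actual knowledge the remaining data could identify the individual, which no function can check for you.

```python
"""Safe Harbor de-identification vs. Limited Data Set derivation.

Added example; field names, the sample record and RESTRICTED_ZIP3 are constructed.
"""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers that both Safe Harbor and a Limited Data Set must remove.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "street", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# Geography below state level that Safe Harbor removes but a Limited Data Set may keep.
SAFE_HARBOR_GEO = {"city", "county", "precinct"}
# Dates directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Constructed set of 3-digit ZIP prefixes assumed to contain <= 20,000 people; Safe Harbor
# requires those to become "000". Use current Census data in a real implementation.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
AS_OF = date(2025, 3, 5)  # constructed reference date for age calculation


def safe_harbor_zip(zip_code: str) -> str:
    """Truncate to the first three digits; sparsely populated prefixes become 000."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: str, as_of: date) -> int:
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify_safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor rules to a flat patient record.

    Safe Harbor also requires that you have no actual knowledge the remaining data
    could identify the person; that judgement is outside what this function can do.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SAFE_HARBOR_GEO:
            continue                      # removed outright
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            out[key] = value[:4]          # keep the year only
        else:
            out[key] = value              # clinical data, state, etc. are retained
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            # Ages over 89, and any date element (including the year of birth) that
            # reveals such an age, must be aggregated into a single "90+" category.
            out.pop("dob", None)
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    return out


def limited_data_set(record: dict) -> dict:
    """Strip the direct identifiers only; dates, city, state and ZIP are retained.

    The result is still PHI and may only be shared under a Data Use Agreement.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


# Constructed sample record (not a real person).
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "MA",
    "zip": "01105",
    "dob": "1932-03-15",
    "admit_date": "2024-11-02",
    "diagnosis": "I10",
}

if __name__ == "__main__":
    print("Safe Harbor:", deidentify_safe_harbor(SAMPLE))
    print("Limited Data Set:", limited_data_set(SAMPLE))
```

Run it and compare the two outputs for the same record: the Limited Data Set still carries a full date of birth, admission date and five-digit ZIP, which is exactly why it remains PHI and needs a Data Use Agreement, while the Safe Harbor output for a 92-year-old has lost even the birth year.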

Examples

  • Sending a referral packet to a specialist for ongoing care (treatment).
  • Submitting claims information to a health plan (payment).
  • Reporting a confirmed case to public health authorities as required by law.

Administrative Safeguards

Administrative safeguards are the administrative actions, policies, and procedures that govern how you select, implement, and maintain security measures for ePHI and how you manage workforce conduct. They are Security Rule requirements, but they are also where Privacy Rule principles such as Minimum Necessary get operationalized.

  • Risk analysis and risk management with documented remediation plans.
  • Assigned security responsibility and clear governance.
  • Workforce security: authorization and supervision, clearance procedures such as background checks, termination procedures that remove access on departure, and a sanctions policy.
  • Information access management aligned to Minimum Necessary.
  • Security awareness and training, including phishing and social engineering.
  • Security incident procedures with breach escalation and investigation steps.
  • Contingency planning: data backup, disaster recovery, and emergency mode operations testing.
  • Ongoing evaluation and documented policies/procedures.

Security Rule Integration

Privacy defines why PHI may be used or disclosed; the Security Rule defines how you safeguard ePHI. Map privacy decisions to security controls—role-based access for Minimum Necessary, BAAs to vendor security requirements, and audit controls to monitor compliance.

Examples

  • Quarterly access reviews to right-size permissions after role changes.
  • Tabletop exercises for incident response and breach notification workflows.
  • Vendor due diligence before signing a Business Associate Agreement.

Physical Safeguards

Physical safeguards protect the facilities, equipment, and media that store or process PHI. You must control who can enter spaces, how workstations are used, and how devices and media are secured throughout their lifecycle.

Examples

  • Restricting server rooms to authorized staff and recording maintenance.
  • Using privacy filters at registration desks to prevent shoulder surfing.
  • Sanitizing or shredding media before reuse or disposal.

Technical Safeguards

Technical safeguards are technology and related policies that protect ePHI and control access. Focus on strong authentication, encryption, auditing, and integrity protections across systems and data flows.

Examples

  • Encrypting laptops and mobile devices that store ePHI.
  • Using secure portals or encrypted email to send records externally.
  • Automated alerts for unusual access patterns in EHR audit logs.
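The last bullet, together with the “log and periodically audit access” item under the Minimum Necessary Standard, is where most PHI snooping is actually caught. The following is an added Python example, not code from this page or from any EHR vendor, that runs two detections over constructed audit lines: a view of a patient the user has no recorded relationship with, and a bulk pull of many patients in an off-hours window. The log format, the sample lines, the ASSIGNMENTS table, the thresholds and the btg=1 break-the-glass convention are all assumptions made for the example.

```python
"""Detect unusual PHI access in EHR audit logs.

Added example; the log format, sample lines and assignment data are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit export in a hypothetical key=value format (real EHR exports differ).
SAMPLE_LOG = """\
2025-03-04T09:02:11Z user=rn_lopez role=nurse action=view patient=P1001
2025-03-04T09:05:40Z user=rn_lopez role=nurse action=view patient=P1002
2025-03-04T09:30:03Z user=dr_chen role=physician action=view patient=P1003
2025-03-04T09:31:15Z user=dr_chen role=physician action=view patient=P1007 btg=1
2025-03-04T10:00:00Z user=rn_lopez role=nurse action=view patient=P1009
2025-03-04T23:10:02Z user=billing_kim role=billing action=view patient=P1001
2025-03-04T23:11:45Z user=billing_kim role=billing action=view patient=P1002
2025-03-04T23:12:09Z user=billing_kim role=billing action=view patient=P1003
2025-03-04T23:13:30Z user=billing_kim role=billing action=view patient=P1004
2025-03-04T23:14:51Z user=billing_kim role=billing action=view patient=P1005
2025-03-04T23:15:20Z user=billing_kim role=billing action=view patient=P1006
"""

# Constructed treatment/payment relationships: the patients each user may view.
ASSIGNMENTS = {
    "rn_lopez": {"P1001", "P1002"},
    "dr_chen": {"P1003"},
    "billing_kim": {"P1001", "P1002", "P1003", "P1004", "P1005", "P1006"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
OFF_HOURS_START, OFF_HOURS_END = 19, 7   # 19:00-07:00; timestamps treated as local time
BULK_THRESHOLD = 5                        # distinct patients in one hour before alerting
WINDOW = timedelta(hours=1)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def detect(log_text: str, assignments: dict) -> list[tuple]:
    """Return (finding, user, detail, timestamp) tuples for records needing review."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: a view of a patient the user has no recorded relationship with.
    # Break-the-glass (btg=1) access is still reported, but as a review item rather than
    # a violation: the emergency justification has to be checked after the fact.
    for e in events:
        if e["patient"] in assignments.get(e["user"], set()):
            continue
        kind = "break_the_glass_review" if e.get("btg") == "1" else "no_treatment_relationship"
        findings.append((kind, e["user"], e["patient"], e["ts"].isoformat()))

    # Rule 2: more than BULK_THRESHOLD distinct patients inside any one-hour window
    # that starts off-hours. Valid relationships do not excuse a bulk pull at 23:00.
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if not is_off_hours(start["ts"]):
                continue
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= WINDOW]
            distinct = {x["patient"] for x in window}
            if len(distinct) > BULK_THRESHOLD:
                findings.append(("off_hours_bulk_access", user, len(distinct), start["ts"].isoformat()))
                break   # one finding per user per run is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, ASSIGNMENTS):
        print(*finding)
```

On the sample log this reports the physician’s break-the-glass view of P1007 for after-the-fact review, the nurse’s view of an unassigned patient P1009 as a probable minimum-necessary violation, and the billing user’s six-patient sweep at 23:10 as off-hours bulk access even though every one of those patients is on that user’s list. In production the assignment data comes from scheduling, encounter and claims systems, and each finding should land in a ticket with the log lines attached, since the access log is also what you will need for an Accounting of Disclosures or a breach risk assessment.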

Checklist Summary

To operationalize this summary and checklist, align your policies to permitted uses, enforce the Minimum Necessary Standard, honor patient rights on time, and integrate administrative, physical, and technical safeguards. Regular training, audits, and clear documentation keep Privacy Rule compliance durable.

FAQs

What are the key protections under the HIPAA Privacy Rule?

The rule limits how PHI can be used and disclosed, requires the Minimum Necessary Standard, mandates Notices of Privacy Practices, and grants individual rights such as access and amendment. It also requires Business Associate Agreements and coordinates with the Breach Notification Rule and Security Rule to ensure end-to-end protection.

How can patients exercise their rights under HIPAA?

Patients should contact the provider’s or health plan’s privacy office, submit written requests for access, amendments, restrictions, or confidential communications, and retain copies. You must respond within required timeframes and provide reasons for any denials, along with information on how to complain or appeal.

What types of safeguards are required to protect PHI?

HIPAA requires administrative safeguards (policies, training, risk management), physical safeguards (facility, workstation, and device controls), and technical safeguards (access control, encryption, auditing, and integrity protections). These are Security Rule controls, and together they are how you meet Privacy Rule obligations for ePHI.

What penalties apply for noncompliance with HIPAA?

HIPAA allows tiered civil monetary penalties, enforced by the HHS Office for Civil Rights, that increase with the level of culpability and whether violations are corrected; the amounts are adjusted annually for inflation. Serious, uncorrected violations can lead to significant penalties and corrective action plans, and criminal penalties may apply for knowingly obtaining or disclosing individually identifiable health information in violation of the statute.
