HIPAA Privacy Rule: Three Core Provisions, Requirements, and Compliance Examples

Kevin Henry

February 13, 2025

Establishing National Standards for PHI Protection

What the Privacy Rule establishes

The HIPAA Privacy Rule sets national standards for protecting Protected Health Information (PHI) in any form—paper, electronic, or oral. It defines when PHI may be used or disclosed, requires safeguards and documentation, and grants individuals control over their health information.

Its three core provisions are: (1) rules for permitted uses and disclosures with PHI Disclosure Limitations and Patient Authorization Requirements; (2) enforceable patient rights; and (3) administrative requirements that include policies, training, documentation, and the Minimum Necessary Standard.

Key requirements

PHI includes any individually identifiable health information linked to a person’s past, present, or future health or payment for care. The rule permits use and disclosure for treatment, payment, and health care operations without authorization, while imposing limits for other purposes unless a valid authorization is obtained.

De-identification and limited data sets help reduce privacy risk. Where authorization is not required (for example, certain public health or required-by-law disclosures), you must still apply PHI Disclosure Limitations—sharing only what is appropriate and tracking disclosures when required.

Compliance examples

  • Provide the Notice of Privacy Practices at first service, post it prominently, and keep records of acknowledgment.
  • Use role-based access so billing staff see only billing details, not entire clinical histories.
  • Obtain written authorization for marketing communications that are not face-to-face and for any sale of PHI.
  • Use de-identified data for population analytics; where identifiers are needed, apply a limited data set with a data use agreement.

Defining Covered Entities and Business Associates

Who is covered

Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. If you fall into one of these categories, the Privacy Rule applies to your workforce and operations.

Business associates and accountability

Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity. Subcontractors that handle PHI are also business associates. They have direct HIPAA responsibilities and must implement safeguards that align with your privacy program and Electronic PHI Safeguards.

Business Associate Agreements (BAAs)

Business Associate Agreements define permitted uses and disclosures, prohibit unauthorized uses, require reporting of incidents and breaches, flow down obligations to subcontractors, and mandate return or destruction of PHI when services end. BAAs help operationalize PHI Disclosure Limitations across your vendor ecosystem.

Compliance examples

  • Execute BAAs with your EHR vendor, cloud hosting provider, e-fax service, remote scribes, and revenue cycle firms.
  • Review each BAA annually to confirm current services, data flows, and Patient Authorization Requirements where applicable.
  • Require vendors to document access controls, encryption, and audit logging as part of Electronic PHI Safeguards.

Implementing the Minimum Necessary Standard

What “minimum necessary” means

The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the intended purpose. It does not apply to disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures authorized by the individual, or disclosures required by law or to the Department of Health and Human Services.

Operationalizing the standard

Translate the principle into role-based access rules, data segmentation, and “need-to-know” workflows. Standardize routine disclosures with templates that pre-limit fields, and use limited data sets where full identifiers are not needed. Review reports and exports to ensure they exclude extraneous data.

Compliance examples

  • Claims staff receive only subscriber demographics, dates of service, CPT/ICD codes, and balances—not full clinical notes.
  • Population health reports present aggregated metrics or a limited data set, with identifiers stripped unless justified.
  • Research support uses a data use agreement and fields tailored to protocol requirements instead of entire charts.
  • Contact center scripts restrict visible PHI to what’s necessary to resolve the caller’s request.
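The role-based field limits described above can be enforced in code rather than left to staff discretion. The following Python example is added here to illustrate that idea; it is not code from the original article or from Accountable. The role names, field names, the drop list used to form a limited data set, and the sample record are all constructed for illustration, and a real system would take them from the organization's own policies and from the rule's identifier list.

```python
"""Minimum-necessary projection of a patient record by workforce role.

Added illustration, not code from the article or from Accountable.
Role names, field names, the limited-data-set drop list and the sample
record below are constructed for this example.
"""
from copy import deepcopy

# Constructed sample record: one patient's designated record set.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "dob": "1980-04-02",
    "address": "1 Sample St, Anytown",
    "phone": "555-0100",
    "subscriber_id": "SUB-998877",
    "encounters": [
        {"date_of_service": "2025-01-10", "cpt": ["99213"], "icd10": ["E11.9"],
         "balance": 120.00, "clinical_note": "Patient reports ..."},
        {"date_of_service": "2025-02-03", "cpt": ["80053"], "icd10": ["E11.9"],
         "balance": 0.00, "clinical_note": "Labs reviewed ..."},
    ],
}

# Role -> fields allowed at the record level and inside each encounter.
# None means "all fields". Claims staff get demographics, dates of service,
# codes and balances (the article's example), never clinical notes.
ROLE_FIELDS = {
    "claims": {
        "record": {"mrn", "name", "dob", "subscriber_id"},
        "encounter": {"date_of_service", "cpt", "icd10", "balance"},
    },
    # Treatment uses are outside the minimum necessary standard: full view.
    "treating_clinician": {"record": None, "encounter": None},
    "contact_center": {
        "record": {"mrn", "name", "phone"},
        "encounter": {"date_of_service", "balance"},
    },
}

# Direct identifiers removed to form a limited data set; dates are retained.
# Constructed subset: the authoritative identifier list comes from the rule.
LIMITED_DATA_SET_DROP = {"mrn", "name", "address", "phone", "subscriber_id"}


def project_for_role(record, role):
    """Return a copy of `record` holding only the fields `role` may see.

    Unknown roles are denied rather than given a default view.
    """
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}: deny by default")
    spec = ROLE_FIELDS[role]
    src = deepcopy(record)          # never mutate the source record
    out = {}
    for key, value in src.items():
        if key == "encounters":
            continue
        if spec["record"] is None or key in spec["record"]:
            out[key] = value
    out["encounters"] = [
        {k: v for k, v in enc.items()
         if spec["encounter"] is None or k in spec["encounter"]}
        for enc in src.get("encounters", [])
    ]
    return out


def limited_data_set(record):
    """Strip direct identifiers so the record can go out under a data use agreement."""
    src = deepcopy(record)
    return {k: v for k, v in src.items() if k not in LIMITED_DATA_SET_DROP}


if __name__ == "__main__":
    print(project_for_role(SAMPLE_RECORD, "claims"))
    print(limited_data_set(SAMPLE_RECORD))
```

The deny-by-default branch matters as much as the field lists: a role that is not in the table gets nothing, so a new job function has to be reviewed and added before it can see any PHI.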

Enforcing Patient Rights and Access

Right of access

Individuals have the right to inspect and obtain a copy of PHI in a designated record set, including electronic copies where readily producible. You must respond within required timeframes, provide a cost-based fee only where allowed, and accommodate secure electronic delivery when requested.

Amendments and accounting

Patients may request an amendment to correct or add information; you must act within required timelines and, when granted, link the amendment to the record and notify relevant parties. Patients may also request an accounting of certain disclosures for a specified period, subject to rule criteria.

Restrictions, confidential communications, and authorizations

Patients can request restrictions on certain disclosures; one mandatory restriction is withholding information from a health plan when the patient pays in full out of pocket for that service. Patients may also request confidential communications via alternative means or locations. Patient Authorization Requirements apply to uses or disclosures outside the rule’s permissions, including many marketing activities and the sale of PHI.

Compliance examples

  • Offer a portal for e-copies, identity verification, and the option to direct records to a third party at the patient’s request.
  • Document access denials with the specific reason and, when required, a review process.
  • Flag out-of-pocket services in your EHR so staff do not disclose related PHI to a health plan.
  • Publish a plain-language Notice of Privacy Practices and train staff to answer questions about patient rights.
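Two of the rights above, the paid-in-full restriction and the accounting of disclosures, lend themselves to a single disclosure gate that every outbound release passes through. The Python example below is added to show that pattern; it is not code from the original article or from Accountable. The `restrict_from_plan` flag, the recipient and purpose names, the subset of accounting exemptions modelled, and the sample services are constructed for illustration.

```python
"""Disclosure gate: honour a patient's paid-in-full restriction and record
an accounting-of-disclosures entry where one is needed.

Added illustration, not code from the article or from Accountable. The flag
name, recipient/purpose vocabulary and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Service:
    date_of_service: str
    description: str
    # Set when the patient paid in full out of pocket and asked that the
    # service not be disclosed to their health plan (the article's example).
    restrict_from_plan: bool = False


@dataclass
class DisclosureLog:
    """Accounting of disclosures: entries the patient may later request."""
    entries: list = field(default_factory=list)


# Purposes for which no accounting entry is kept. Constructed subset of the
# rule's exemptions: treatment, payment, operations, disclosures to the
# individual, and disclosures made under the individual's authorization.
ACCOUNTING_EXEMPT = {"treatment", "payment", "operations", "to_individual", "authorized"}


def prepare_disclosure(patient_id, services, recipient, purpose, log, today=None):
    """Return the services that may be released to `recipient` for `purpose`.

    Restricted services are withheld from a health plan, and disclosures that
    are not exempt are appended to `log` for the accounting of disclosures.
    """
    today = today or date.today().isoformat()
    if recipient == "health_plan":
        releasable = [s for s in services if not s.restrict_from_plan]
    else:
        releasable = list(services)
    if purpose not in ACCOUNTING_EXEMPT and releasable:
        log.entries.append({
            "patient_id": patient_id,
            "date": today,
            "recipient": recipient,
            "purpose": purpose,
            "services": [s.date_of_service for s in releasable],
        })
    return releasable


# Constructed sample: one ordinary visit and one self-pay, restricted lab panel.
SAMPLE_SERVICES = [
    Service("2025-01-10", "office visit"),
    Service("2025-02-03", "lab panel (self-pay, restricted)", restrict_from_plan=True),
]


if __name__ == "__main__":
    log = DisclosureLog()
    to_plan = prepare_disclosure("P1", SAMPLE_SERVICES, "health_plan", "payment", log)
    print([s.description for s in to_plan])   # the restricted lab panel is absent
    prepare_disclosure("P1", SAMPLE_SERVICES, "public_health_authority",
                       "public_health", log)
    print(log.entries)
```

Routing every release through one function is what makes the restriction auditable: the EHR flag is read in exactly one place, and the accounting log is written from the same place, so a walkthrough test can exercise both with a handful of calls.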

Applying Compliance Safeguards and Auditing

Administrative requirements and governance

Designate a privacy official, implement policies and procedures, train your workforce, and apply sanctions for violations. Maintain a complaint process, mitigate known risks, and retain required documentation for at least six years. Coordinate privacy reviews with security risk management for coherent oversight.

Electronic PHI Safeguards

While the Security Rule governs ePHI, aligning its controls is essential for Privacy Rule compliance. Use encryption in transit and at rest, strong authentication and least-privilege access, session timeouts, device protections, and comprehensive audit logging to deter inappropriate access and support PHI Disclosure Limitations.

Privacy Rule Compliance Audits

Conduct internal Privacy Rule Compliance Audits to test real workflows—authorizations, right-of-access requests, minimum necessary checks, and vendor oversight. Validate that BAAs match current services, disclosures are tracked where required, and staff can demonstrate policy understanding during interviews.

Compliance examples

  • Quarterly chart-access reviews to spot excessive viewing and remediate through coaching or sanctions.
  • Walkthrough tests of right-of-access timelines and fee calculations to confirm they meet policy and regulatory limits.
  • Vendor due diligence that samples tickets, logs, and incident reports against BAA obligations.
  • Drills for privacy incidents that practice containment, investigation, and communication steps.
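The quarterly chart-access review in the first bullet can be started from the audit log the Electronic PHI Safeguards section calls for. The Python example below is added to show one such review pass; it is not code from the original article or from Accountable. The CSV log format, the care-team assignment table, the role scope table, the peer-multiplier threshold and all sample lines are constructed; a real review would read the EHR's own audit export and use baselines agreed with the privacy official.

```python
"""Chart-access review over audit log lines: role scope violations,
views without a care relationship, and volume outliers against role peers.

Added illustration, not code from the article or from Accountable. The log
format, tables, threshold and sample lines are constructed.
"""
import csv
from collections import defaultdict
from io import StringIO
from statistics import median

# Constructed sample audit export: timestamp,user,role,mrn,action
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,mrn,action
2025-02-10T08:01:00,nurse.a,nurse,MRN-1,view_chart
2025-02-10T08:05:00,nurse.a,nurse,MRN-2,view_chart
2025-02-10T08:30:00,nurse.b,nurse,MRN-3,view_chart
2025-02-10T09:00:00,nurse.c,nurse,MRN-1,view_chart
2025-02-10T09:01:00,nurse.c,nurse,MRN-4,view_chart
2025-02-10T09:02:00,nurse.c,nurse,MRN-5,view_chart
2025-02-10T09:03:00,nurse.c,nurse,MRN-6,view_chart
2025-02-10T09:04:00,nurse.c,nurse,MRN-7,view_chart
2025-02-10T09:05:00,nurse.c,nurse,MRN-8,view_chart
2025-02-10T09:06:00,nurse.c,nurse,MRN-9,view_chart
2025-02-10T09:07:00,nurse.c,nurse,MRN-10,view_chart
2025-02-10T10:00:00,billing.x,billing,MRN-2,view_clinical_note
2025-02-10T10:05:00,billing.y,billing,MRN-3,view_balance
"""

# Constructed care-team assignments: users with a treatment relationship per MRN.
ASSIGNMENTS = {
    "nurse.a": {"MRN-1", "MRN-2"},
    "nurse.b": {"MRN-3"},
    "nurse.c": {"MRN-1", "MRN-4"},
}

# Actions a role must not perform under the minimum necessary standard
# (billing staff are the article's example: balances and codes, not notes).
ROLE_DISALLOWED_ACTIONS = {"billing": {"view_clinical_note"}}


def parse_audit(text):
    """Parse the constructed CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def review_access(rows, peer_multiplier=3.0):
    """Return a list of finding dicts from one review pass over `rows`."""
    findings = []
    distinct = defaultdict(set)     # user -> set of MRNs viewed
    role_of = {}
    seen_no_rel = set()
    for r in rows:
        distinct[r["user"]].add(r["mrn"])
        role_of[r["user"]] = r["role"]
        # 1. Role performed an action outside its permitted scope.
        if r["action"] in ROLE_DISALLOWED_ACTIONS.get(r["role"], set()):
            findings.append({"type": "role_scope", "user": r["user"],
                             "mrn": r["mrn"], "action": r["action"]})
        # 2. Clinical user viewed a chart with no recorded care relationship.
        if r["user"] in ASSIGNMENTS and r["mrn"] not in ASSIGNMENTS[r["user"]]:
            key = (r["user"], r["mrn"])
            if key not in seen_no_rel:
                seen_no_rel.add(key)
                findings.append({"type": "no_relationship", "user": r["user"],
                                 "mrn": r["mrn"]})
    # 3. Volume outlier: distinct charts far above the median of role peers.
    by_role = defaultdict(list)
    for user, mrns in distinct.items():
        by_role[role_of[user]].append((user, len(mrns)))
    for role, counts in by_role.items():
        if len(counts) < 2:
            continue                 # no peer baseline to compare against
        med = median(c for _, c in counts)
        for user, c in counts:
            if c > peer_multiplier * med:
                findings.append({"type": "volume_outlier", "user": user,
                                 "distinct_charts": c, "role_median": med})
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_audit(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Each finding type maps to a different follow-up: a role-scope hit points at a configuration gap in access control, a no-relationship hit is a candidate for coaching or sanctions after investigation, and a volume outlier is a prompt to check the user's duties that day before concluding anything.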

Conclusion

The HIPAA Privacy Rule anchors national protections for PHI through clear use-and-disclosure limits, enforceable patient rights, and disciplined administrative practices. By applying the Minimum Necessary Standard, executing robust Business Associate Agreements, and auditing real-world workflows, you can sustain compliant, patient-centered privacy operations.

FAQs

What are the main provisions of the HIPAA Privacy Rule?

The rule’s core provisions are: (1) permitted uses and disclosures of PHI with PHI Disclosure Limitations and Patient Authorization Requirements; (2) enforceable patient rights, including access, amendment, accounting, restrictions, confidential communications, and notice; and (3) administrative requirements, such as policies, training, documentation, and the Minimum Necessary Standard.

How does the minimum necessary standard impact PHI usage?

It requires you to limit PHI uses, disclosures, and requests to the least amount needed for the task. You implement it through role-based access, templated disclosures, and data minimization. It does not apply to treatment, disclosures to the individual, authorized disclosures, or those required by law, but it applies broadly to most other activities.

Who must comply with the HIPAA Privacy Rule?

Covered entities—health plans, health care clearinghouses, and certain health care providers—and their business associates must comply. Subcontractors that handle PHI on behalf of a business associate are also bound by the rule and require appropriate Business Associate Agreements and safeguards.

What rights do patients have under the Privacy Rule?

Patients have rights to access and obtain copies of PHI, request amendments, receive an accounting of certain disclosures, request restrictions (including limiting plan disclosures for services paid in full out of pocket), request confidential communications, and receive a Notice of Privacy Practices explaining how their information is used and protected.
