HIPAA vs. the Privacy Rule: Key Differences, Requirements, and Examples

Kevin Henry

HIPAA

February 03, 2025

7 minutes read

Overview of HIPAA and the Privacy Rule

HIPAA is the federal law that establishes national standards for protecting health information. The Privacy Rule is one of HIPAA’s core implementing regulations, setting boundaries on how Covered Entities and their Business Associates use and disclose Protected Health Information (PHI).

Think of HIPAA as the framework and the Privacy Rule as the rulebook for who may access PHI, for what purposes, and with what Health Information Privacy Safeguards. This guide walks through the key differences between HIPAA and the Privacy Rule, the Rule's requirements, and concrete examples, so you can navigate your obligations with confidence.

The Privacy Rule aligns with other HIPAA regulations, including the Security Rule for electronic PHI and the Breach Notification Rule. Together, they define permissible uses, individual rights, and required administrative practices.

Key Requirements of the Privacy Rule

Minimum Necessary Standard

You must limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the purpose. This standard does not apply to treatment, disclosures to the individual, or uses made pursuant to a valid authorization, but it governs most routine operations and data sharing.

Authorizations and Uses/Disclosures

Uses and disclosures generally fall into three buckets: permitted without authorization, permitted with opportunity to agree or object, and those requiring written authorization. Authorizations must be specific, time-bounded, and revocable, with plain-language descriptions of purpose and scope.

Notice of Privacy Practices (NPP)

Covered health care providers and health plans must give individuals a clear NPP explaining how PHI is used, your legal duties, and individual rights. You must distribute or post it appropriately and abide by its terms unless and until updated.

Business Associates

Vendors that create, receive, maintain, or transmit PHI on your behalf are Business Associates. You must execute Business Associate Agreements that set permitted uses, require safeguards, and mandate reporting of incidents and breaches.

Access, Amendments, and Accounting

Individuals have the right to access their PHI, request amendments to inaccurate or incomplete records, and obtain an accounting of certain disclosures. Provide access in the requested form and format when readily producible, including electronic copies where applicable.

Health Information Privacy Safeguards

The Privacy Rule requires administrative, technical, and physical safeguards to prevent impermissible uses and disclosures. Policies, workforce training, role-based access, and verification procedures are foundational controls that complement Security Rule measures for ePHI.

Administrative Obligations

You must designate a privacy official, train your workforce, document policies and procedures, apply sanctions for violations, mitigate known harm, and maintain records for required retention periods. Regular risk reviews keep practices aligned with evolving operations.

Methods for De-Identification of PHI

HIPAA De-Identification Standards allow you to use health data for analysis and sharing while protecting privacy. Two recognized methods are available; either one suffices when properly applied.

Safe Harbor Method

  • Remove the 18 specified identifiers of the individual and of relatives, employers, or household members.
  • Ensure you have no actual knowledge that remaining information could identify the individual.
  • This method is prescriptive and straightforward, supporting consistent application across datasets.

Expert Determination

  • A qualified expert applies accepted statistical or scientific principles to determine that the risk of re-identification is very small.
  • The expert documents methods, analysis, and results; controls are implemented to maintain the assessed risk level.
  • This method enables utility beyond Safe Harbor by tailoring transformations to the data and context.

Limited Data Set (Not De-Identified)

A Limited Data Set removes direct identifiers but may include certain dates and city/ZIP information. It is not fully de-identified and may be used for research, public health, or health care operations only under a Data Use Agreement.

Compliance with State Laws and HIPAA

HIPAA establishes a nationwide baseline. Through State Preemption rules, HIPAA generally overrides contrary state laws unless a state law is more stringent in protecting privacy or grants greater individual rights. In those cases, the stricter state rule prevails.

More stringent state laws may limit disclosures, tighten access timelines, or provide extra consent requirements for sensitive data. You should map overlapping obligations and adopt the higher standard where conflicts arise.

Where state law requires reporting—such as certain public health or abuse reporting—HIPAA permits those disclosures. Document your legal basis for each disclosure to maintain consistent compliance.

Examples of Protected Health Information Identifiers

PHI is individually identifiable health information held or transmitted by a Covered Entity or Business Associate in any form. Examples of identifiers that can make information identifiable include:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code) and equivalents
  • All elements of dates (except year) related to an individual, and ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code
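The Safe Harbor method described above is prescriptive enough to automate for structured records. The following is an added example (not code from the original article or from Accountable): it drops the fields that map onto the identifier list, keeps only the year of any date, collapses ages over 89 into a single "90+" bucket, and refuses to release a record when a free-text field still carries a phone number, e-mail, SSN, IP address, or full date, which is the practical form of the "no actual knowledge" check. The field names are a constructed schema for this example; the three-digit ZIP retention is permitted by the rule only where the three-digit area holds more than 20,000 people, and the example assumes the caller has already verified that and passes a flag.

```python
import re
from datetime import date

# Record fields that map onto the Safe Harbor identifier categories.
# Field names are constructed for this example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Patterns that catch identifiers leaking through free-text fields (notes etc.).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def find_residual_identifiers(text):
    """Return the sorted identifier categories detected in a free-text value."""
    return sorted(k for k, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def safe_harbor_deidentify(record, zip3_area_over_20k=False):
    """Apply the Safe Harbor removals to a flat patient record (a dict)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                       # direct identifiers are dropped outright
        if key == "zip":
            # Only the first three digits may survive, and only when the
            # three-digit area has more than 20,000 people (caller verifies).
            if zip3_area_over_20k:
                out["zip3"] = str(value)[:3]
            continue
        if isinstance(value, date):
            out[key] = value.year          # every date element except year is removed
            continue
        if key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"               # ages over 89 collapse into one bucket
            continue
        if isinstance(value, str) and find_residual_identifiers(value):
            # Free text still carries an identifier: fail closed rather than release it.
            raise ValueError(f"field {key!r} still contains identifiers")
        out[key] = value
    return out
```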

Rights of Individuals under the Privacy Rule

Individuals have robust rights that you must enable and honor promptly. These rights strengthen transparency and individual control over PHI.

  • Right of access to inspect or obtain copies of PHI in a designated record set, including electronic copies when maintained electronically.
  • Right to request amendments to inaccurate or incomplete PHI, with written denials explaining reasons and appeal options.
  • Right to an accounting of certain disclosures not made for treatment, payment, or health care operations.
  • Right to request restrictions on uses or disclosures; required acceptance when an individual pays out-of-pocket in full and requests non-disclosure to a health plan for that item or service.
  • Right to request confidential communications by alternative means or at alternative locations.
  • Right to receive the Notice of Privacy Practices and to file complaints without retaliation.

Permitted Disclosures of PHI

The Privacy Rule permits certain disclosures without patient authorization when specific conditions are met. Your policies should define processes, approvals, and documentation for each category.

  • Treatment, payment, and health care operations (TPO)
  • Incidental disclosures when reasonable safeguards and the minimum necessary standard are applied
  • Public interest and benefit activities, including:
    • Disclosures required by law
    • Public health activities and reporting
    • Reporting abuse, neglect, or domestic violence as authorized
    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement purposes under defined criteria
    • Decedents and organ/eye/tissue donation
    • Research under IRB/Privacy Board waiver or via a Limited Data Set with a Data Use Agreement
    • To avert a serious threat to health or safety
    • Specialized government functions and workers’ compensation

Conclusion

HIPAA sets the national baseline, while the Privacy Rule details how PHI may be used and shared, what safeguards you must apply, and what rights individuals hold. By following the minimum necessary standard, honoring individual rights, and applying De-Identification Standards such as the Safe Harbor Method or Expert Determination, you can meet legal duties and responsibly unlock data value.

FAQs

Is the Privacy Rule part of HIPAA?

Yes. The Privacy Rule is an implementing regulation under HIPAA. It operationalizes the statute by defining who may use or disclose PHI, under what conditions, and what rights and safeguards apply.

What types of entities must comply with the Privacy Rule?

Covered Entities—health plans, health care clearinghouses, and health care providers that conduct certain electronic transactions—must comply, along with their Business Associates. Business Associates must follow Privacy Rule requirements applicable to the services they perform and the PHI they handle.

How does the Privacy Rule protect electronic health information?

The Privacy Rule limits who may access ePHI and for what purposes, requires Health Information Privacy Safeguards, and mandates policies, training, and role-based access. It works alongside the Security Rule, which specifies detailed technical and physical protections for ePHI.

When can PHI be disclosed without patient authorization?

PHI may be disclosed without authorization for treatment, payment, and health care operations, for certain public interest and legal purposes (such as public health reporting or when required by law), and in limited, well-defined circumstances like research with an IRB waiver. All such disclosures must follow the minimum necessary and other applicable Privacy Rule requirements.
