Is HIPAA a Privacy Rule? No—Here’s the Difference Between HIPAA and the HIPAA Privacy Rule
Overview of HIPAA Legislation
HIPAA is a federal law enacted in 1996 to improve portability of coverage, standardize healthcare transactions, and strengthen health information privacy. The HIPAA Privacy Rule is one of several regulations issued under HIPAA—it is not the law itself, but a core part of how HIPAA is implemented.
Think of HIPAA as the umbrella statute and its rules as the spokes. Key rules include:
- Privacy Rule: governs Health Information Privacy for Protected Health Information (PHI).
- Security Rule: sets safeguards for electronic PHI in Electronic Health Records and related systems.
- Breach Notification Rule: requires notices after certain PHI breaches.
- Transactions and Code Sets Rule: standardizes electronic Healthcare Transactions.
- Unique Identifiers Rule and Enforcement Rule: create identifiers and outline enforcement processes.
Bottom line: HIPAA is the overarching law; the HIPAA Privacy Rule is a specific regulation within it focused on how PHI may be used and disclosed.
Key Provisions of the HIPAA Privacy Rule
Scope and purpose
The Privacy Rule establishes national standards for how Covered Entities handle PHI in any form—paper, oral, or electronic. It balances patient control with the flow of information needed for safe, efficient care and operations.
Core standards
- Use and disclosure framework: when PHI may be used or shared without authorization and when written authorization is required.
- Minimum necessary: limit PHI to the least amount needed for the purpose.
- Notice of Privacy Practices: explain how PHI is used, rights, and contacts for questions or complaints.
- Administrative requirements: policies, workforce training, and designated privacy officials.
Authorizations and special situations
- Written authorization is generally required for uses beyond treatment, payment, and healthcare operations, and for marketing, sale of PHI, and most uses of psychotherapy notes.
- Research, public health, and other public interest activities have tailored pathways and conditions.
De-identification
Information that has been de-identified under HIPAA (via expert determination or safe-harbor removal of identifiers) is not PHI and is not subject to the Privacy Rule.
Covered Entities and Their Responsibilities
Covered Entities include healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses. Business associates—vendors that handle PHI for these entities—must protect PHI under written agreements and applicable HIPAA provisions.
Core responsibilities include:
- Adopt and enforce Privacy Safeguards and written policies consistent with the Privacy Rule.
- Train the workforce and designate privacy and security leaders.
- Limit PHI access and use to the minimum necessary for job duties.
- Execute business associate agreements before sharing PHI with service partners.
- Standardize electronic Healthcare Transactions where required and maintain documentation.
Individual Rights Under the Privacy Rule
- Right of access: obtain and inspect copies of PHI, including information in Electronic Health Records, in the requested readable format when feasible.
- Right to request amendments: ask to correct or add to records when information is incomplete or inaccurate.
- Right to an accounting of disclosures: receive a record of certain disclosures made without authorization.
- Right to request restrictions: ask providers or plans to limit specific uses or disclosures; some requests must be honored when paid in full out-of-pocket.
- Right to confidential communications: receive communications at an alternative address or by alternative means.
- Right to a Notice of Privacy Practices and to file complaints without retaliation.
Safeguards for Protected Health Information
The Privacy Rule requires reasonable Privacy Safeguards for PHI in any form, and the Security Rule adds specific protections for electronic PHI. Together, they reduce risk across people, processes, and technology.
Administrative safeguards
- Risk analysis and risk management for PHI uses and disclosures.
- Policies, procedures, and workforce training aligned to roles.
- Contingency planning and vendor oversight for business associates.
Physical safeguards
- Facility access controls and visitor management.
- Workstation and device protections, including media disposal.
Technical safeguards
- Unique user IDs, access controls, and audit logs for systems housing Electronic Health Records.
- Encryption, transmission security, and integrity controls for ePHI.
Uses and Disclosures of Health Information
Permitted without authorization
- Treatment, payment, and healthcare operations.
- Public interest and legal purposes, such as public health reporting, health oversight, and as required by law.
- Incidental disclosures that occur despite reasonable safeguards and adherence to the minimum necessary standard.
When authorization is required
- Most uses outside the permitted purposes need written authorization specifying what PHI is shared, with whom, for what purpose, and expiration details.
- Marketing, sale of PHI, and most disclosures of psychotherapy notes require explicit authorization and clear revocation rights.
De-identified and limited data sets
- De-identified data is not PHI and may be used freely.
- Limited data sets can be shared for research, public health, or operations with a data use agreement.
Compliance and Enforcement
The HHS Office for Civil Rights enforces the Privacy, Security, and Breach Notification Rules through complaints, investigations, and audits. Outcomes may include corrective action plans, monitoring, and civil money penalties scaled by the severity and culpability of violations; criminal penalties may apply for intentional misuse of PHI.
Practical compliance steps
- Map PHI flows, including vendors, and apply the minimum necessary standard.
- Complete a documented risk analysis covering people, processes, and technology.
- Maintain current policies, workforce training, and incident response plans.
- Test breach response and ensure timely notifications when required.
- Periodically review Notices of Privacy Practices, authorizations, and access request workflows.
Conclusion
HIPAA is the law; the HIPAA Privacy Rule is the regulation that sets the day-to-day rules for PHI. By understanding who must comply, what rights individuals have, and how uses, disclosures, and safeguards work, you can protect patient trust while enabling safe, compliant information sharing.
FAQs
What is the main purpose of HIPAA?
HIPAA’s purpose is to improve the efficiency of the healthcare system—standardizing electronic Healthcare Transactions—while protecting Health Information Privacy through rules that govern how Protected Health Information is used, disclosed, and safeguarded.
How does the HIPAA Privacy Rule protect patient information?
The Privacy Rule limits when PHI can be used or shared, requires written authorization for non-routine uses, mandates the minimum necessary standard, and gives you rights to access and control your information. It also requires policies, training, and reasonable Privacy Safeguards.
Who must comply with the HIPAA Privacy Rule?
Covered Entities—healthcare providers that conduct standard electronic transactions, health plans, and clearinghouses—and their business associates must comply. Vendors that create, receive, maintain, or transmit PHI on behalf of these entities are also bound through agreements and applicable HIPAA provisions.
What rights do individuals have under the HIPAA Privacy Rule?
You have the right to access your PHI (including Electronic Health Records), request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, and receive a clear Notice of Privacy Practices with instructions on how to raise concerns.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.