Is HIPAA About Confidentiality or Privacy? How the Law Addresses Both
HIPAA Privacy Rule Overview
What the Privacy Rule covers
The HIPAA Privacy Rule sets national standards for how Covered Entities use and disclose Protected Health Information (PHI). It focuses on your ability to control when, why, and with whom your health information is shared, while ensuring that care, billing, and operations can function smoothly.
PHI includes any individually identifiable information about your health status, care, or payment, in any format. The rule permits use and disclosure without authorization for treatment, payment, and healthcare operations, and in other specific situations allowed by law. Outside those purposes, your written authorization is generally required.
Core obligations
- Minimum necessary: limit PHI use and disclosure to what is reasonably needed for the purpose.
- Notice of Privacy Practices: inform you how your PHI is used and your options.
- Authorizations: obtain your permission for non-routine uses (for example, many forms of marketing).
- Safeguards: put reasonable measures in place to prevent improper uses or disclosures.
The Privacy Rule is also where your Patient Access Rights live. You can request access to your records, receive copies in paper or electronic form when available, and ask a provider to send information to a third party you designate.
HIPAA Security Rule Protections
Safeguarding Electronic Protected Health Information
The HIPAA Security Rule protects Electronic Protected Health Information (ePHI). While the Privacy Rule governs when PHI may be shared, the Security Rule specifies how ePHI must be protected against unauthorized access, alteration, or loss.
Three categories of safeguards
- Administrative safeguards: risk analysis, workforce training, security policies, contingency and incident response planning, and business associate oversight.
- Physical safeguards: facility access controls, workstation and device security, secure media disposal, and protections for mobile devices.
- Technical safeguards: unique user IDs, role-based access, audit logs, integrity controls, authentication, and transmission security (such as encryption in transit).
Together, these controls operationalize confidentiality, integrity, and availability for ePHI and complement the HIPAA Privacy Rule’s limits on use and disclosure.
Distinguishing Privacy and Confidentiality
Privacy is your right to decide how your health information is collected, used, and shared. Confidentiality is the duty of a Covered Entity and its workforce to keep your information secret once they have it, sharing it only as the law permits or you authorize.
Security is the toolbox that enforces confidentiality in the digital world. For example, your clinic may disclose PHI to a specialist for treatment (privacy permits this), but staff must not discuss your condition with unauthorized people (confidentiality), and the EHR must restrict access and log activity (security).
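The following Python sketch is an added illustration, not code from the article or from Accountable's own products. It models the three technical-safeguard ideas named above (unique user IDs, role-based access with a minimum-necessary field filter, and an audit log) against a constructed, fictional patient record. The roles, the per-role field sets, and the sample record are assumptions chosen for illustration, not values HIPAA itself prescribes.

```python
"""Toy EHR access gate: unique user IDs, role-based access limited to the
minimum necessary fields, and an audit log of every access attempt.
Added example; roles, fields and the sample record are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record; every value is fictional.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "insurance_id": "INS-12345",
    "billing_balance": 120.00,
}

# "Minimum necessary" expressed as the fields each role may see (assumption).
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis", "medications"},
    "billing": {"patient_id", "name", "insurance_id", "billing_balance"},
    "front_desk": {"patient_id", "name"},
}


@dataclass
class User:
    user_id: str  # unique per person; shared logins would defeat the audit trail
    role: str


@dataclass
class AuditEntry:
    timestamp: str
    user_id: str
    patient_id: str
    purpose: str
    outcome: str
    fields: tuple


class EHR:
    def __init__(self, records):
        self._records = records
        self.audit_log: list = []  # append-only in this toy

    def _log(self, user, patient_id, purpose, outcome, fields=()):
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user.user_id,
            patient_id, purpose, outcome, tuple(sorted(fields))))

    def read(self, user, patient_id, purpose):
        """Return only the fields the user's role needs; log every attempt,
        including denials, so the log supports an accounting of access."""
        allowed = ROLE_FIELDS.get(user.role)
        if allowed is None:
            self._log(user, patient_id, purpose, "denied: unknown role")
            raise PermissionError(f"role {user.role!r} has no access")
        record = self._records.get(patient_id)
        if record is None:
            self._log(user, patient_id, purpose, "denied: no such patient")
            raise KeyError(patient_id)
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(user, patient_id, purpose, "ok", view.keys())
        return view


def accesses_by(ehr, patient_id):
    """Who touched this record, for what purpose, and with what result."""
    return [(e.user_id, e.purpose, e.outcome)
            for e in ehr.audit_log if e.patient_id == patient_id]


if __name__ == "__main__":
    ehr = EHR({PATIENT_RECORD["patient_id"]: PATIENT_RECORD})
    print(ehr.read(User("u-1001", "physician"), "P-0001", "treatment"))
    print(ehr.read(User("u-2002", "billing"), "P-0001", "payment"))
    try:
        ehr.read(User("u-3003", "unknown_role"), "P-0001", "lookup")
    except PermissionError as err:
        print("denied:", err)
    for entry in accesses_by(ehr, "P-0001"):
        print(entry)
```

The physician's view never includes the insurance identifier and the billing clerk's view never includes the diagnosis, which is the minimum necessary standard applied mechanically rather than left to judgement. Denied attempts are logged as well, because a log that records only successes cannot show a reviewer who tried to reach a record they should not have.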
Role of Covered Entities
Covered Entities include healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses. Many vendors that handle PHI—such as EHR platforms or billing services—are business associates and must follow relevant HIPAA requirements through written agreements.
As a patient, you should expect Covered Entities to maintain policies, train their workforce, apply the minimum necessary standard, manage business associate agreements, monitor access, and respond promptly to incidents or suspected breaches. These actions translate legal requirements into everyday privacy and confidentiality practices.
Rights of Patients Under HIPAA
- Patient Access Rights: inspect or receive copies of your PHI, including ePHI when it is maintained electronically, and direct a copy to a third party of your choice.
- Amendment: request corrections to inaccurate or incomplete information in your record.
- Accounting of disclosures: receive a listing of certain PHI disclosures made without your authorization.
- Restrictions: ask providers or plans to limit specific uses or disclosures; some requests must be honored in defined situations.
- Confidential communications: request that information be sent to you by alternate means or locations to enhance privacy.
- Transparency and complaints: receive a Notice of Privacy Practices and file complaints if you believe your rights were violated.
Exceptions for Public Health
HIPAA allows certain Public Health Disclosures without your authorization. Covered Entities may share PHI with public health authorities to prevent or control disease, report vital events, track exposures and adverse events, or carry out other activities authorized by law.
These disclosures must follow the minimum necessary standard and be limited to the purpose. When a disclosure is for treatment (for example, coordination among treating providers during an outbreak), the minimum necessary standard does not apply, but professional judgment and need-to-know access still do.
Enforcement and Compliance Mechanisms
The U.S. Department of Health and Human Services’ Office for Civil Rights enforces HIPAA through complaint investigations, breach reviews, audits, and settlement agreements that often include corrective action plans. Penalties are tiered and reflect factors such as the nature of the violation and the entity’s diligence.
Compliance is ongoing. Strong programs document risk analysis, implement safeguards, train staff, manage vendors, test incident response, and continually improve. Prompt breach notification and remediation are essential parts of a trustworthy privacy and security posture.
Conclusion
HIPAA addresses both confidentiality and privacy: the Privacy Rule defines when PHI can be used or shared, and the Security Rule requires controls that keep ePHI safe. Covered Entities operationalize these duties through policies, safeguards, and respectful practices that honor your Patient Access Rights and support responsible Public Health Disclosures.
FAQs
What is the difference between HIPAA privacy and confidentiality?
Privacy is your right to control how your PHI is used and disclosed; confidentiality is the obligation of healthcare organizations and their partners to keep your information secret except as permitted by the HIPAA Privacy Rule or authorized by you.
How does HIPAA protect electronic health information?
The HIPAA Security Rule protects Electronic Protected Health Information through administrative, physical, and technical safeguards—risk management, workforce training, facility and device protections, access controls, audit logging, integrity checks, authentication, and secure transmission.
Which entities are covered under HIPAA?
Covered Entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. Business associates that create, receive, maintain, or transmit PHI on their behalf must also follow applicable HIPAA requirements through binding agreements.
How does HIPAA handle disclosures for public health purposes?
HIPAA permits Public Health Disclosures to authorized public health authorities to prevent or control disease, report events, and support public health activities allowed by law. These disclosures follow the minimum necessary principle and do not require your authorization.