Practical Guide to the HIPAA Privacy Rule for Covered Entities and Business Associates



Kevin Henry

HIPAA

January 31, 2025

7 minutes read

Covered Entities Overview

The HIPAA Privacy Rule applies to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. If you operate a group health plan or provide clinical services and bill electronically, you are likely a covered entity.

Common examples include hospitals, physician practices, dental offices, pharmacies, health insurers, HMOs, Medicare and Medicaid programs, and some employer-sponsored group health plans. Hybrid entities may designate health care components subject to HIPAA while excluding non‑health care operations.

  • Core obligations: maintain HIPAA compliance policies, designate a Privacy Official and a contact person, document procedures, and apply Workforce Training Standards with sanctions for violations.
  • PHI Use and Disclosure: permitted for treatment, payment, and health care operations (TPO), and for specified public interest purposes; otherwise, you need a valid authorization.
  • State Law Preemption: HIPAA generally preempts contrary state laws, except where a state law is more stringent or offers greater privacy protections; always check state-specific rules that may exceed the HIPAA floor.

Business Associates Responsibilities

Business associates (BAs) are vendors or subcontractors who create, receive, maintain, or transmit PHI on behalf of a covered entity. Examples include claims processors, EHR and cloud service providers, transcription and billing companies, consultants, TPAs, shredding vendors, and data analytics firms.

  • Direct responsibilities: implement safeguards for PHI, limit PHI use and disclosure to contractually permitted purposes, conduct the required risk analysis for ePHI, train workforce members, and keep documentation current.
  • Contractual duties: sign and comply with a Business Associate Agreement (BAA), flow down requirements to subcontractors, and follow Breach Notification Procedures by alerting the covered entity without unreasonable delay.
  • Operational practices: apply the Minimum Necessary standard to routine requests, maintain audit trails where feasible, and cooperate with investigations by making relevant records available to the Secretary of HHS.

Protected Health Information Definition

Protected Health Information (PHI) is individually identifiable health information related to a person’s past, present, or future health, care, or payment, held or transmitted in any form—paper, electronic (ePHI), or oral. Identifiers that can make health information PHI include the following:

  • Names; geographic details smaller than a state; all elements of dates (except year) related to an individual.
  • Telephone and fax numbers; email addresses; Social Security, medical record, and health plan numbers; account and certificate/license numbers.
  • Vehicle and device identifiers and serial numbers; URLs and IP addresses; biometric identifiers (e.g., fingerprints, voiceprints).
  • Full-face photos and comparable images; any other unique identifying number, characteristic, or code.
  • Not PHI: de-identified data (expert determination or removal of the 18 identifiers), education records covered by FERPA, employment records held by a covered entity in its role as employer, and decedent information after 50 years.
  • Limited Data Set: still PHI but with fewer identifiers; requires a Data Use Agreement for specific purposes like research, public health, or operations.
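The identifier-removal path to de-identification listed above can be applied mechanically to structured records. The example below is added here and is not code from the original article: it drops the listed identifier fields, keeps only the year of any date tied to the individual, and masks dates, email addresses and phone numbers inside free-text notes. Field names and the sample record are constructed for illustration; it implements the identifier-removal approach the page describes, not expert determination.

```python
import re

# Constructed field names grouped by the identifier categories listed above
# (names, sub-state geography, dates, contact/account numbers, device and
# network identifiers, biometrics, images). Geography keeps only the state.
DROP_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # keep year only
TEXT_FIELDS = {"notes"}                                    # scrub free text

ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")

def year_only(value):
    """Generalize an ISO date (YYYY-MM-DD) to its year; None if unparseable."""
    m = ISO_DATE.fullmatch(str(value))
    return int(m.group(1)) if m else None

def scrub_text(text):
    """Reduce dates to their year and mask emails and phone numbers in free text."""
    text = ISO_DATE.sub(lambda m: m.group(1), text)
    text = EMAIL.sub("[EMAIL]", text)
    return PHONE.sub("[PHONE]", text)

def deidentify(record):
    """Return a copy of `record` with listed identifiers removed and dates
    reduced to year (the identifier-removal method, not expert determination).
    Fields not in any set pass through unchanged, so review the schema first."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = year_only(value)
        elif field in TEXT_FIELDS:
            out[field] = scrub_text(str(value))
        else:
            out[field] = value
    return out

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "dob": "1975-04-12", "state": "OH", "zip": "44101",
    "email": "jane@example.com", "mrn": "MRN-000123", "diagnosis": "J45.20",
    "admission_date": "2024-11-03",
    "notes": "Seen 2024-11-03; follow-up call 216-555-0100, jane@example.com",
}
```

Running `deidentify(SAMPLE)` leaves only the state, diagnosis, year fields and the scrubbed note; any field not covered by the three sets passes through, which is the case to check before releasing a data set.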

Minimum Necessary Standard Implementation

The Minimum Necessary Standard requires you to limit PHI use, disclosure, and requests to the least amount needed to accomplish the purpose. It does not apply to disclosures to health care providers for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, disclosures to HHS for compliance, or those required by law.

  • Governance: adopt role‑based access controls, define workforce job-based needs, and embed the standard into HIPAA compliance policies and procedures.
  • Workflows: standardize routine disclosures, use checklists for nonroutine requests, and document approvals for exceptions.
  • Data strategies: prefer data segmentation, masking, and Limited Data Sets where feasible; maintain logs to verify adherence.
  • Reasonable reliance: you may reasonably rely on another covered entity’s or a public official’s representation that a request is the minimum necessary when appropriate.

Individual Rights Under HIPAA

Individuals have specific rights you must support through clear procedures and timely responses.

  • Right of Access: provide records within 30 days (one 30‑day extension allowed), in the requested format if readily producible; charge only reasonable, cost‑based fees.
  • Right to Direct a Copy: send PHI to a designated third party at the individual’s request when requirements are met.
  • Right to Amend: act within 60 days (one 30‑day extension allowed); append statements of disagreement if you deny the amendment.
  • Accounting of Disclosures: supply an accounting for the prior six years, excluding TPO and other exempt disclosures, within 60 days.
  • Restrictions: consider requests to restrict PHI use/disclosure; you must honor a requested restriction on disclosures to a health plan when the individual pays for the covered service in full out of pocket.
  • Confidential Communications: accommodate reasonable requests for alternative means or locations of communication.
  • Notice of Privacy Practices: provide and post an NPP explaining PHI Use and Disclosure and complaint mechanisms.

Business Associate Agreements Requirements

A BAA defines permissible PHI activities and required safeguards. It must be in place before a BA handles PHI.

  • Permitted uses and disclosures: specify what the BA may do with PHI and prohibit other uses/disclosures.
  • Safeguards: require administrative, physical, and technical controls and compliance with the Security Rule for ePHI.
  • Breach Notification Procedures: mandate reporting to the covered entity without unreasonable delay and describe the content of such notices.
  • Subcontractors: require written agreements imposing the same restrictions and conditions on any downstream BA.
  • Individual rights support: BA must help the covered entity provide access, amendments, and an accounting of disclosures.
  • HHS access and audits: permit inspection of relevant records for compliance reviews.
  • Return or destruction: require PHI return or destruction upon termination, if feasible; otherwise, extend protections.
  • Termination clause: allow termination if the BA materially breaches the agreement.

Safeguards for PHI Protection

Apply reasonable safeguards under the Privacy Rule and comprehensive administrative, physical, and technical safeguards for ePHI under the Security Rule. Start with a documented Risk Analysis, then implement risk management plans and ongoing monitoring.

  • Administrative: Privacy Official Designation; Workforce Training Standards and sanctions; role-based access; vendor due diligence; incident response and Breach Notification Procedures; contingency planning; documentation retention for at least six years.
  • Physical: facility access controls; workstation security; device and media controls (encryption, secure disposal, chain of custody).
  • Technical: unique user IDs, multi-factor authentication, automatic logoff, encryption at rest and in transit, audit logs and alerts, integrity controls, and secure APIs.
  • Operational hygiene: data minimization, regular patching and vulnerability management, secure telework, and periodic tabletop exercises.

In practice, align policies, training, vendor contracts, and technology so that Minimum Necessary, PHI Use and Disclosure rules, and breach readiness all operate together. This integrated approach helps covered entities and business associates maintain continuous HIPAA compliance while protecting patient trust.

FAQs

What entities are considered covered entities under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. Examples include hospitals, clinics, pharmacies, dentists, health insurers, HMOs, Medicare, Medicaid, and many employer-sponsored group health plans.

How does the Minimum Necessary Standard affect PHI use?

It requires you to limit PHI use, disclosure, and requests to the least amount needed to achieve the purpose. It does not apply to treatment, disclosures to the individual, uses or disclosures authorized by the individual, disclosures to HHS for compliance, or those required by law. Implement role-based access, standardized workflows, and documentation to operationalize the standard.

What are the key elements of a Business Associate Agreement?

A BAA must define permitted PHI uses/disclosures, require safeguards and Security Rule compliance, mandate Breach Notification Procedures, bind subcontractors to the same terms, support individual rights (access, amendment, accounting), allow HHS access for audits, require PHI return or destruction at termination if feasible, and include a termination clause for material breach.

How should breaches of PHI be reported?

Notify affected individuals without unreasonable delay and no later than 60 days after discovery, include required content, and use appropriate methods (mail or electronic). For incidents affecting 500 or more residents of a state or jurisdiction, also notify prominent media. Report to HHS within 60 days for large breaches and annually for smaller ones; business associates must notify the covered entity so it can fulfill these obligations.
