Two Essential HIPAA Privacy Rule Terms: PHI and Covered Entities Explained

Kevin Henry

HIPAA

February 06, 2025

6 minutes read
The HIPAA Privacy Rule revolves around two pillars: Protected Health Information (PHI) and covered entities. Understanding these terms helps you apply the Rule correctly, honor individual rights, and implement practical safeguards without slowing care or operations.

Protected Health Information Definition

PHI is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits in any form: paper, spoken, or electronic (ePHI). It relates to a person's past, present, or future health condition, the provision of health care, or payment for that care.

  • Includes common identifiers (for example, name, full address, dates, phone numbers, medical record and account numbers, photos, biometrics, and device identifiers) when linked to health data.
  • Exists across systems and workflows—EHRs, claims files, call recordings, images, and even voicemails or faxes.

Not PHI: data de-identified under the safe harbor or expert determination method, education records covered by FERPA, employment records a covered entity holds in its capacity as an employer, and health information about a person who has been deceased for more than 50 years. When the Privacy Rule does not otherwise permit a disclosure, a valid Data Use Authorization from the individual is required.

Covered Entities Classification

Covered entities are the organizations directly regulated by the Privacy Rule. They fall into three groups, defined largely by whether they conduct standard electronic health care transactions (such as claims, eligibility inquiries, and referrals) in the formats HIPAA adopts.

  • Health care providers who transmit standard electronic transactions (for example, hospitals, physicians, dental and behavioral health practices, pharmacies, labs).
  • Health plans (for example, group health plans, insurers, HMOs, Medicare, Medicaid, employer-sponsored plans).
  • Health care clearinghouses that convert nonstandard data into standard transactions (or the reverse) on behalf of other entities.

Related structures you may encounter include hybrid entities (only certain designated health care components are covered) and organized health care arrangements that coordinate privacy practices among participating providers.

Business Associates Role

Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity—think EHR and billing vendors, cloud service providers, claims administrators, e-prescribing gateways, consultants, and certain law or accounting firms. Subcontractors that handle PHI are business associates, too.

A Business Associate Agreement (BAA) must spell out permitted uses and disclosures, safeguards, breach reporting, subcontractor flow-down terms, support for access and accounting requests, and return or destruction of PHI at the end of the relationship. Business associates are directly subject to HIPAA enforcement and can face penalties for noncompliance.

Privacy Rule Safeguards

The Privacy Rule requires policies and procedures that govern who may access PHI, when, and for what purpose; verification of the identity and authority of anyone requesting PHI; workforce training; sanctions for violations; mitigation of harmful effects of improper disclosures; and documentation of all of the above. Individuals must receive a clear Privacy Practices Notice describing uses, rights, and how to exercise them.

While the Privacy Rule governs permissible uses and individual rights, the HIPAA Security Rule protects ePHI through administrative, physical, and technical safeguards. Aligning privacy policies with the administrative safeguards (role-based access, risk analysis, and workforce training) strengthens both the privacy and the security program.

Enforcement is led by HHS’s Office for Civil Rights, which conducts investigations and compliance reviews, imposes corrective action plans, and may assess civil monetary penalties. Serious cases can be referred for criminal prosecution.

Individual Privacy Rights

Individuals have strong, actionable rights regarding their PHI. You must have processes to receive, verify, and fulfill requests within required timeframes.

  • Right of access: obtain copies in the form and format requested if it is readily producible, including electronic copies of ePHI, typically within 30 days (one 30‑day extension allowed).
  • Right to request amendments: ask to correct or add to records; respond within 60 days (one 30‑day extension allowed) and explain any denial in writing.
  • Right to an accounting of disclosures: receive a record of certain disclosures made without the individual's authorization during the look-back period the Rule sets.
  • Right to request restrictions: for example, restrict disclosure to a health plan when an individual pays in full out of pocket.
  • Right to confidential communications: receive communications by alternative means or at alternative locations.
  • Right to receive a Privacy Practices Notice and to file a complaint without retaliation.

Reasonable, cost-based fees may be charged for copies (labor, supplies, and postage), but not for searching or retrieval.

Permitted PHI Uses and Disclosures

HIPAA permits PHI uses and disclosures without an individual’s authorization for specific purposes, subject to the Minimum Necessary standard and any state law that is more protective.

  • Treatment, payment, and health care operations (TPO).
  • Disclosures to the individual, and when required by law.
  • Public health activities (for example, reporting certain diseases, adverse events), health oversight, and certain law enforcement purposes.
  • Judicial and administrative proceedings, and to avert a serious threat to health or safety.
  • Organ and tissue donation, medical examiners and funeral directors, and certain specialized government functions.
  • Research with an IRB/Privacy Board waiver, a limited data set under a data use agreement, or with a valid Data Use Authorization.
  • Workers’ compensation as authorized by applicable law.

Minimum Necessary Standard

For most uses and disclosures, you must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose. Implement role-based access, standardized request workflows, and guidelines for typical disclosures to keep sharing proportionate.

  • Exceptions: disclosures for treatment, to the individual, pursuant to an authorization, or as required by law are not subject to the minimum necessary standard.
  • Requests for an entire medical record require specific, documented justification.
  • Prefer de-identified data or a limited data set when full identifiers are not needed.
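The PHI section above distinguishes de-identified data (safe harbor or expert determination) from PHI, and this section says to prefer de-identified data or a limited data set when full identifiers are not needed. The following is an added example, written for this article and not code from Accountable, that applies the two field-level reductions to one constructed patient record: the safe harbor method (45 CFR 164.514(b)(2), which removes the 18 identifier categories, coarsens ZIP codes to three digits, keeps only the year of dates, and aggregates ages over 89) and a limited data set (45 CFR 164.514(e), which removes direct identifiers but may keep dates, city, state and ZIP under a data use agreement). It also scans free-text fields of the output for identifier patterns that a field-level strip cannot catch. The record layout, field names and the set of low-population ZIP prefixes are assumptions made up for the example; the real prefix list must come from current Census data.

```python
"""Safe-harbor de-identification and limited-data-set filtering of a patient record.

Added example (not from the original article). Field names, the sample record and
the LOW_POPULATION_ZIP3 placeholder set are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers that both safe harbor and a limited data set must remove.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Date-valued fields that safe harbor reduces to a year and a limited data set may keep.
DATE_FIELDS = {"admit_date", "discharge_date", "date_of_death"}

# Safe harbor: the first three ZIP digits may stay only where that 3-digit area has
# more than 20,000 residents. PLACEHOLDER set; load the Census-derived list in practice.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823", "878", "879", "884", "893"}

# Patterns for identifiers that tend to survive inside free text (notes, comments).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def coarsen_zip(zip_code: str) -> str:
    """Return the 3-digit ZIP prefix, or '000' for restricted low-population areas."""
    digits = re.sub(r"\D", "", zip_code)[:5]
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def coarsen_date(value: str) -> str:
    """Keep only the year of an ISO date (YYYY-MM-DD); anything else is redacted."""
    return value[:4] if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value) else "REDACTED"


def safe_harbor_age(dob: str, as_of: date) -> str:
    """Age in years as of a date; ages over 89 collapse into the single category '90+'."""
    y, m, d = map(int, dob.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    return "90+" if age >= 90 else str(age)


def de_identify_safe_harbor(record: dict, as_of: date) -> dict:
    """Produce a safe-harbor de-identified copy of a record (other fields pass through)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue  # direct identifiers and sub-state geography are dropped outright
        if field == "zip":
            out["zip3"] = coarsen_zip(value)
        elif field == "dob":
            age = safe_harbor_age(value, as_of)
            out["age"] = age
            if age != "90+":  # birth year is itself an identifier for the 90+ group
                out["birth_year"] = value[:4]
        elif field in DATE_FIELDS:
            out[field + "_year"] = coarsen_date(value)
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers only; dates, city, state and ZIP may remain under a DUA."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(record: dict) -> list:
    """List (field, pattern) pairs where an identifier pattern survives in a string value."""
    found = []
    for field, value in record.items():
        if isinstance(value, str):
            for name, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    found.append((field, name))
    return found


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "street_address": "12 Example Street",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": "1931-03-15",
    "admit_date": "2024-11-02",
    "discharge_date": "2024-11-05",
    "diagnosis_code": "I10",
    "notes": "Follow-up scheduled 2024-12-01; call 555-123-4567 if symptoms return.",
}

if __name__ == "__main__":
    as_of = date(2025, 2, 6)
    sh = de_identify_safe_harbor(SAMPLE_RECORD, as_of)
    print("safe harbor:", sh)
    print("residual identifiers in free text:", residual_identifiers(sh))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

The free-text scan is the part most teams skip: the field-level strip leaves the `notes` value untouched, so the output still carries a full date and a phone number and is not de-identified until that text is reviewed. Treat a non-empty `residual_identifiers` result as a block on release, not a warning.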

Summary

PHI is the linchpin of the Privacy Rule, and covered entities—alongside their business associates—must safeguard it, honor individual rights, and share it only when permitted. By aligning policies, training, and security controls with the Minimum Necessary standard, you can enable compliant care coordination and operations while protecting privacy.

FAQs

What is Protected Health Information under HIPAA?

Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate that relates to a person's health, the care provided, or payment for that care. It includes identifiers such as names, addresses, dates, medical record numbers, and images when linked to health data, in any medium: paper, spoken, or electronic.

Who qualifies as a Covered Entity?

Covered entities include health care providers that conduct standard electronic health care transactions (such as claims), health plans (insurers, HMOs, government programs, and group health plans), and health care clearinghouses that translate or standardize health data between parties.

What are the rights of individuals regarding their PHI?

Individuals can access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, and obtain a Privacy Practices Notice. They can also file a complaint without retaliation if they believe their privacy rights were violated.

How is PHI permitted to be used without authorization?

PHI may be used or disclosed without authorization for treatment, payment, and health care operations; when required by law; for public health, health oversight, and certain law enforcement activities; for court or administrative orders; to avert serious threats; for organ donation and decedent-related purposes; for certain government functions; and for research with an IRB/Privacy Board waiver or limited data set agreement. Otherwise, a compliant Data Use Authorization is needed.
