Under HIPAA, the Privacy Rule Provides These Core Protections and Obligations
The HIPAA Privacy Rule sets nationwide standards for how Covered Entities and their Business Associates handle Protected Health Information (PHI). It defines what PHI is, when you may use or disclose it, which patient rights you must honor, and what PHI Safeguards you must implement. It also embeds the Minimum Necessary Standard and clear Authorization Requirements, with oversight through Office for Civil Rights Enforcement.
Protected Health Information Definitions
What counts as PHI
PHI is individually identifiable health information created or received by a Covered Entity or Business Associate that relates to a person’s health, care, or payment for care. It includes any data that can reasonably identify the individual—names, addresses, contact details, dates, medical record numbers, device identifiers, full-face photos, and similar elements—in any form: paper, verbal, or electronic (ePHI).
De-identified data and limited data sets
Information is not PHI if it is de-identified. De-identification may be achieved by removing specified identifiers (“safe harbor”) or by expert determination that the risk of re-identification is very small. A limited data set, which excludes direct identifiers but may retain some elements like dates or city, can be used or disclosed for research, public health, or health care operations with a data use agreement.
Permissible Uses and Disclosures
Treatment, payment, and health care operations (TPO)
You may use or disclose PHI without patient authorization for TPO activities. Treatment covers coordination and management of care among providers; payment covers billing, eligibility, and collections; operations include quality assessment, credentialing, auditing, and business management.
Public interest and other permitted disclosures
The Privacy Rule allows disclosures without authorization for specified purposes, provided you meet the conditions for each. Common examples include:
- Disclosures required by law or to public health authorities for disease reporting and surveillance.
- Reports of abuse, neglect, or domestic violence, and disclosures for health oversight activities.
- Judicial and administrative proceedings, and certain law enforcement purposes.
- Coroners, medical examiners, and organ procurement organizations.
- Averting a serious threat to health or safety, specialized government functions, and workers’ compensation.
- Research with an IRB or privacy board waiver, a limited data set with a data use agreement, or as otherwise permitted.
Authorization Requirements
For uses and disclosures not otherwise permitted or required, you must obtain a valid written authorization from the individual. Authorization is generally required for marketing communications that are not treatment-related, the sale of PHI, and most uses of psychotherapy notes. Authorizations must be specific and time-limited, and individuals may revoke them in writing, except to the extent action has already been taken.
Respecting patient preferences
When appropriate, you may share PHI with family or friends involved in the patient’s care if the patient agrees or does not object. Incidental disclosures are allowable when you have applied reasonable safeguards. Always consider the Minimum Necessary Standard for non-treatment disclosures.
Patient Rights and Access
Right of access
Individuals have the right to access and obtain copies of their PHI in a designated record set, in the requested form and format if readily producible, including electronic copies of ePHI. You must provide access within the required timeframe and may charge only reasonable, cost-based fees for labor, supplies, and postage when applicable.
Other individual rights
- Right to request amendment of PHI believed to be inaccurate or incomplete, with written notice if you deny the request.
- Right to request restrictions on disclosures; you must accept a restriction when an individual pays out-of-pocket in full and asks you not to disclose to a health plan for that item or service.
- Right to request confidential communications by alternative means or at alternative locations.
- Right to an accounting of certain disclosures not related to treatment, payment, or operations.
- Right to receive a Notice of Privacy Practices and to file a complaint with your organization or with federal authorities.
Safeguards for PHI Protection
Administrative safeguards
Establish governance for PHI Safeguards: conduct regular risk analyses, implement policies and procedures, assign workforce roles, train staff, and apply sanctions when needed. Maintain contingency plans, manage incident response, and document decisions and actions.
Physical safeguards
Control facility and workstation access, secure devices and media, and implement procedures for the disposal and reuse of hardware containing PHI. Limit physical exposure of PHI in clinical and administrative areas.
Technical safeguards
Use unique user IDs, role-based access, and strong authentication. Implement audit controls, integrity checks, and transmission security; encrypt ePHI at rest and in transit where feasible. Monitor for anomalous activity and maintain logs appropriate to your risk profile.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Minimum Necessary Standard Compliance
Core principle and key exceptions
For uses, disclosures, and requests other than treatment, disclose only the minimum PHI needed to accomplish the purpose. The Minimum Necessary Standard does not apply to disclosures to the individual, those pursuant to a valid authorization, disclosures required by law, or to the Department of Health and Human Services for compliance review.
Operationalizing minimum necessary
- Adopt role-based access and define the PHI each role may use or disclose.
- Standardize routine disclosures and requests through approved protocols; require case-by-case review for non-routine ones.
- Limit data fields in reports, use de-identified data or limited data sets when possible, and document justifications.
- Periodically reassess access rights and data flows as operations, systems, or partners change.
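The de-identification options from the PHI definitions section (limited data set versus safe-harbor removal of specified identifiers) and the role-based minimum-necessary filtering above, worked as one added Python illustration. This is not code from the page or from Accountable; the sample record, the role-to-field map, and the identifier list are constructed assumptions, and the safe-harbor function is simplified (year-only dates, no geography below state; the rule's age-over-89 and small-ZIP-area conditions are not modelled).

```python
from copy import deepcopy

# Constructed sample record covering the PHI element types the page lists.
SAMPLE = {
    "name": "Jane Doe", "street_address": "12 Elm St", "city": "Springfield",
    "state": "IL", "phone": "555-0100", "email": "jane@example.org",
    "dob": "1980-04-12", "mrn": "MRN-0042", "device_id": "PUMP-7781",
    "service_date": "2024-02-03", "procedure_code": "99213",
    "diagnosis": "E11.9", "insurer_id": "PLAN-123",
}

# Direct identifiers a limited data set must exclude (assumed field names).
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email",
                      "mrn", "device_id", "insurer_id"}

# Assumed role design: the fields each non-treatment role needs for its purpose.
ROLE_FIELDS = {
    "billing": {"name", "dob", "mrn", "insurer_id", "service_date", "procedure_code"},
    "quality_review": {"service_date", "procedure_code", "diagnosis", "city"},
}

def minimum_necessary(record, role):
    """Return only the fields the role may use; treatment is exempt and gets the full record."""
    if role == "treatment":
        return deepcopy(record)
    return {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}

def limited_data_set(record):
    """Drop direct identifiers but keep dates and city (release needs a data use agreement)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def safe_harbor(record):
    """Stricter de-identification: also reduce dates to the year and drop sub-state geography."""
    out = limited_data_set(record)
    out.pop("city", None)
    for k, v in out.items():
        if k == "dob" or k.endswith("_date"):
            out[k] = v[:4]  # assumes ISO YYYY-MM-DD input
    return out

def leaked_identifiers(record):
    """Pre-release check: which direct identifiers are still present in the output?"""
    return DIRECT_IDENTIFIERS & set(record)
```

Run `leaked_identifiers` on any dataset leaving the organisation as a limited data set; a non-empty result means the release would carry direct identifiers and should be blocked.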
Business Associate Responsibilities
Who is a Business Associate
A Business Associate is any non-workforce person or entity that performs functions or services for a Covered Entity involving PHI—such as cloud hosting, EHR vendors, billing services, analytics, and claims processing. Business Associates’ subcontractors that handle PHI are also Business Associates.
Contractual and direct obligations
You must have a written business associate agreement (BAA) that limits permitted uses and disclosures, requires PHI Safeguards aligned with the Security Rule, mandates breach notification, and passes obligations to subcontractors. Business Associates are directly liable for compliance, including using or disclosing PHI beyond the BAA, failing to provide access or an accounting when delegated, or not implementing required safeguards.
Program expectations
Business Associates should conduct risk analyses, implement security and privacy controls, train their workforce, and maintain incident response and breach reporting procedures. Covered Entities should assess vendor risk before onboarding and monitor ongoing performance consistent with the Minimum Necessary Standard.
Enforcement and Penalties
Office for Civil Rights Enforcement
The HHS Office for Civil Rights investigates complaints, breaches, and targeted compliance reviews. Outcomes can include technical assistance, resolution agreements with corrective action plans, or civil monetary penalties. State attorneys general and, for criminal violations, the Department of Justice may also take action.
Penalty framework
Civil penalties scale by tier, considering the level of culpability (from lack of knowledge through willful neglect) and the organization’s mitigation efforts, size, and history. Annual penalty caps apply and are periodically adjusted for inflation. Criminal penalties can attach to knowing misuse of PHI, including obtaining or disclosing PHI under false pretenses or for personal gain.
Mitigation and continuous improvement
Prompt detection, containment, and remediation reduce risk and potential penalties. Maintain ongoing risk management, workforce training, vendor oversight, and documentation to demonstrate diligent compliance with the Privacy Rule, Authorization Requirements, and the Minimum Necessary Standard.
Key takeaways
- Know what constitutes PHI and when you may use or disclose it without authorization.
- Honor patient rights promptly and in the requested form and format when feasible.
- Implement layered administrative, physical, and technical PHI Safeguards and enforce role-based access.
- Limit PHI to the minimum necessary for the task and manage vendors through robust BAAs.
- Document decisions and actions—good records support compliance during investigations.
FAQs
What types of information are protected under HIPAA Privacy Rule?
The Privacy Rule protects individually identifiable health information—PHI—held or transmitted by Covered Entities and Business Associates in any form. It includes data that can identify a person and relates to health status, care provided, or payment, such as names, contact details, dates, record numbers, images, and device IDs. De-identified information is not PHI, and a limited data set may be used for certain purposes with a data use agreement.
When is patient authorization required for disclosures?
You need a valid, written authorization for uses or disclosures not otherwise permitted or required by the Rule. Common cases include marketing communications not tied to treatment, the sale of PHI, and most uses of psychotherapy notes. Research typically requires authorization unless an IRB or privacy board grants a waiver, and individuals may revoke authorizations in writing.
What safeguards must covered entities implement?
Covered Entities must implement administrative, physical, and technical PHI Safeguards. That includes risk analysis, policies and training, facility and device controls, unique user access, audit logging, integrity and transmission protections, and incident response. Role-based access and data minimization operationalize the Minimum Necessary Standard across systems and workflows.