Understanding the HIPAA Privacy Rule: Definitions, Permitted Uses, and Examples


Kevin Henry

HIPAA

February 20, 2025

9 minutes read

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule sets national standards for how covered entities and their business associates may use and disclose protected health information (PHI). It balances two goals: protecting individually identifiable health information and ensuring that essential information flows to support care, payment, and operations.

The rule applies to health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Their vendors and consultants—business associates—must also safeguard PHI under written agreements. Department of Health and Human Services enforcement is primarily carried out by the Office for Civil Rights (OCR).

Who must comply

  • Covered entities: health plans, health care clearinghouses, and qualifying providers.
  • Business associates: organizations that create, receive, maintain, or transmit PHI on a covered entity’s behalf.
  • Hybrid entities: organizations with both covered and non-covered functions that designate their health care components.

Core principles

  • Limit use and disclosure to what the rule permits or what an authorization allows.
  • Apply the minimum necessary standard except in defined situations.
  • Honor individual rights, including access, amendment, and an accounting of disclosures.
  • Implement administrative, technical, and physical safeguards to reduce risk.

Protected Health Information Definitions

PHI is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care, and that identifies the person or could reasonably be used to identify the person. PHI can exist in any form—paper, electronic, or oral.

PHI does not include de-identified information, education records covered by FERPA, employment records held by a covered entity in its role as employer, or health information about a person who has been deceased for more than 50 years. Once information is de-identified under the rule's standards, it is no longer subject to the Privacy Rule.

Common examples of PHI

  • Names, addresses, and full-face photographs linked to diagnoses or treatments.
  • Medical record numbers, account numbers, or health plan beneficiary numbers.
  • Device identifiers, IP addresses, and biometric identifiers tied to health data.
  • Any combination of data points that could identify a person in context.

De-identification and limited data sets

  • Safe Harbor: removal of 18 specified identifiers of the individual and of the individual's relatives, employers, and household members (names; geography smaller than a state, except the first three ZIP digits; dates other than year; ages over 89; contact details; record and account numbers; device and network identifiers; biometrics; full-face photographs; and any other unique code), plus no actual knowledge that the remaining information could identify the individual.
  • Expert Determination: a qualified statistician or other expert documents that the risk of re-identification, alone or in combination with other reasonably available information, is very small.
  • Limited Data Set: direct identifiers removed (names, street addresses, contact details, record and account numbers, device and network identifiers, biometrics, photographs), while dates and city, state, and ZIP code may remain. It is still PHI and may be used only for research, public health, or health care operations under a data use agreement.
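The Safe Harbor and Limited Data Set paths above can be written down as field-level transforms. The following Python is an added example written for this article, not code from the original page or from Accountable. The field names, the constructed sample record, and the reference date are assumptions; the list of sparse three-digit ZIP prefixes is the one in the HHS Safe Harbor guidance (2000 Census figures) and should be checked against current guidance before use. Unclassified fields are dropped rather than passed through, because the 18th Safe Harbor category ("any other unique identifying number, characteristic, or code") makes an allowlist the only safe default.

```python
"""Safe Harbor de-identification and limited data set construction.

Added example, not from the original article. Applies the Safe Harbor
identifier categories of 45 CFR 164.514(b)(2) and the limited data set
rules of 164.514(e) as field-level transforms. Field names, the sample
record and the reference date are assumptions.
"""
from datetime import date

# Direct identifiers removed under both Safe Harbor and the limited data set.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
})
# Geography below state level: a limited data set may keep it, Safe Harbor
# drops it except for a truncated ZIP code.
GEO_FIELDS = frozenset({"city", "county", "zip"})
# Dates tied to the individual: a limited data set may keep them in full,
# Safe Harbor keeps only the year (and no birth year once age exceeds 89).
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})
# Free text can carry any identifier; both outputs drop it unless a separate
# scrubbing step has run (not shown here).
FREE_TEXT_FIELDS = frozenset({"note"})
# Fields reviewed and judged safe to pass through unchanged. Anything not
# classified in one of these sets is dropped (Safe Harbor category 18).
PASS_THROUGH = frozenset({"state", "sex", "diagnosis_code", "procedure_code"})
# Three-digit ZIP prefixes covering 20,000 or fewer people per the HHS Safe
# Harbor guidance (2000 Census figures); they must be reported as "000".
# Verify against current guidance before relying on this list.
SPARSE_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
})
# Reference date for the age calculation (assumption for the example).
AS_OF = date(2024, 2, 10)


def truncate_zip(zip_code: str, sparse=SPARSE_ZIP3) -> str:
    """Safe Harbor ZIP rule: first three digits, or 000 for sparse areas."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in sparse else prefix


def age_on(dob: str, as_of: date) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    born = date.fromisoformat(dob)
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - before_birthday


def unclassified(record: dict) -> set:
    """Fields not covered by any classification; review before release."""
    known = (DIRECT_IDENTIFIERS | GEO_FIELDS | DATE_FIELDS
             | FREE_TEXT_FIELDS | PASS_THROUGH)
    return set(record) - known


def safe_harbor(record: dict, as_of: date = AS_OF, sparse=SPARSE_ZIP3) -> dict:
    """Return a Safe Harbor de-identified copy of record."""
    out = {}
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field == "zip":
            out["zip3"] = truncate_zip(value, sparse)
        elif field == "dob":
            if age_on(value, as_of) > 89:
                out["age"] = "90+"            # birth year would reveal the age
            else:
                out["birth_year"] = value[:4]
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value[:4]
        # DIRECT_IDENTIFIERS, other GEO_FIELDS, FREE_TEXT_FIELDS and any
        # unclassified field fall through and are dropped.
    return out


def limited_data_set(record: dict) -> dict:
    """Drop direct identifiers but keep full dates and city/state/ZIP.

    Conservative allowlist: only reviewed fields, geography and dates pass.
    The result is still PHI and requires a data use agreement.
    """
    keep = PASS_THROUGH | GEO_FIELDS | DATE_FIELDS
    return {f: v for f, v in record.items() if f in keep}


# Constructed sample record for a fictional patient (not real data).
SAMPLE = {
    "name": "Jane Q. Sample", "street": "123 Example St",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "dob": "1931-04-15", "admit_date": "2024-02-03",
    "mrn": "MRN-0001234", "phone": "555-0100", "email": "jane@example.com",
    "ip": "192.0.2.10", "device_serial": "DEV-9A7F",
    "sex": "F", "diagnosis_code": "E11.9",
    "note": "Patient reports fatigue; follow up in 3 months.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print(limited_data_set(SAMPLE))
```

The sample patient is over 89 on the reference date, so the Safe Harbor output carries an age category of "90+" and no birth year at all, while the limited data set keeps the full date of birth. Run `unclassified()` over a real schema before the first release: any field it reports is one nobody has yet decided is safe.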

Permitted Uses and Disclosures

Without obtaining written authorization, you may use or disclose PHI for treatment, payment, and health care operations (often called “TPO”). You may also disclose in other circumstances when the rule specifically permits or requires it, provided you meet applicable conditions.

Treatment, payment, and operations (TPO)

  • Treatment: sharing medication lists with a specialist or coordinating post-acute care.
  • Payment: submitting claims or obtaining prior authorization from a health plan.
  • Operations: quality improvement, case management, auditing, and training programs.

Opportunity to agree or object

  • Facility directories (name, location, general condition) unless the patient objects.
  • Informing a family member or friend involved in care, when appropriate and the patient agrees or does not object.
  • Disaster relief efforts to assist in locating individuals.

Public interest and other permitted disclosures

  • Required by law (for example, certain reporting obligations).
  • Public health activities such as reporting communicable diseases to a public health authority.
  • Victims of abuse, neglect, or domestic violence, consistent with legal requirements.
  • Health oversight activities, including audits and inspections.
  • Judicial and administrative proceedings and certain law enforcement purposes.
  • Decedents: to coroners, medical examiners, and funeral directors as needed.
  • Organ and tissue donation facilitation.
  • Research under documented waiver of authorization or through a limited data set.
  • To avert a serious and imminent threat to health or safety.
  • Specialized government functions (for example, military and national security) and workers’ compensation programs.

Required disclosures

  • To the individual or personal representative, upon request.
  • To the Department of Health and Human Services for compliance investigations or reviews.

Special cases that often require authorization

  • Psychotherapy notes (with narrow exceptions).
  • Marketing communications and any sale of PHI, with limited exceptions.

Minimum Necessary Standard Requirements

You must make reasonable efforts to limit the PHI you use, disclose, or request to the minimum necessary to accomplish the intended purpose. This is a practical, role-based rule: the right people access the right amount of data for the right task—no more, no less.

Key exceptions

  • Disclosures to or requests by a health care provider for treatment.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to a valid authorization.
  • Disclosures to HHS for investigations, compliance, or enforcement.
  • Uses or disclosures required by law or needed to comply with standardized HIPAA transactions.

Operationalizing the standard

  • Role-based access controls and “need-to-know” policies.
  • Standardized request forms that pre-limit data fields.
  • Data segmentation and masking in reports and dashboards.
  • Minimum necessary check for routine disclosures; documented review for non-routine ones.

Practical examples

  • A billing team receives codes and dates of service, not full clinical notes.
  • A researcher uses a limited data set under a data use agreement.
  • Two providers sharing details for direct treatment are not constrained by this standard.
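The operational controls and examples above amount to one decision sequence for every disclosure request: first check whether the purpose is exempt from the standard, then whether a routine policy already fixes the field set, and otherwise route the request to a documented individual review. The following Python is an added example written for this article, not code from the original page or from Accountable; the roles, purposes, field names and sample record are assumptions.

```python
"""Minimum necessary gate by role and purpose.

Added example, not from the original article. Orders the three decisions a
disclosure gate has to make: is the purpose exempt from the standard, is
the request a routine one with a pre-approved field set, or does it need
an individual review. Roles, purposes and field names are assumptions.
"""
from dataclasses import dataclass

# Purposes the standard does not apply to (45 CFR 164.502(b)(2)). The
# "treatment" entry covers disclosures to, and requests by, a provider.
EXEMPT_PURPOSES = frozenset({
    "treatment", "to_individual", "authorization", "hhs_compliance",
    "required_by_law", "standard_transaction",
})

# Routine, recurring disclosures: each (role, purpose) pair lists the fields
# it may receive. Fields not listed are withheld. Contents are assumptions.
ROUTINE_POLICY = {
    ("billing", "payment"): frozenset({
        "mrn", "plan_id", "dates_of_service", "procedure_codes",
        "diagnosis_codes"}),
    ("quality_team", "operations"): frozenset({
        "dates_of_service", "procedure_codes", "diagnosis_codes", "outcome"}),
}


class ReviewRequired(Exception):
    """Non-routine request: route to a documented individual review."""


@dataclass(frozen=True)
class Disclosure:
    basis: str            # why the fields were released, for the audit log
    fields: dict
    withheld: frozenset   # what the requester did not get


def needs_review(role: str, purpose: str) -> bool:
    """True when neither an exemption nor a routine policy covers the request."""
    return (purpose not in EXEMPT_PURPOSES
            and (role, purpose) not in ROUTINE_POLICY)


def disclose(record: dict, role: str, purpose: str) -> Disclosure:
    """Apply the minimum necessary standard to one disclosure request."""
    if purpose in EXEMPT_PURPOSES:
        # Exemptions release the requested record in full; they do not
        # remove the separate obligation to verify the requester's identity.
        return Disclosure(f"exempt:{purpose}", dict(record), frozenset())
    if needs_review(role, purpose):
        raise ReviewRequired(f"role={role!r} purpose={purpose!r}")
    allowed = ROUTINE_POLICY[(role, purpose)]
    fields = {f: v for f, v in record.items() if f in allowed}
    return Disclosure(f"routine:{role}/{purpose}", fields,
                      frozenset(record) - allowed)


# Constructed sample record for a fictional patient (not real data).
SAMPLE = {
    "mrn": "MRN-0001234", "name": "Jane Q. Sample", "plan_id": "PLAN-77",
    "dates_of_service": ["2024-02-03"], "procedure_codes": ["99213"],
    "diagnosis_codes": ["E11.9"], "outcome": "stable",
    "clinical_notes": "Patient reports fatigue; follow up in 3 months.",
}

if __name__ == "__main__":
    print(disclose(SAMPLE, "billing", "payment"))
    try:
        disclose(SAMPLE, "marketing", "operations")
    except ReviewRequired as exc:
        print("review required:", exc)
```

The billing request comes back with codes, dates and plan identifiers and a `withheld` set naming the clinical notes, which is what the audit log should record; a request with no matching policy never yields data, it raises so that a human review is the only path forward.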

Incidental Uses and Disclosures

Incidental uses and disclosures are unintended by-products of an otherwise permitted use or disclosure. They are allowed only when you apply reasonable safeguards and adhere to the minimum necessary standard for the underlying activity.

Incidental disclosure safeguards

  • Speak quietly in semi-public areas and avoid discussing sensitive details unnecessarily.
  • Use privacy screens, auto-locking devices, and secure printers or workstations.
  • Verify fax numbers and email addresses; use secure messaging where feasible.
  • Limit visible information on sign-in sheets and patient calling procedures.

Allowed versus not allowed

  • Allowed example: a name overheard at a nurse’s station despite speaking softly.
  • Allowed example: announcing a patient’s first name in a waiting room with limited detail.
  • Not allowed: sending PHI to the wrong recipient or losing an unencrypted device—those are potential breaches, not incidental disclosures.

Individual Rights Under HIPAA

The Privacy Rule empowers individuals with clear, actionable rights. You must provide processes to exercise these rights and respond within defined timeframes.

Access and copies

  • The right to inspect and obtain a copy of PHI in the designated record set, including electronic copies when readily producible.
  • Act on a request within 30 days (one 30-day extension is permitted with written notice); only a reasonable, cost-based fee covering labor, supplies, and postage may be charged for copies.

Amendment

  • The right to request an amendment to PHI. If you deny a request, you must explain why and allow a statement of disagreement to be added.

Restrictions and confidential communications

  • The right to request restrictions on certain uses or disclosures; you may agree or decline, except you must honor a request to restrict disclosures to a health plan for an item or service paid in full out of pocket.
  • The right to receive communications by alternative means or at alternative locations (for example, a different mailing address).

Accounting of disclosures

  • The right to an accounting of disclosures made in the six years before the request, excluding disclosures for treatment, payment, and health care operations, to the individual, under an authorization, for a facility directory or to persons involved in care, and incidental disclosures.

Notice and complaints

  • The right to receive a Notice of Privacy Practices and to file a complaint with the covered entity or with HHS OCR without fear of retaliation.

Enforcement and Penalties

Department of Health and Human Services enforcement is led by OCR, which investigates complaints, conducts compliance reviews, and may assess civil money penalties. OCR often resolves cases through corrective action plans and monitoring when appropriate.

Civil and criminal penalties vary by the nature and extent of the violation and the level of culpability. Civil penalties fall into four tiers (lack of knowledge; reasonable cause; willful neglect corrected within 30 days; willful neglect not corrected), each with a per-violation amount and an annual cap per provision that are adjusted for inflation. Criminal penalties, enforced by the Department of Justice, apply to knowingly obtaining or disclosing PHI and escalate from fines and up to one year of imprisonment, to up to five years for offenses committed under false pretenses, to up to ten years for offenses committed with intent to sell PHI or use it for commercial advantage, personal gain, or malicious harm.

Reducing risk of enforcement

  • Maintain the administrative, technical, and physical safeguards the rule expects, and train the workforce on them.
  • Put written business associate agreements in place before a vendor creates, receives, maintains, or transmits PHI.
  • Apply the minimum necessary standard and the incidental disclosure safeguards described above as routine practice, and document the review of non-routine disclosures.
  • Respond to access, amendment, and accounting requests within the required timeframes, and keep the Notice of Privacy Practices current.
  • Treat misdirected PHI and lost unencrypted devices as potential breaches: assess, document, and notify where required.

Summary and key takeaways

  • PHI includes any individually identifiable health information in any form.
  • Use and disclose PHI primarily for TPO or where specifically permitted or required.
  • Apply minimum necessary, and implement incidental disclosure safeguards.
  • Respect individual rights and prepare for OCR enforcement.

FAQs

What does the HIPAA Privacy Rule protect?

It protects PHI—individually identifiable health information—held or transmitted by covered entities and their business associates in any form. PHI includes data that can identify a person when linked to health care, conditions, or payment, and it excludes de-identified data, certain education records, and employment records held by an employer.

How does the minimum necessary standard work?

You must limit PHI to the least amount needed to accomplish the task. Build role-based access, streamline forms and reports, and review non-routine disclosures. The standard does not apply to disclosures for treatment, to the individual, to HHS, to uses under a valid authorization, or when disclosure is required by law.

What are permissible disclosures without authorization?

Key categories include treatment, payment, and health care operations; facility directories and involvement in care with an opportunity to agree or object; and specific public interest or legal purposes such as required-by-law reporting, public health activities, health oversight, certain law enforcement needs, judicial proceedings, decedent-related purposes, organ donation, research under defined conditions, and threats to health or safety.

How are HIPAA violations penalized?

OCR can impose tiered civil money penalties per violation with annual caps, often accompanied by corrective action plans. The Department of Justice may pursue criminal penalties for knowing misuse of PHI, with higher penalties for offenses involving false pretenses or intent for personal gain or harm.
