What Are HIPAA Privacy Rules? A Practical Guide for Covered Entities
Overview of HIPAA Privacy Rule
HIPAA privacy rules set national standards for how health information is used and shared. If you are a covered entity or a business associate, the Privacy Rule guides when you may use or disclose protected health information (PHI) and how you safeguard it while enabling care, payment, and operations.
PHI is individually identifiable health information in any form (electronic, paper, or oral) relating to a person's past, present, or future health, care, or payment for care. De-identified data is not PHI. There are two ways to get there: remove the 18 identifiers enumerated by the Safe Harbor method (names, geographic units smaller than a state, date elements other than year, ages over 89, contact details, record and account numbers, biometrics, full-face photos, and any other unique identifying number or code), or obtain an expert determination that the risk of re-identifying an individual from the data is very small.
Responsibilities of Covered Entities
Covered entities include healthcare providers conducting standard transactions, health plans, and healthcare clearinghouses. You are responsible for complying with the Privacy Rule and for ensuring your business associates protect PHI under written business associate agreements.
- Publish and distribute a clear notice of privacy practices that explains how you use PHI, patients’ rights, and how to file complaints.
- Designate a privacy official, implement policies and procedures, apply the minimum necessary standard, and enforce role-based access to PHI.
- Train your workforce, document attendance, and apply sanctions for violations consistently.
- Execute, monitor, and periodically review business associate agreements to ensure vendors limit uses, protect PHI, and report incidents.
- Perform ongoing risk analysis and risk management to identify privacy risks in workflows, EHRs, and data-sharing arrangements.
- Maintain processes to receive, track, and fulfill patient requests (access, amendments, restrictions, confidential communications).
- Establish incident response and meet breach notification requirements: notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS within that same window for breaches affecting 500 or more individuals, or within 60 days after the end of the calendar year for smaller breaches; and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
- Retain required documentation for at least six years from its creation or last effective date, whichever is later, including policies, NPP versions, training logs, and complaints with outcomes.
Patient Rights under HIPAA
Patients have strong, actionable rights that you must enable and honor within set timeframes.
- Access: Patients may inspect or receive copies of PHI in the requested readily producible format, including electronic copies of EHR data, for a reasonable, cost-based fee.
- Amendment: Patients may request corrections to inaccurate or incomplete PHI; if you deny a request, you must provide a written rationale and allow a statement of disagreement.
- Restrictions: Patients may request restrictions on certain disclosures; if they pay out-of-pocket in full, you generally must honor a restriction on disclosures to health plans for that service.
- Confidential communications: Patients can request alternative addresses or contact methods to protect privacy.
- Accounting of disclosures: Upon request, provide an accounting for certain disclosures made in the past six years (excluding treatment, payment, and operations).
- Authorizations and revocation: Uses such as most marketing, sale of PHI, or psychotherapy notes require patient authorization; individuals may revoke authorizations in writing.
Use and Disclosure of Protected Health Information
The Privacy Rule defines when you may use or disclose PHI without patient authorization and when you must obtain it.
- Permitted without authorization: Treatment, payment, and healthcare operations; limited public interest activities (public health reporting, health oversight, certain law enforcement requests, judicial and administrative proceedings, organ donation, averting a serious threat to health or safety, and workers' compensation, each as allowed by law).
- Required disclosures: To the individual upon request and to the Department of Health and Human Services for compliance reviews.
- Requires patient authorization: Most marketing communications, sale of PHI, research uses not otherwise permitted, and most uses of psychotherapy notes. Obtain a valid patient authorization before proceeding.
- Minimum necessary: For most non-treatment uses and disclosures, limit PHI to the minimum necessary to accomplish the purpose.
- De-identification and limited data sets: Use de-identified data whenever possible; for limited data sets, execute a data use agreement that restricts use and disclosure.
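The Safe Harbor de-identification mentioned in the PHI overview and in the "De-identification and limited data sets" item above is a mechanical transformation, so it is worth seeing as code. The following is an added example written for this page, not code from Accountable or from HHS. It assumes a flat record with the field names shown, and its list of three-digit ZIP prefixes covering 20,000 or fewer people is the one published in HHS's de-identification guidance (based on the 2000 Census); confirm it against current guidance before relying on it. Everything not explicitly generalized or allowlisted is dropped, which is the safe default when a new field appears.

```python
"""Safe Harbor de-identification of a structured patient record (added example).

Assumptions (not from the page): the record is a flat dict with the field
names used below; RESTRICTED_ZIP3 is the HHS guidance list of three-digit ZIP
prefixes whose population was 20,000 or fewer (2000 Census) and should be
verified against current guidance.
"""
import re
from datetime import date

# Identifiers Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Fields Safe Harbor permits to pass through unchanged (state-level geography is allowed).
SAFE_FIELDS = {"state", "sex", "diagnosis_codes", "lab_result"}
# ZIP3 areas with 20,000 or fewer residents per HHS guidance (2000 Census); assumed current.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for sparsely populated ZIP3 areas."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(birth_date, as_of):
    """Age in whole years; ages over 89 collapse into the single category '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of record. Unknown fields are dropped."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":  # a birth year indicating age over 89 must also go
                out["birth_year"] = str(value.year)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = str(value.year)
        elif field in SAFE_FIELDS:
            out[field] = value
        # anything else (free-text notes, unrecognized columns) is dropped: default deny
    return out


# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "street_address": "1 Main St",
    "city": "Concord",
    "state": "NH",
    "zip": "03601",
    "birth_date": date(1930, 6, 15),
    "admission_date": date(2023, 11, 2),
    "sex": "F",
    "diagnosis_codes": ["E11.9"],
    "clinical_notes": "Patient's neighbor, Bob, drove her in.",
}
AS_OF = date(2024, 1, 1)


def deidentify_sample():
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

Note what the allowlist buys you: the free-text `clinical_notes` field, which names a third party, never reaches the output, because Safe Harbor has no safe way to keep prose without review. If you need richer data for research, the page's alternative is a limited data set under a data use agreement, or an expert determination.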
Safeguards and Compliance Requirements
Implement layered safeguards and governance to operationalize HIPAA privacy rules and reduce risk.
- Administrative safeguards: Policies and procedures, workforce training, role-based access, sanction policies, contingency planning, vendor oversight via business associate agreements, and continuous risk analysis with remediation.
- Technical safeguards: Unique user IDs, strong authentication, encryption in transit and at rest, automatic logoff, audit logs and monitoring, secure messaging, and endpoint protection.
- Physical safeguards: Facility access controls, workstation security, device and media controls, and secure disposal of paper and electronic media.
- Program operations: Privacy-by-design reviews for new projects, standardized forms for patient requests, and routine internal audits of disclosures and access.
- Incident response and breach notification requirements: Triage incidents promptly, conduct a risk assessment of each impermissible use or disclosure (nature of the PHI, who received it, whether it was actually viewed, and how far harm was mitigated), mitigate harm, notify affected individuals, HHS, and where required the media without unreasonable delay and no later than 60 days after discovery, and document every decision, including a decision that no breach occurred.
- Documentation and retention: Keep policies, NPPs, BAAs, training records, risk assessments, and breach files for the required retention period.
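The "audit logs and monitoring" and "routine internal audits of disclosures and access" items above are where the minimum necessary standard and role-based access actually get checked. The following is an added example, not code from Accountable or from any EHR vendor, showing the kind of review a privacy team runs over chart-access logs. The log format, roles, care-team roster, and threshold are all constructed for the example; a real deployment would pull the roster from encounter data and tune the threshold to the department.

```python
"""Chart-access audit over an EHR access log (added example).

Assumptions (not from the page): the CSV log format, the role-to-action
policy, the care-team roster, the staff-to-own-record mapping and the
after-hours threshold are all constructed for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: who opened which patient record, when, and how.
ACCESS_LOG = """\
timestamp,user_id,user_role,patient_id,action
2024-03-04T09:12:00,u1001,nurse,p5001,view_chart
2024-03-04T09:15:00,u1002,physician,p5002,view_chart
2024-03-04T12:40:00,u1003,billing,p5001,view_claims
2024-03-04T13:05:00,u1001,nurse,p5003,view_chart
2024-03-04T22:17:00,u1004,registrar,p5004,view_chart
2024-03-04T22:18:00,u1004,registrar,p5005,view_chart
2024-03-04T22:19:00,u1004,registrar,p5006,view_chart
2024-03-04T22:20:00,u1004,registrar,p5007,view_chart
"""

# Constructed treatment-relationship roster: patient -> users on the care team.
CARE_TEAM = {
    "p5001": {"u1001", "u1002"},
    "p5002": {"u1002"},
    "p5003": {"u1002"},
}
# Minimum necessary expressed as a role policy: billing sees claims, not the clinical chart.
ROLE_ALLOWED_ACTIONS = {
    "billing": {"view_claims"},
    "nurse": {"view_chart"},
    "physician": {"view_chart"},
    "registrar": {"view_demographics"},
}
# Constructed mapping from workforce member to their own patient record, if they are also a patient.
USER_OWN_PATIENT = {"u1001": "p5003"}
AFTER_HOURS_BULK_THRESHOLD = 3  # chart opens between 20:00 and 06:00 that trigger review


def audit(log_text):
    """Return a list of (user_id, patient_id, reasons) findings for privacy review."""
    findings = []
    after_hours = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient, role, action = row["user_id"], row["patient_id"], row["user_role"], row["action"]
        reasons = []
        if action not in ROLE_ALLOWED_ACTIONS.get(role, set()):
            reasons.append("action not permitted for role")
        if action == "view_chart" and user not in CARE_TEAM.get(patient, set()):
            reasons.append("no treatment relationship")
        if USER_OWN_PATIENT.get(user) == patient:
            reasons.append("self-lookup")
        if ts.hour >= 20 or ts.hour < 6:
            after_hours[user] += 1
        if reasons:
            findings.append((user, patient, reasons))
    # Volume-based finding: many after-hours opens by one user, regardless of relationship.
    for user, count in after_hours.items():
        if count >= AFTER_HOURS_BULK_THRESHOLD:
            findings.append((user, "*", [f"{count} chart accesses after hours"]))
    return findings


if __name__ == "__main__":
    for user, patient, reasons in audit(ACCESS_LOG):
        print(user, patient, "; ".join(reasons))
```

Each finding is a lead for the privacy official, not a verdict: an access without a documented relationship may be a legitimate consult, which is why the review and its outcome should be recorded alongside the sanction policy.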
Penalties for HIPAA Violations
Noncompliance can trigger civil and criminal penalties and significant corrective obligations. The civil penalty structure escalates with the level of culpability and can result in substantial fines per violation, capped annually. Criminal penalties apply when someone knowingly obtains or discloses PHI unlawfully, with heightened penalties for false pretenses or intent to sell or harm.
- Administrative outcomes: Resolution agreements, corrective action plans, monitoring, and required policy, training, and technology upgrades.
- Aggravating and mitigating factors: OCR considers the nature and extent of harm, organization size, cooperation, prior history, and remediation.
- Risk reduction: Strong encryption, rigorous access controls, thorough training, and complete business associate agreements markedly reduce enforcement exposure.
State Law Considerations
HIPAA sets a federal floor; more protective state laws are not preempted. Where state law is stricter—such as rules for mental health, HIV, genetic data, reproductive health, or minors’ records—you must follow the stricter standard.
States also impose separate breach notification timelines and consumer privacy obligations. Map applicable state requirements, reflect them in your notice of privacy practices, update business associate agreements as needed, and train staff on location-specific rules.
Bottom line: Understand what HIPAA permits, build processes that honor patient rights, lock down PHI with layered safeguards, and align federal and state requirements to keep your program compliant and trustworthy.
FAQs
What information is protected under HIPAA privacy rules?
Protected health information includes any individually identifiable health information about a person’s health status, care, or payment that is created or received by a covered entity or its business associate. PHI can be electronic, paper, or oral; de-identified data is not PHI.
Who must comply with HIPAA Privacy Rule?
Healthcare providers that conduct standard transactions, health plans, and healthcare clearinghouses must comply, as must their vendors and service providers that handle PHI under business associate agreements. These organizations must implement policies, safeguards, and workforce training that align with the rule.
What are the penalties for violating HIPAA Privacy Rule?
Penalties range from civil monetary penalties based on culpability to criminal charges for intentional misuse of PHI. Enforcement often includes corrective action plans, monitoring, and potentially large fines; severe, willful violations can also carry criminal penalties.
How can patients access their health information under HIPAA?
Patients submit a request to the covered entity to inspect or receive a copy of their PHI in the requested readily producible format, including electronic copies of EHR data. You may charge only a reasonable, cost-based fee and must act on the request within 30 days (one 30-day extension is allowed if you give the patient written notice of the reason and the new date); patients may also direct you to send records to a designated third party.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.