What Does the HIPAA Privacy Rule Apply To? Covered Entities, Business Associates, and PHI Explained


Kevin Henry

HIPAA

March 04, 2024


The HIPAA Privacy Rule sets national standards for how health information is used and disclosed. It governs Covered Entities and their Business Associates, and it protects Protected Health Information (PHI) in any form. This guide explains scope, roles, disclosure limitations, individual privacy rights, and core requirements for HIPAA compliance.

Covered Entities Defined

Covered Entities are the organizations directly regulated by the HIPAA Privacy Rule. They include: (1) health care providers that transmit health information electronically in connection with standard transactions (such as claims and eligibility checks), (2) health plans (for example, insurers, HMOs, Medicare Advantage plans, employer-sponsored group health plans), and (3) health care clearinghouses that process nonstandard data into standard formats.

Only the components of a hybrid organization that perform covered functions are subject to the rule. Employers, life insurers, and most schools are not Covered Entities when acting in those capacities, though a group health plan they sponsor can be. Organized Health Care Arrangements may share PHI for joint operations, but each participant remains responsible for HIPAA compliance.

Business Associate Responsibilities

A Business Associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. Examples include billing services, practice management and EHR vendors, cloud and data-hosting providers, legal and accounting firms handling PHI, and analytics or quality-improvement contractors.

Business Associate Agreements (BAAs) must be in place before PHI is shared. A BAA defines permissible uses and disclosure limitations, requires safeguards, mandates breach reporting, and flows HIPAA obligations to subcontractors. Business Associates have direct liability for impermissible uses or disclosures of PHI and for failing to implement required safeguards or honor the minimum necessary standard.

Protected Health Information Scope

PHI is individually identifiable health information related to a person’s health status, care, or payment for care that is created or held by a Covered Entity or Business Associate. It includes data in any medium—verbal, paper, or electronic (ePHI)—such as names, addresses, dates, medical record numbers, diagnoses, test results, images, and billing details.

Not all health-related data is PHI. De-identified information (via expert determination or removal of specified identifiers) is outside the rule’s scope, as are education records under FERPA and employment records held by an employer in its employer role. PHI of decedents is protected for 50 years after death. Limited Data Sets may be used or disclosed for research, public health, or operations with data use agreements that further restrict re-identification.

Privacy Safeguards Requirements

Covered Entities and Business Associates must implement reasonable safeguards to prevent inappropriate uses or disclosures of PHI. Core expectations include written policies and procedures, workforce training, mitigation of known violations, sanctions for noncompliance, and procedures to verify requestors’ identity and authority before disclosing PHI.

Organizations must provide a Notice of Privacy Practices that explains permitted uses and disclosure limitations, individual rights, and how to file complaints. While technical protections for ePHI are the focus of the Security Rule, the Privacy Rule still requires practical, role-based controls and processes to minimize incidental disclosures in everyday operations.

Individual Rights under HIPAA

Individuals have strong privacy rights. You can access and obtain copies of your PHI in a readily producible form, direct a copy to a third party, and request timely responses. You may ask to amend PHI, and the organization must explain denials in writing and let you add a statement of disagreement.

Additional individual privacy rights include requesting restrictions on certain disclosures (including limiting disclosures to a health plan when you pay a provider in full out of pocket), requesting confidential communications, receiving an accounting of certain disclosures, and obtaining the Notice of Privacy Practices. You may file a complaint without retaliation.

Minimum Necessary Standard

Except for specific situations, organizations must limit uses, disclosures, and requests to the minimum necessary information to accomplish the intended purpose. This standard drives role-based access, need-to-know workflows, and data segmentation to reduce risk.

Common exceptions include disclosures for treatment, disclosures to the individual, disclosures required by law, and uses or disclosures to the Department of Health and Human Services for investigations. Policies should translate the minimum necessary standard into practical disclosure limitations for routine operations, research, and analytics.

Enforcement and Compliance

The Office for Civil Rights enforces the HIPAA Privacy Rule through complaints, investigations, and audits. Outcomes can include corrective action plans, resolution agreements, and civil monetary penalties. The Department of Justice may pursue criminal cases for intentional misuse of PHI.

Effective HIPAA compliance integrates governance and day-to-day practice: designate a privacy official; maintain BAAs; document policies, training, and sanctions; implement role-based access and minimum necessary controls; verify requestors; manage incidents and provide breach notifications when required; and periodically review and improve your program.

In summary, the Privacy Rule applies to Covered Entities and their Business Associates, regulates how Protected Health Information is used and disclosed, enforces disclosure limitations through the minimum necessary standard, and empowers individuals with meaningful privacy rights—all foundational pillars of HIPAA compliance.

FAQs

What types of entities must comply with the HIPAA Privacy Rule?

Health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses are Covered Entities and must comply. Business Associates that create, receive, maintain, or transmit PHI for a Covered Entity must also comply under their Business Associate Agreements and are directly liable for violations.

What is considered Protected Health Information under HIPAA?

PHI is individually identifiable health information related to a person’s health, care, or payment for care that is created or held by a Covered Entity or Business Associate. It spans any medium—verbal, paper, or electronic—and includes identifiers such as names, medical record numbers, and full-face photos, along with clinical and billing details. De-identified data is not PHI.

How do business associates relate to HIPAA compliance?

Business Associates perform services involving PHI for Covered Entities and must follow the Privacy Rule’s requirements. A Business Associate Agreement sets permitted uses, disclosure limitations, safeguards, breach reporting, and subcontractor obligations. Business Associates are directly accountable for compliance and may face enforcement for violations.

What rights do individuals have over their PHI?

Individuals have the right to access and receive copies of PHI, request amendments, obtain an accounting of certain disclosures, request restrictions and confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation. These individual privacy rights ensure transparency and control over PHI.
