What Is the HIPAA Privacy Rule? A Business Associate’s Guide to Permitted Uses, Disclosures, and BAAs
Overview of the HIPAA Privacy Rule
What the Privacy Rule does
The HIPAA Privacy Rule sets national standards for how Protected Health Information (PHI) may be used and disclosed. It establishes individual rights, defines the “minimum necessary” standard, and governs when you need an authorization. For business associates, it frames the boundaries within which you may handle PHI on behalf of a covered entity.
Who must comply
Covered entities—health plans, health care clearinghouses, and most providers—are directly regulated, and business associates are contractually and directly responsible when creating, receiving, maintaining, or transmitting PHI. While the Security Rule focuses on electronic PHI and safeguards, the Privacy Rule focuses on who may access PHI, why, and under what conditions.
Key principles for business associates
- Use and disclose PHI only as permitted by the Business Associate Agreement (BAA) or as required by law.
- Apply the minimum necessary standard to routine uses and disclosures, limiting PHI to what is needed.
- Honor individual rights by supporting access, amendment, and accounting requests that the covered entity routes to you.
- Document your decisions and maintain auditable records to demonstrate compliance.
Roles and Responsibilities of Business Associates
Who is a business associate
A business associate is any vendor or partner that performs functions or activities involving PHI for a covered entity. Common examples include billing services, cloud hosting providers, EHR and eFax vendors, analytics firms, Data Aggregation Services providers, and consultants who need PHI to deliver contracted services.
Core responsibilities
- Use PHI only to perform contracted services and as permitted by the BAA.
- Implement Administrative Safeguards, Technical Safeguards, and physical safeguards to protect PHI.
- Support the covered entity’s obligations, including responding to access, amendment, and accounting requests.
- Maintain policies, workforce training, and discipline to uphold Confidentiality Obligations.
- Flow down Privacy Rule obligations to subcontractors that handle PHI on your behalf.
Confidentiality Obligations
You must prevent unauthorized uses or disclosures of PHI, restrict workforce access to least-privilege, and ensure contractors commit to equivalent confidentiality. Reinforce obligations through training, sanctions, and ongoing monitoring.
Permitted Uses and Disclosures of PHI
To perform services for the covered entity
You may use and disclose PHI as necessary to perform the specific services described in your BAA, such as claims processing, data analysis, or quality improvement. Keep uses tightly aligned to the contract and apply minimum necessary.
For proper management and administration
You may use PHI for your own management and administration and disclose PHI if required by law or if you obtain reasonable assurances that the recipient will keep it confidential and use it only as permitted. Document these assurances and disclosures.
Data Aggregation Services
If your BAA allows it, you may use PHI to provide Data Aggregation Services to the covered entity—combining PHI from multiple sources to produce de-identified or comparative analyses that support health care operations. Ensure outputs do not re-identify individuals unless explicitly authorized.
De-identified data and limited data sets
With BAA permission, you may de-identify PHI using either the expert determination or safe harbor method, or create a limited data set under a data use agreement. De-identified information is not PHI, but you must avoid re-identification unless permitted.
Uses requiring authorization or restrictions
Activities like marketing, sale of PHI, or most disclosures not tied to the contract require an individual’s authorization unless a narrow exception applies. When in doubt, seek covered entity guidance and document the decision path.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Requirements for Business Associate Agreements
Required elements to include
- Permitted and required uses and disclosures of PHI by the business associate.
- Prohibition on uses or disclosures not authorized by the BAA or law.
- Obligation to implement Administrative Safeguards, Technical Safeguards, and physical safeguards to protect PHI.
- Security Incident Reporting and breach notification duties, including timelines and required content.
- Flow-down terms requiring subcontractors to agree to the same restrictions and conditions.
- Support for access, amendment, and accounting of disclosures when the covered entity requests assistance.
- Right of HHS (or applicable authority) to access your books and records related to PHI.
- Return or destruction of PHI at termination, if feasible, and continued protection if retention is required.
- Termination for cause if you materially breach the BAA.
- Optional but common: authorization to perform Data Aggregation Services and to de-identify PHI where appropriate.
Operational tips for stronger BAAs
- Define specific turnaround times for access, amendment, accounting, and incident reports.
- Set encryption, logging, and retention baselines; clarify evidence expected for audits.
- Identify named contacts for privacy, security, and incident escalation.
- Specify how you will handle subpoenas and disclosures required by law, including notice to the covered entity.
Safeguards and Compliance Obligations
Administrative Safeguards
- Risk analysis and risk management tailored to your systems and data flows.
- Policies, procedures, workforce training, and sanctions tied to Confidentiality Obligations.
- Vendor management for subcontractors, including due diligence and ongoing oversight.
- Contingency planning, backups, and tested incident response playbooks.
- Formal process for Security Incident Reporting and breach assessment.
Technical Safeguards
- Access controls with unique IDs, role-based access, and multi-factor authentication.
- Encryption in transit and at rest, with robust key management.
- Audit controls: centralized logging, immutable logs, and regular review.
- Integrity and transmission security controls, including TLS and anti-tamper measures.
- Secure software development, vulnerability management, and timely patching.
Physical safeguards and privacy operations
- Facility access controls, secure workstations, and device/media sanitization.
- Clean-desk and secure disposal practices for paper and electronic media.
- Minimum necessary workflows, data mapping, and periodic access reviews.
Reporting and Breach Notification
When to report
A security incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information. An impermissible use or disclosure of PHI is presumed a breach unless a documented risk assessment shows a low probability of compromise. Treat alerts seriously and trigger your Security Incident Reporting process promptly.
Timelines and required content
- Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery.
- Provide what happened, dates, and the number of individuals affected.
- Describe the types of PHI involved, whether it was actually acquired or viewed, and any mitigation steps taken.
- Outline containment, investigation results, remedial actions, and measures to prevent recurrence.
- Coordinate on any individual or regulatory notifications; the covered entity typically leads unless your BAA delegates tasks.
Mitigation and documentation
- Stop, contain, and eradicate the issue; preserve evidence for forensics and legal review.
- Complete and retain the four-factor risk assessment and decision rationale.
- Track corrective actions and verify effectiveness through follow-up testing.
Special scenarios
For ransomware or cloud exposures, assume ePHI is compromised unless evidence supports otherwise. Validate backups, rotate keys, review access logs, and coordinate closely with the covered entity on communications and next steps.
Managing Subcontractor Compliance
Flow-down requirements
If a subcontractor will create, receive, maintain, or transmit PHI for you, they must sign a Business Associate Agreement (BAA) with terms at least as strict as yours. Require equivalent Administrative Safeguards, Technical Safeguards, and Confidentiality Obligations.
Risk-based vendor management
- Triage subcontractors by risk; gather security questionnaires and independent attestations where available.
- Define Security Incident Reporting obligations, notification windows, and evidence requirements.
- Include rights to audit, data return/destruction terms, and clear termination-for-cause clauses.
Ongoing oversight
- Monitor performance with metrics, periodic assessments, and targeted audits.
- Review access lists, validate encryption and logging, and test incident response.
- Require timely disclosure of control changes, suspected incidents, or regulatory inquiries.
Conclusion
The HIPAA Privacy Rule sets precise boundaries for how you, as a business associate, may use and disclose PHI. Strong BAAs, disciplined safeguards, timely reporting, and rigorous subcontractor oversight translate the rule into day-to-day practice and reduce risk for both you and your covered entity partners.
FAQs
What uses and disclosures of PHI are permitted under the HIPAA Privacy Rule?
You may use and disclose PHI as necessary to perform services for the covered entity per your BAA, for your proper management and administration, and to fulfill legal obligations. With BAA authorization, you may perform Data Aggregation Services and create de-identified or limited data sets. Apply the minimum necessary standard and obtain individual authorization for activities outside these permitted purposes.
What are the key requirements of a Business Associate Agreement?
A BAA must define permitted/required PHI uses and disclosures; prohibit unauthorized uses; mandate Administrative Safeguards and Technical Safeguards; require Security Incident Reporting and breach notification; flow down obligations to subcontractors; support access, amendment, and accounting; allow regulatory access to relevant records; require return or destruction of PHI at termination; and authorize termination for cause. It may also allow de-identification and data aggregation where appropriate.
How must business associates safeguard protected health information?
Implement risk-based controls across people, process, and technology: Administrative Safeguards (policies, training, vendor management, contingency plans), Technical Safeguards (least-privilege access, MFA, encryption, logging, integrity and transmission security), and physical protections. Enforce Confidentiality Obligations, review access regularly, and test incident response.
What are the reporting obligations for breaches of PHI?
Report to the covered entity without unreasonable delay and no later than 60 days after discovery, provide details about the incident, PHI involved, affected individuals, mitigation, and corrective actions, and maintain documentation of your risk assessment. Coordinate on notifications to individuals and regulators as directed by the BAA.