What Is the HIPAA Privacy Rule? A Clear Summary of Key Protections and Requirements
Overview of HIPAA Privacy Rule
What the Rule Covers
The HIPAA Privacy Rule sets national standards for how health information may be used and disclosed, defines who must comply, and grants individuals specific rights over their data. It applies to Protected Health Information (PHI) held or transmitted by Covered Entities—health plans, health care providers that conduct standard electronic transactions, and Health Care Clearinghouses—and to their Business Associates. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/introduction/index.html?utm_source=openai))
Core Principles
Core requirements include honoring patient rights, limiting uses and disclosures to the “minimum necessary,” maintaining Privacy Safeguards, and providing a clear Notice of Privacy Practices (NPP). These duties govern day‑to‑day decisions about when PHI may be used, shared, or withheld. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
Patient Rights Under the Privacy Rule
Right of Access
You can inspect, get copies of, or direct a copy of your PHI to another person or entity. Providers must generally respond within 30 calendar days (with one 30‑day extension allowed), and must provide records in the requested form and format if readily producible; only reasonable, cost‑based fees may be charged for copies. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))
Right to Amend and to an Accounting of Disclosures
You may request corrections to PHI in a designated record set; the entity must act within 60 days (with one 30‑day extension) and explain any denial. You also may request an accounting of certain disclosures made in the prior six years, with the first accounting in any 12‑month period provided at no charge. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.526?utm_source=openai))
Request Restrictions and Confidential Communications
You may ask a provider or plan to restrict certain uses and disclosures and to communicate with you by alternate means or at alternate locations. Providers must accommodate reasonable requests for confidential communications; plans must do so when non‑accommodation could endanger you. Providers must also agree to restrict disclosures to a health plan when you pay in full out‑of‑pocket for the item or service and disclosure is not otherwise required by law. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.522?utm_source=openai))
Responsibilities of Covered Entities
Administrative Duties and Privacy Safeguards
Covered Entities must designate a privacy official, train their workforce, mitigate violations, document policies for six years, apply sanctions when needed, and maintain appropriate administrative, technical, and physical safeguards to protect PHI and limit incidental disclosures. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))
Minimum Necessary and Business Associates
Except for certain situations (such as disclosures for treatment), entities must limit uses, disclosures, and requests to the minimum necessary to accomplish the purpose. When engaging Business Associates—vendors that create, receive, maintain, or transmit PHI on a Covered Entity’s behalf—entities must execute written agreements requiring appropriate protections and cooperation with HIPAA duties. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
Notice of Privacy Practices
Most providers and health plans must give individuals an NPP that explains how PHI may be used and disclosed, the individual’s rights, and the entity’s legal duties, and must update and redistribute the notice when practices materially change. Health Care Clearinghouses may be exempt in limited circumstances. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.520?utm_source=openai))
Permitted Disclosures Without Authorization
Treatment, Payment, and Health Care Operations (TPO)
Covered Entities may use or disclose PHI for their own or another entity’s treatment, payment, and health care operations without Patient Authorization when the rule’s conditions are met and other requirements (such as minimum necessary) are observed. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.506?utm_source=openai))
Public Interest and Other Purposes
HIPAA permits specified disclosures without authorization for purposes such as those required by law, public health activities, health oversight, judicial and administrative proceedings, certain law enforcement activities, to avert a serious threat, research under defined conditions, decedent matters, and workers’ compensation, among others. Separate provisions allow limited disclosures with an opportunity for the individual to agree or object (e.g., facility directories or persons involved in care). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.512?utm_source=openai))
When Authorization Is Required
HIPAA requires Patient Authorization for uses and disclosures that fall outside permitted categories, including most uses of psychotherapy notes, most marketing communications, and any sale of PHI. Authorizations must contain specific elements and may be revoked in writing. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.508?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Safeguards for Protected Health Information
Privacy Safeguards
The Privacy Rule requires “appropriate administrative, technical, and physical safeguards” to protect PHI and to limit incidental uses and disclosures. Entities must implement reasonable measures commensurate with their size, activities, and risks. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))
Security Safeguards for ePHI
For electronic PHI (ePHI), the HIPAA Security Rule requires risk analysis and risk management plus administrative, physical, and technical controls to ensure the confidentiality, integrity, and availability of ePHI. Security practices and training reinforce Privacy Rule compliance. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))
Enforcement and Penalties
Civil and Criminal Penalties
The HHS Office for Civil Rights (OCR) may impose tiered civil money penalties for violations, with amounts adjusted annually for inflation and caps set by regulation. The U.S. Department of Justice may bring criminal cases for wrongful disclosures, with penalties that escalate for false pretenses or disclosures for personal gain. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))
How OCR Enforces the Rule
OCR enforces through investigations, compliance reviews, technical assistance, corrective action plans, resolution agreements, and, when warranted, civil penalties. Recent enforcement has emphasized the Right of Access, underscoring timely, affordable patient access to records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html?utm_source=openai))
Recent Updates to the Privacy Rule
Reproductive Health Privacy
On April 22, 2024, HHS finalized changes intended to strengthen Reproductive Health Privacy under HIPAA. On June 18, 2025, a federal district court vacated most of that final rule nationwide. However, certain modifications to the NPP requirements remain, with compliance due February 16, 2026, while HHS evaluates next steps. Entities should monitor HHS updates and adjust notices and training as required. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html?utm_source=openai))
Online Tracking Technologies Guidance
On June 20, 2024, a federal court vacated key portions of OCR’s bulletin on online tracking technologies as beyond the agency’s authority; HHS later withdrew its appeal. This ruling limits OCR’s position on when data from unauthenticated public webpages constitutes PHI, though regulated entities should still assess privacy risks and vendor practices. ([reuters.com](https://www.reuters.com/legal/biden-era-policy-against-hospital-web-trackers-unlawful-judge-rules-2024-06-20/?utm_source=openai))
Security Rule Modernization (Context)
In late 2024 and early 2025, HHS proposed significant Security Rule updates to address cyber threats (e.g., stronger risk analyses, MFA, encryption, vendor oversight). While these proposals target security, they will affect Privacy Rule operations (policies, training, vendor management) if finalized. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html?utm_source=openai))
Summary
The HIPAA Privacy Rule balances care coordination with confidentiality. Know your rights, use Patient Authorization when required, implement Privacy Safeguards and minimum‑necessary controls, and track legal developments—especially around Reproductive Health Privacy and digital technologies—to keep compliance current. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
FAQs
What information is protected under the HIPAA Privacy Rule?
PHI is individually identifiable health information created or received by a Covered Entity or Business Associate that relates to health, care, or payment and is maintained or transmitted in any form. Exclusions include education records under FERPA, employment records held in the employer role, and information about a person deceased for more than 50 years. De‑identified data (e.g., via the “safe harbor” removal of 18 identifiers) is not PHI. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))
Who must comply with the HIPAA Privacy Rule?
Covered Entities—health plans, Health Care Clearinghouses, and certain health care providers that conduct standard electronic transactions—must comply, as do their Business Associates under written agreements. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/hipaa/covered-entities?utm_source=openai))
How can patients access and correct their health information?
Submit a written access request to your provider or plan; they generally must respond within 30 days and provide the records in the requested form and format if readily producible. You may also request amendments (the entity must act within 60 days) and an accounting of certain disclosures covering the prior six years. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))
What are the penalties for violating the HIPAA Privacy Rule?
OCR can impose tiered civil money penalties per violation, with annual caps that are adjusted for inflation, and may require corrective actions or settlement agreements; DOJ may pursue criminal penalties for knowing wrongful disclosures, with higher penalties for false pretenses or disclosures for personal gain. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))