What Is the HIPAA Privacy Rule? Definition, Key Standards, and Examples
The HIPAA Privacy Rule establishes national standards for how covered entities and their business associates use, disclose, and safeguard Protected Health Information (PHI). It gives you enforceable rights over your health data, sets the Minimum Necessary Standard, and requires reasonable administrative, physical, and technical safeguards to protect privacy.
HIPAA Privacy Rule Overview
The Privacy Rule governs PHI in any form—paper, verbal, or electronic—and applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically for certain transactions. Business associates that handle PHI on behalf of covered entities must also comply through Business Associate Agreements.
Core objectives are to limit unnecessary uses and disclosures, standardize permissible sharing for treatment, payment, and healthcare operations, and ensure you can access and control your health information. Where state law is more protective of privacy, it typically prevails over the federal baseline.
Examples
- A hospital shares PHI with a specialist for treatment without your written authorization.
- A health plan uses PHI for payment and healthcare operations subject to the Minimum Necessary Standard.
- A clinic provides a Notice of Privacy Practices explaining how your PHI may be used and your rights.
Protected Health Information Definition
PHI is individually identifiable health information that relates to your past, present, or future physical or mental health or condition, the provision of care, or payment for care. It includes common identifiers such as name, address, full-face photos, and account numbers when linked to health data. Electronic PHI (ePHI) is PHI in electronic form and is also subject to the Security Rule.
Information is not PHI if it is de-identified. De-identification can be achieved through expert determination or by removing specific identifiers (often referred to as the “safe harbor” method). A limited data set—where certain direct identifiers are removed—may be used for research, public health, or healthcare operations with a data use agreement.
Examples
- PHI: A lab result tied to your name and date of birth.
- Not PHI: Aggregate statistics with all identifiers removed per de-identification standards.
- Limited Data Set: Dates of service and ZIP code (no direct identifiers) used for health system analytics under a data use agreement.
Permitted Uses and Disclosures
Without your written authorization, PHI may be used or disclosed for treatment, payment, and healthcare operations (TPO). The Privacy Rule also permits or requires disclosures for specified public interest and benefit purposes, and it allows disclosures to you, to those involved in your care when you agree or do not object, and for certain facility directories.
Public interest and benefit examples
- Public health activities (e.g., disease reporting, adverse event tracking).
- Health oversight (e.g., audits, inspections).
- Judicial and administrative proceedings, and limited law enforcement purposes.
- Reporting about decedents to coroners and funeral directors.
- Organ and tissue donation, research with IRB/Privacy Board waiver, or limited data set with agreement.
- To avert a serious threat to health or safety; specialized government functions; workers’ compensation.
Authorization required
- Most marketing communications, sale of PHI, and many research uses without a waiver.
- Psychotherapy notes (with narrow exceptions).
Patient Rights under HIPAA
You have the right to access, inspect, and obtain a copy of your PHI in the form and format requested if readily producible. Covered entities must respond generally within 30 days (with one permissible 30‑day extension and written notice) and may charge a reasonable, cost-based fee for copies.
You may request amendments to inaccurate or incomplete PHI, receive an accounting of certain disclosures for up to six years (excluding TPO and other exceptions), request restrictions on uses or disclosures, and choose confidential communications (for example, an alternate address). If you pay a provider in full out-of-pocket, you can require that the provider not disclose related information to your health plan for payment or operations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples
- Requesting an electronic copy of your medical record via a patient portal.
- Asking a clinic to correct an incorrect allergy entry.
- Directing a provider to send your records to a third party you designate.
Minimum Necessary Standard Application
The Minimum Necessary Standard requires covered entities and business associates to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the purpose. Organizations implement role-based access, policies, and procedures to operationalize this standard.
The standard does not apply to disclosures for treatment, to you as the individual, uses or disclosures authorized by you, disclosures to HHS for compliance, or uses/disclosures required by law. For routine requests, entities can rely on standard protocols; for non-routine requests, they must review case by case.
Examples
- Front-desk staff see only scheduling and demographic fields, not full clinical notes.
- A billing team receives encounter codes and dates of service but not full narratives.
- A researcher receives a limited data set rather than fully identifiable PHI.
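The de-identification methods described under "Protected Health Information Definition" (safe harbor vs. a limited data set) and the role-based views just listed for the Minimum Necessary Standard are easiest to see in working code. The following Python is an added illustration, not code from the page or from Accountable: the record, field names, roles and identifier sets are constructed for the example, and the identifier categories are a simplified subset (the actual safe-harbor list is longer and has conditions, such as population thresholds for three-digit ZIP codes, that are not modelled here).

```python
from copy import deepcopy

# Constructed sample record for a fictional patient (not real PHI).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "123 Main St",
    "zip": "12345",
    "phone": "555-0100",
    "account_number": "ACCT-0001",
    "photo_url": "https://example.invalid/face.jpg",
    "date_of_birth": "1980-04-02",
    "date_of_service": "2024-01-15",
    "appointment_time": "09:30",
    "encounter_codes": ["99213"],
    "lab_result": "HbA1c 6.1%",
    "clinical_notes": "Patient reports improved energy; continue current plan.",
}

# Simplified subset of direct identifiers (assumption: the real list is longer).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "account_number", "photo_url"}
DATE_FIELDS = {"date_of_birth", "date_of_service"}

# Minimum-necessary field profiles per role (assumed for this example).
ROLE_FIELDS = {
    "front_desk": {"name", "phone", "date_of_birth", "date_of_service", "appointment_time"},
    "billing": {"account_number", "encounter_codes", "date_of_service"},
}


def _without(record, fields):
    """Return a deep copy of record with the named fields removed."""
    return {k: deepcopy(v) for k, v in record.items() if k not in fields}


def safe_harbor(record):
    """Simplified safe-harbor style de-identification: drop direct identifiers,
    reduce dates to the year, and truncate ZIP to its first three digits."""
    out = _without(record, DIRECT_IDENTIFIERS)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]  # keep only the year
    if "zip" in out:
        out["zip"] = out["zip"][:3]
    return out


def limited_data_set(record):
    """Limited data set: direct identifiers removed, dates and ZIP retained."""
    return _without(record, DIRECT_IDENTIFIERS)


def role_view(record, role):
    """Minimum-necessary view for a role; roles without a profile get nothing
    (deny by default) rather than the full record."""
    if role == "researcher":
        return limited_data_set(record)
    if role not in ROLE_FIELDS:
        raise ValueError(f"no minimum-necessary profile defined for role {role!r}")
    allowed = ROLE_FIELDS[role]
    return {k: deepcopy(v) for k, v in record.items() if k in allowed}


def has_direct_identifier(record):
    """True if any direct identifier field is still present."""
    return any(f in record for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    for label, view in [
        ("safe harbor", safe_harbor(SAMPLE_RECORD)),
        ("limited data set", limited_data_set(SAMPLE_RECORD)),
        ("front desk", role_view(SAMPLE_RECORD, "front_desk")),
        ("billing", role_view(SAMPLE_RECORD, "billing")),
    ]:
        print(f"{label}: {sorted(view)}")
```

The design point is that every view is produced by subtraction from the full record, so adding a new field to the record never silently widens what a role or a research extract receives; an unknown role raises instead of falling through to the full record.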
Safeguards to Protect PHI
The Privacy Rule requires appropriate safeguards to prevent impermissible uses and disclosures, and the Security Rule specifies protections for ePHI. Effective programs blend Administrative Safeguards, Physical Safeguards, and Technical Safeguards to reduce risk.
Administrative Safeguards
- Policies and procedures, workforce training, sanction processes, and risk assessments.
- Role-based access controls and procedures for incident response and breach notification.
Physical Safeguards
- Facility access controls, workstation security, and device/media controls (secure storage, destruction).
- Visitor management and clean-desk practices to prevent casual viewing of PHI.
Technical Safeguards
- User authentication, unique IDs, automatic logoff, and audit logs.
- Integrity and transmission security measures, such as encryption in transit and at rest where appropriate.
Examples
- Encrypting laptops that may store ePHI and enabling remote wipe.
- Using audit trails to monitor access to patient records.
- Shredding paper records and securely disposing of media that contain PHI.
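The audit-trail safeguard above is only useful if someone reviews the trail. The following Python is an added example, not code from the page or from Accountable, showing three simple checks a compliance or security team might run over access logs: an action that the user's role is not expected to perform, access outside business hours, and one user opening many distinct patient records in a short window. The log format, role-to-action table, thresholds and the sample lines are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: "timestamp user role patient_id action".
SAMPLE_LOG = """\
2024-03-04T09:02:11 dlee front_desk P1001 view_schedule
2024-03-04T09:05:40 mkhan billing P1001 view_billing
2024-03-04T09:06:02 mkhan billing P1001 view_clinical_notes
2024-03-04T23:41:13 rsmith nurse P2002 view_clinical_notes
2024-03-04T10:00:01 tgarcia nurse P3001 view_clinical_notes
2024-03-04T10:00:09 tgarcia nurse P3002 view_clinical_notes
2024-03-04T10:00:17 tgarcia nurse P3003 view_clinical_notes
2024-03-04T10:00:26 tgarcia nurse P3004 view_clinical_notes
2024-03-04T10:00:34 tgarcia nurse P3005 view_clinical_notes
2024-03-04T10:00:41 tgarcia nurse P3006 view_clinical_notes
"""

# Assumed mapping of roles to the actions they are expected to perform.
PERMITTED_ACTIONS = {
    "front_desk": {"view_schedule", "view_demographics"},
    "billing": {"view_billing", "export_claims"},
    "nurse": {"view_schedule", "view_clinical_notes", "update_vitals"},
}
BUSINESS_HOURS = (7, 19)          # hours [start, end) treated as normal
BULK_THRESHOLD = 5                # distinct patients that count as bulk access
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def detect(events):
    """Return (rule, user, detail) findings for the three checks."""
    findings = []
    for e in events:
        # Unknown roles have no permitted actions, so everything they do is flagged.
        allowed = PERMITTED_ACTIONS.get(e["role"], set())
        if e["action"] not in allowed:
            findings.append(("role_action_mismatch", e["user"],
                             f"{e['role']} performed {e['action']} on {e['patient']}"))
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"],
                             f"{e['action']} on {e['patient']} at {e['ts'].isoformat()}"))

    # Bulk access: many distinct patients by one user inside a sliding window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            patients = {x["patient"] for x in evs[i:]
                        if x["ts"] - start["ts"] <= BULK_WINDOW}
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(patients)} distinct patients within {BULK_WINDOW}"))
                break  # one finding per user is enough for review
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:10} {detail}")
```

Each finding is a prompt for human review rather than a verdict: a nurse working a night shift or a clinician preparing a ward round will legitimately trip the after-hours and bulk rules, which is why the thresholds and hours are parameters rather than fixed policy.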
Role of Business Associates
Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity—for example, cloud hosts, billing companies, or analytics providers. They must enter into Business Associate Agreements that define permitted uses and disclosures, require safeguards, and mandate reporting of breaches or security incidents.
Business associates are directly liable for compliance with applicable Privacy Rule provisions and the Security Rule for ePHI. They must ensure subcontractors that handle PHI agree to the same restrictions, return or destroy PHI at termination when feasible, and support the covered entity’s Minimum Necessary Standard and patient rights processes.
Examples
- A cloud service provider signs a Business Associate Agreement to host ePHI with access controls and encryption.
- A claims processor limits data feeds to the minimum necessary and reports incidents promptly.
- An analytics firm uses a limited data set under a data use agreement for operations reporting.
In practice, you should map data flows, vet vendors, and align Business Associate Agreements with your actual operational needs and safeguards to ensure PHI remains protected end to end.
FAQs
What information does the HIPAA Privacy Rule protect?
It protects Protected Health Information—any individually identifiable health information related to care or payment in any form (paper, verbal, or electronic). Names, addresses, contact details, account numbers, and full-face photos are examples of identifiers that make health data PHI. De-identified information is not PHI.
How do patient rights affect access to health records?
You can access and obtain a copy of your PHI in the requested form and format if readily producible, generally within 30 days. You can request amendments, receive an accounting of certain disclosures, ask for restrictions, and choose confidential communications, including directing a copy to a third party.
When can PHI be disclosed without authorization?
PHI may be disclosed without your written authorization for treatment, payment, and healthcare operations; to you; for specific public interest and benefit purposes (such as public health, oversight, and certain law enforcement); when required by law; and as allowed with your agreement or opportunity to object (for care involvement and facility directories).
What safeguards are required by the HIPAA Privacy Rule?
Covered entities and business associates must implement reasonable Administrative Safeguards (policies, training, role-based access), Physical Safeguards (facility and device protections), and Technical Safeguards (access controls, audit logs, encryption where appropriate) to prevent impermissible uses or disclosures and to protect ePHI.