What Is the HIPAA Privacy Rule Intended to Protect? Your Protected Health Information (PHI)

Kevin Henry

HIPAA

February 18, 2024

8 minutes read

Overview of the HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards for safeguarding Protected Health Information (PHI) while allowing the flow of health data needed to deliver care. It places clear boundaries on how PHI may be used and disclosed, sets patient rights, and requires Privacy Rule Compliance across the healthcare ecosystem.

The Rule applies to Covered Entities and, through contracts and direct liability, to their business associates. It protects PHI in any form—electronic, paper, or oral—and aligns with the HIPAA Security Rule for electronic PHI and the Breach Notification Rule. It also intersects with Electronic Health Transactions by defining who must comply when health information is transmitted for activities like claims and eligibility checks.

  • Protect confidentiality of PHI using the Minimum Necessary Standard.
  • Enable permitted sharing for treatment, payment, and healthcare operations.
  • Empower individuals with concrete rights over their information.
  • Hold organizations accountable through policies, training, and enforcement.

Definition of Protected Health Information

What counts as PHI

PHI is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care. It is created or received by a Covered Entity or its business associate and identifies the individual or could reasonably do so.

  • Clinical details (diagnoses, treatment plans, test results, medications).
  • Billing and insurance data (claims, coverage, account numbers).
  • Personal identifiers such as name, address, full-face photos, Social Security number, email, phone, medical record numbers, and IP/device identifiers.

What is not PHI

De-identified data, where identifiers are removed or an expert determines the risk of identification is very small, is not PHI. Education records covered by FERPA, employment records held by an employer, and information about individuals deceased for more than 50 years are also outside the definition.

Formats and locations

PHI can exist anywhere—EHRs, paper charts, voice messages, images, apps used by providers, and data moving through Electronic Health Transactions. The Privacy Rule protects PHI regardless of medium or storage location.

Covered Entities and Their Responsibilities

Covered Entities

  • Healthcare providers who transmit health information in Electronic Health Transactions (for example, claims, eligibility, prior authorization).
  • Health plans (insurers, employer group health plans, government programs).
  • Healthcare Clearinghouses that translate or standardize health data.

Business associates and contracts

Vendors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity (such as cloud services, billing firms, or Health Information Exchanges) are business associates. Covered Entities must execute Business Associate Agreements that bind these partners to Privacy Rule Compliance and safeguard obligations.

Core responsibilities

  • Designate a privacy official; adopt, document, and retain policies and procedures.
  • Train the workforce and apply appropriate sanctions for violations.
  • Provide a clear Notice of Privacy Practices to patients.
  • Apply the Minimum Necessary Standard to uses, disclosures, and requests, with defined exceptions.
  • Follow Authorization Requirements for uses/disclosures not otherwise permitted.
  • Honor patient rights (access, amendment, restrictions, confidential communications, and accounting of disclosures).
  • Mitigate harmful effects of improper uses/disclosures and maintain safeguards to protect PHI.

Permitted Uses and Disclosures of PHI

Without individual authorization

  • Treatment, payment, and healthcare operations (TPO). Minimum necessary does not apply to disclosures for treatment.
  • To the individual, and for disclosures required by law or to HHS for enforcement.
  • Incidental disclosures when reasonable safeguards are in place.
  • Public interest and benefit activities: public health reporting, abuse/neglect reporting, health oversight, judicial and administrative proceedings, law enforcement, organ donation, averting serious threats, specialized government functions, and workers’ compensation.
  • Research under an IRB/Privacy Board waiver or as a limited data set under a Data Use Agreement.

With individual authorization

Uses and disclosures not otherwise permitted require a valid written authorization. Key Authorization Requirements include a description of the PHI, purpose, recipient, expiration date or event, signature, and notice of the right to revoke. The Minimum Necessary Standard does not apply to disclosures made pursuant to an authorization or to disclosures to the individual.

Special limits and sensitive information

  • Marketing typically requires authorization; limited exceptions apply (for example, face-to-face communications).
  • Sale of PHI is prohibited without explicit authorization.
  • Psychotherapy notes receive heightened protection and generally require separate authorization.
  • Fundraising is limited to specific data elements and must include a clear opt-out.
  • Disclosures to family or others involved in care may be allowed with the individual’s agreement or professional judgment consistent with the Rule.

Patient Rights Under the Privacy Rule

Right of access

You may inspect or obtain copies of your PHI in a designated record set (for example, medical and billing records) and, when available, receive it in an electronic format or direct it to a third party.

Right to request amendment

If you believe information is inaccurate or incomplete, you can request an amendment. Covered Entities must respond, document decisions, and, when accepted, make reasonable efforts to provide the amendment to relevant parties.

Right to an accounting of disclosures

You may receive an accounting of certain disclosures made without authorization, excluding routine TPO activities and other defined exceptions, for a specified look-back period.

Right to request restrictions

You can ask to limit certain uses or disclosures. While Covered Entities are not required to agree to most restrictions, they must honor a request to restrict disclosure to a health plan when you pay an item or service in full out of pocket.

Right to confidential communications

You may request communications by alternative means or at alternative locations (for example, a different mailing address or phone number), and plans/providers must accommodate reasonable requests.

Notice and complaints

You have the right to receive a Notice of Privacy Practices and to file a complaint with the provider, plan, or HHS without fear of retaliation.

Enforcement and Penalties for Violations

Who enforces

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces the Privacy Rule. State attorneys general may also bring actions for certain violations.

Consequences

  • Investigations, resolution agreements, and corrective action plans.
  • Civil monetary penalties tiered by the organization’s level of culpability.
  • Potential criminal penalties for knowingly obtaining or disclosing PHI in violation of the Rule, enforced by the Department of Justice.

Breach considerations

When unsecured PHI is breached, separate breach-notification duties apply. OCR evaluates both the incident and the entity’s overall Privacy Rule Compliance, including safeguards and response.

Safeguards to Protect PHI

Covered Entities must implement reasonable administrative, physical, and technical safeguards to prevent impermissible uses and disclosures. For electronic PHI, the HIPAA Security Rule adds detailed requirements that complement the Privacy Rule’s standards.

Administrative safeguards

  • Policies and procedures reflecting the Minimum Necessary Standard and role-based access.
  • Workforce training, sanctions, and ongoing risk assessments.
  • Business Associate Agreements that flow down Privacy Rule Compliance duties.
  • Secure processes for authorizations, patient requests, and incident response.

Physical safeguards

  • Facility access controls, visitor management, and workstation privacy.
  • Locked storage, secure printing and mail handling, and proper media disposal.
  • Protections for mobile devices and remote work environments.

Technical safeguards

  • Unique user IDs, strong authentication, and role-based permissions.
  • Encryption in transit and at rest, audit logs, and intrusion monitoring.
  • Secure interfaces and transactions for Electronic Health Transactions and system integrations.
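As an added illustration, not code from the article or from Accountable, the Python sketch below shows how the Minimum Necessary Standard, its exceptions for treatment, disclosures to the individual and authorized disclosures, and an audit log backing the accounting of disclosures can be enforced at a single release point. The purpose names, per-purpose field sets and the sample record are assumptions chosen for the example; a real policy would define its own.

```python
from datetime import datetime, timezone

# Constructed designated record set for one patient (sample data, not real PHI).
RECORD = {
    "name": "Jane Doe", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "diagnoses": ["E11.9"], "medications": ["metformin"],
    "claims": ["CLM-77"], "coverage": "PlanX",
    "psychotherapy_notes": "session notes",
}

# Assumed per-purpose field sets implementing the Minimum Necessary Standard.
# Which fields a real policy allows is an organisational decision; these are
# illustrative only.
MIN_NECESSARY = {
    "payment": {"name", "mrn", "claims", "coverage", "diagnoses"},
    "operations": {"mrn", "diagnoses"},
    "public_health": {"diagnoses"},
    "research_waiver": {"diagnoses", "medications"},
}
# Disclosures the Rule exempts from minimum necessary: for treatment, to the
# individual, and pursuant to a written authorization.
MIN_NECESSARY_EXEMPT = {"treatment", "individual", "authorization"}
# Routine TPO, disclosures to the individual and authorized disclosures are not
# entered in the accounting of disclosures (assumed subset of the exceptions).
ACCOUNTING_EXEMPT = {"treatment", "payment", "operations", "individual", "authorization"}

ACCOUNTING = []  # audit log backing the right to an accounting of disclosures


def disclose(record, purpose, recipient, authorized_fields=()):
    """Return the fields released for `purpose`; log the disclosure when required."""
    if purpose == "authorization":
        # Release only what the written authorization describes.
        fields = set(authorized_fields)
    elif purpose in MIN_NECESSARY_EXEMPT:
        fields = set(record)
    elif purpose in MIN_NECESSARY:
        fields = set(MIN_NECESSARY[purpose])
    else:
        raise PermissionError(f"no permitted basis for purpose {purpose!r}")
    # Psychotherapy notes generally need their own authorization; never release
    # them on any other basis in this example.
    if purpose != "authorization":
        fields.discard("psychotherapy_notes")
    released = {k: record[k] for k in fields if k in record}
    if purpose not in ACCOUNTING_EXEMPT:
        ACCOUNTING.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "purpose": purpose, "recipient": recipient,
            "fields": sorted(released),
        })
    return released
```

A denied purpose raises rather than silently releasing nothing, so a caller cannot mistake a refused disclosure for an empty record.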

Conclusion

The HIPAA Privacy Rule protects your Protected Health Information by defining PHI, setting strict rules for use and disclosure, empowering your rights, and requiring organizations to implement robust safeguards. When entities follow the Minimum Necessary Standard, meet Authorization Requirements, and maintain Privacy Rule Compliance, healthcare can share information responsibly while preserving your privacy.

FAQs

What types of information does the HIPAA Privacy Rule protect?

It protects individually identifiable health information—clinical, billing, and demographic details that identify you or could reasonably identify you—created or received by Covered Entities or their business associates, in any form (electronic, paper, or oral).

Who must comply with the HIPAA Privacy Rule?

Healthcare providers that conduct Electronic Health Transactions, health plans, and healthcare clearinghouses must comply, along with their business associates through binding agreements and direct liability for safeguarding PHI.

How does the Privacy Rule regulate the use and disclosure of PHI?

It permits uses/disclosures for treatment, payment, and healthcare operations; for certain public interest purposes; and to the individual. Other uses require written authorization that meets specific Authorization Requirements. The Minimum Necessary Standard limits the amount of PHI used, disclosed, or requested, with defined exceptions.

What rights do patients have under the HIPAA Privacy Rule?

Patients can access and obtain copies of PHI, request amendments, receive an accounting of certain disclosures, ask for restrictions (including for services paid in full out of pocket), request confidential communications, obtain a Notice of Privacy Practices, and file complaints without retaliation.
