What the HIPAA Privacy Rule Regulates: PHI Uses, Disclosures, Access
The HIPAA Privacy Rule sets national standards for how Covered Entities and their business associates handle Protected Health Information (PHI). It governs when PHI may be used, when it may be disclosed, and how you can access and control your information.
This overview explains what the HIPAA Privacy Rule regulates across PHI uses and disclosures, the Minimum Necessary Standard, your individual rights, required Privacy Safeguards, disclosures allowed without Individual Authorization, the Accounting of Disclosures, and how enforcement works.
Use and Disclosure of PHI
“Use” means handling PHI inside an organization; “disclosure” means releasing it outside the organization. The Privacy Rule applies to Covered Entities—health plans, health care clearinghouses, and most health care providers—and to their business associates that handle PHI on their behalf.
PHI may be used or disclosed without Individual Authorization for treatment, payment, and health care operations (TPO). PHI may also be disclosed to you, the individual subject of the information, and as otherwise permitted or required by the rule (see “Disclosures Without Authorization”).
- Uses/disclosures requiring Individual Authorization: most marketing communications, sale of PHI, and non‑TPO research unless an IRB/privacy board grants a waiver.
- De‑identified data: information that no longer identifies an individual is not PHI and falls outside the Privacy Rule.
- Limited data set: a partially de‑identified set may be used for research, public health, or operations under a data use agreement.
Minimum Necessary Standard
The Minimum Necessary Standard requires Covered Entities and business associates to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the purpose. Covered Entities implement role‑based access, policies, and workflows so staff see only what they need.
- Common practices: role definitions, need‑to‑know queries, data segmentation, and routine protocols for recurring disclosures.
- Exceptions: the standard does not apply to disclosures to a provider for treatment, to you as the individual, uses/disclosures made under a valid authorization, or those required by law or requested by HHS for compliance.
- Verification: before disclosing, verify the recipient’s identity and authority and limit the PHI accordingly.
Individual Rights
The Privacy Rule gives you clear rights over your PHI and obligates Covered Entities to respond within defined timeframes.
- Access and copies: receive access to PHI in the form and format requested if readily producible, including electronic copies where available, and direct a copy to a third party.
- Amendment: request corrections to incomplete or inaccurate PHI in your designated record set.
- Restrictions: request limits on certain uses/disclosures; providers must honor a restriction to a health plan when you pay out‑of‑pocket in full for an item or service.
- Confidential communications: receive communications at an alternative address, phone number, or via another reasonable means.
- Notice of Privacy Practices: receive a plain‑language notice describing uses/disclosures, rights, and how to exercise them.
- Complaint: file a privacy complaint with the organization or HHS without retaliation.
Safeguards for PHI
Privacy Safeguards protect PHI in any form—paper, electronic, or oral. Covered Entities and business associates must maintain administrative, physical, and technical measures appropriate to their size, complexity, and risks.
- Administrative: policies and procedures, workforce training, sanctions for violations, business associate agreements, risk assessments, and contingency planning.
- Physical: facility access controls, workstation positioning, device/media controls, and secure disposal of paper and hardware.
- Technical: unique user IDs, access controls, audit controls, transmission security, encryption where reasonable and appropriate, and session time‑outs.
- Incidental disclosures: minimize through reasonable safeguards (e.g., speaking quietly in waiting areas, limiting screen visibility).
Disclosures Without Authorization
The Privacy Rule permits or requires specific disclosures of PHI without Individual Authorization when public interests are at stake and defined conditions are met. The Minimum Necessary Standard applies where required, and the Covered Entity must verify the recipient’s identity and authority before disclosing.
- Treatment, payment, and health care operations (TPO).
- Public Health Disclosures: to public health authorities for disease reporting, surveillance, immunizations, and product safety.
- Health Oversight: to oversight agencies for audits, inspections, licensure, and investigations.
- Judicial and administrative proceedings: in response to court orders or certain subpoenas with required safeguards.
- Law enforcement: for specific purposes such as locating a suspect or reporting certain injuries, consistent with rule conditions.
- Abuse, neglect, or domestic violence: to authorized agencies, subject to professional judgment and legal requirements.
- Decedents: to coroners, medical examiners, funeral directors, and for organ, eye, or tissue donation.
- Serious threats: to prevent or lessen a serious and imminent threat to health or safety.
- Research: under an IRB/privacy board waiver or as a limited data set with a data use agreement.
- Workers’ compensation and other disclosures required by law.
Accounting of Disclosures
You have the right to an Accounting of Disclosures—an itemized record of certain disclosures of your PHI made by a Covered Entity (and by business associates on its behalf) during a look‑back period, typically up to six years.
- What is included: date, recipient, a brief description of the PHI disclosed, and the purpose or a copy of the authorization/request.
- What is excluded: disclosures for TPO, to you, those authorized by you, incidental disclosures, certain national security/custodial situations, and disclosures of a limited data set under a data use agreement.
- Process: submit a request to the Covered Entity; the organization must respond within set timeframes and may charge a reasonable fee for additional requests within a 12‑month period.
Enforcement and Penalties
The HHS Office for Civil Rights (OCR) enforces the Privacy Rule through investigations, compliance reviews, and audits. Outcomes range from technical assistance and corrective action plans to civil monetary penalties based on a tiered system that considers culpability, harm, and efforts to correct.
- Civil enforcement: penalties scale with factors like the nature and extent of the violation and mitigation steps taken.
- Criminal enforcement: the Department of Justice may prosecute knowing and wrongful acquisition or disclosure of PHI, including offenses under false pretenses.
- State actions: state attorneys general can bring civil actions on behalf of residents.
- Practical risk management: documented policies, workforce training, prompt breach response, and regular risk assessments reduce exposure.
In short, the Privacy Rule defines how PHI may be used and shared, limits it through the Minimum Necessary Standard, empowers you with strong access and control rights, and requires robust safeguards—backed by meaningful enforcement when organizations fall short.
FAQs
What is considered PHI under the HIPAA Privacy Rule?
PHI is individually identifiable health information—such as diagnoses, test results, prescriptions, billing details, or insurance data—that relates to your health, care received, or payment for care. It includes information in any form (paper, electronic, or oral) when held by a Covered Entity or its business associate.
When can PHI be disclosed without individual authorization?
PHI can be disclosed without Individual Authorization for treatment, payment, and health care operations; for specific public interest purposes like Public Health Disclosures and Health Oversight; when required by law; and in other situations defined by the rule (e.g., certain law enforcement, judicial proceedings, and serious threat scenarios).
How does the Minimum Necessary Standard protect PHI?
It limits access, use, and disclosure to only what is reasonably needed for the task. Organizations implement role‑based access, standardized protocols for routine disclosures, verification procedures, and audit controls so staff cannot view or share more PHI than necessary.
What rights do individuals have regarding their PHI?
You can access and obtain copies of your PHI, request amendments, ask for restrictions on certain disclosures, choose confidential communication methods, receive a Notice of Privacy Practices, obtain an Accounting of Disclosures, and file a complaint without fear of retaliation.