What the HIPAA Privacy Rule Requires for PHI: A Compliance Guide
The HIPAA Privacy Rule sets national standards for how you handle Protected Health Information (PHI). This compliance guide explains who is covered, what counts as PHI, when you may use or disclose it, and the safeguards and individual rights you must honor. Use it to build practical policies that work day to day.
Covered Entities
Who is covered
Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. If you fall into one of these groups, HIPAA applies to your uses and disclosures of PHI in any form—paper, verbal, or electronic.
Business associates and agreements
Vendors that create, receive, maintain, or transmit PHI on your behalf are business associates. Before sharing PHI, you must execute a Business Associate Agreement that defines permitted uses and disclosures, requires appropriate safeguards, mandates breach reporting, flows obligations to subcontractors, and addresses PHI return or destruction at termination.
Your privacy governance
- Designate a privacy official and establish a complaint process.
- Train your workforce on policies and sanctions for violations.
- Provide a clear Notice of Privacy Practices to individuals.
- Document policies and procedures and retain required records.
Definition of Protected Health Information
What counts as PHI
PHI is individually identifiable health information that relates to an individual’s past, present, or future physical or mental health or condition, health care, or payment for health care. It includes common identifiers (for example, name, address, full-face photos, device IDs) when linked to health data.
What is not PHI
De-identified information is not PHI. You may de-identify either by removing specified identifiers (safe harbor) or via documented expert determination that the risk of re-identification is very small. A limited data set, with certain identifiers removed, remains regulated and typically requires a data use agreement.
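To make the safe-harbor branch concrete, here is an added example (not part of the guide or of Accountable's products) that applies the safe-harbor method to a single record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are cut to three digits (with the sparsely populated prefixes zeroed), ages over 89 are folded into one "90+" category, and obvious identifier patterns are scrubbed from free text. The field names, the sample record and the free-text patterns are assumptions chosen for illustration; the restricted ZIP prefixes are the set published in OCR's de-identification guidance and should be verified against the current guidance before use.

```python
"""Safe-harbor style de-identification of one patient record (added example,
not from the guide). Field names and the sample record are assumptions."""
import re
from datetime import date

# Fields dropped outright (assumed names for the safe-harbor identifier
# categories: names, sub-state geography, contact details, numbers, etc.).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id",
    "photo", "other_unique_id",
}

# Three-digit ZIP prefixes that OCR's de-identification guidance lists as
# covering 20,000 or fewer people (2000 Census); safe harbor sets them to 000.
# Verify against the current guidance before relying on this set.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier patterns that frequently leak through free-text notes (assumed).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]


def zip3(zip_code: str) -> str:
    """Keep the first three digits of a ZIP code unless the prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if digits in RESTRICTED_ZIP3 else digits


def age_on(dob: date, as_of: date) -> int:
    """Whole years elapsed between date of birth and the reference date."""
    before_birthday = (as_of.month, as_of.day) < (dob.month, dob.day)
    return as_of.year - dob.year - before_birthday


def redact_free_text(text: str) -> str:
    """Replace SSN, phone and e-mail patterns in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a safe-harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                            # direct identifier: drop entirely
        if key == "zip":
            out["zip3"] = zip3(str(value))      # geography no finer than ZIP3
        elif key.endswith("_date") and isinstance(value, date):
            out[key[:-5] + "_year"] = value.year  # keep only the year element
        elif isinstance(value, str):
            out[key] = redact_free_text(value)
        else:
            out[key] = value
    dob = record.get("birth_date")
    if isinstance(dob, date):
        age = age_on(dob, as_of)
        if age > 89:
            # Ages over 89, and any date element that reveals them (here the
            # birth year), collapse into the single "90+" category.
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "zip": "03601",
    "birth_date": date(1930, 5, 14),
    "admission_date": date(2024, 3, 2),
    "diagnosis_code": "J18.9",
    "notes": "Patient asked to be called at 555-123-4567 about results.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2024, 6, 1)))
```

The free-text pass is the part most implementations forget: a clinical note that still contains a phone number or e-mail address is not de-identified even if every structured identifier field has been removed. Expert determination would instead assess re-identification risk statistically over the whole dataset; this block only implements the safe-harbor rules.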
Context matters
Employment records held in your role as employer and education records covered by FERPA are not PHI. The same data may be PHI in one context (a clinic chart) but not in another (a consumer wellness app that is not a covered entity or business associate).
Permitted Uses and Disclosures
Required disclosures
- To the individual (or their personal representative) upon request.
- To the Department of Health and Human Services for compliance investigations and reviews.
Without individual authorization
- Treatment, payment, and health care operations (TPO).
- Public health activities (for example, reporting certain diseases, adverse events).
- Health oversight activities (audits, inspections, licensure).
- Judicial and administrative proceedings and certain law enforcement purposes.
- Workplace-related disclosures as permitted (for example, workers’ compensation).
- Decedents, organ and tissue donation, and cadaveric donation purposes.
- To avert a serious threat to health or safety based on professional judgment.
- Research with an Institutional Review Board or privacy board waiver, or using a limited data set with a data use agreement.
With individual authorization
Uses and disclosures outside the permitted categories require a valid authorization. Marketing beyond limited exceptions and any sale of PHI generally require explicit authorization that discloses the financial benefit.
Incidental disclosures
Incidental disclosures may occur despite reasonable safeguards and compliance with the Minimum Necessary Standard. You must still reduce risk via practical controls, such as privacy screens and lowered voice volumes.
Minimum Necessary Standard
Scope and key exceptions
You must limit PHI uses, disclosures, and requests to the minimum necessary to achieve the purpose. This standard does not apply to disclosures to or requests by health care providers for treatment, uses or disclosures authorized by the individual, disclosures to the individual, disclosures required by law, or to HHS for oversight.
How to implement
- Define role-based access so workforce members see only what they need.
- Standardize routine disclosures with templates and approved data elements.
- Use de-identified information or limited data sets when full PHI is not required.
- Review one-off requests individually and document your rationale.
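The four steps above, plus the exceptions listed under "Scope and key exceptions", can be expressed as one access filter. The following is an added example, not code from the guide or from Accountable: requests for an exempt purpose (treatment by a provider, access by the individual, a valid authorization, legal requirement, HHS oversight) get the full record; routine requests are cut down to the role's approved data elements; one-off requests release only the named fields and are refused without a written rationale; and every decision is appended to an audit trail. Role names, field names and purpose labels are assumptions.

```python
"""Minimum-necessary filtering of PHI by workforce role and purpose (added
example, not from the guide). Roles, fields and purpose labels are assumed."""
from datetime import datetime, timezone

# Purposes the minimum necessary standard does not apply to (labels assumed).
EXEMPT_PURPOSES = {
    "treatment_by_provider",    # disclosure to / request by a provider for treatment
    "individual_access",        # disclosure to the individual
    "individual_authorization", # use or disclosure under a valid authorization
    "required_by_law",
    "hhs_oversight",
}

# Role-based templates: the approved data elements for routine work (assumed).
ROLE_DATA_ELEMENTS = {
    "billing_clerk": {"patient_id", "dates_of_service", "procedure_codes", "insurance_id"},
    "scheduler": {"patient_id", "name", "phone", "next_appointment"},
    "quality_analyst": {"patient_id", "procedure_codes", "diagnosis_codes", "outcome"},
}


def _log(audit, role, purpose, released, withheld, rationale):
    """Append one decision record so the rationale can be produced later."""
    audit.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "purpose": purpose,
        "released": sorted(released),
        "withheld": sorted(withheld),
        "rationale": rationale,
    })


def minimum_necessary(record, role, purpose, audit):
    """Return the subset of `record` the caller may see for a routine request."""
    if purpose in EXEMPT_PURPOSES:
        _log(audit, role, purpose, set(record), set(), "exempt purpose")
        return dict(record)
    allowed = ROLE_DATA_ELEMENTS.get(role)
    if allowed is None:
        _log(audit, role, purpose, set(), set(record), "no template for role")
        raise PermissionError(f"no data-element template for role {role!r}")
    filtered = {k: v for k, v in record.items() if k in allowed}
    _log(audit, role, purpose, set(filtered), set(record) - set(filtered), "role template")
    return filtered


def one_off_request(record, role, purpose, requested_fields, rationale, audit):
    """Non-routine request: release only the named fields, and only with a rationale."""
    if purpose in EXEMPT_PURPOSES:
        return minimum_necessary(record, role, purpose, audit)
    if not rationale or not rationale.strip():
        raise ValueError("one-off PHI requests must document why each field is necessary")
    wanted = set(requested_fields)
    filtered = {k: v for k, v in record.items() if k in wanted}
    _log(audit, role, purpose, set(filtered), set(record) - set(filtered), rationale)
    return filtered


# Constructed sample record; all values are fictitious.
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Sample Patient",
    "phone": "555-000-0000",
    "ssn": "000-00-0000",
    "dates_of_service": ["2024-03-02"],
    "procedure_codes": ["99213"],
    "diagnosis_codes": ["J18.9"],
    "insurance_id": "INS-42",
    "next_appointment": "2024-04-01",
    "outcome": "resolved",
    "clinical_notes": "Follow-up in four weeks.",
}

if __name__ == "__main__":
    trail = []
    print(minimum_necessary(SAMPLE_RECORD, "billing_clerk", "payment", trail))
    print(trail[-1]["withheld"])
```

The audit trail is what makes the last step ("document your rationale") auditable: each entry records what was released, what was withheld and why, so a later OCR review or an accounting request can be answered from the log rather than from memory.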
Safeguards for PHI
Administrative Safeguards
- Perform risk analyses and implement risk management plans.
- Adopt written policies, workforce training, and sanction processes.
- Manage Business Associate Agreements and monitor vendors.
- Plan for incident response, complaint handling, and documentation retention.
Physical Safeguards
- Control facility and workstation access; protect paper and devices.
- Use secure storage, clean-desk practices, and privacy screens in shared areas.
- Dispose of PHI securely (for example, shredding, media destruction).
Technical Safeguards
- Enforce unique user IDs, strong authentication, and automatic logoff.
- Enable encryption in transit and at rest where reasonable and appropriate.
- Maintain audit logs, integrity checks, and access monitoring.
- Use data loss prevention to restrict downloads and mass exports.
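The last two bullets (audit logs with access monitoring, and controls on mass exports) are only useful if someone actually reads the logs. As an added example that is not part of the guide, the block below runs a simple access-monitoring check over constructed audit log lines: it flags a user who opens more distinct patient records inside a sliding window than a routine role plausibly needs, flags any export action, and reports lines it cannot parse instead of silently skipping them. The log format, user names, role names, threshold and patient IDs are all assumptions.

```python
"""Access-monitoring check over constructed PHI audit log lines (added
example, not from the guide). Log format, names and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed single-line log format emitted by an EHR or application gateway.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)
WINDOW = timedelta(minutes=10)
DISTINCT_PATIENT_THRESHOLD = 5          # assumed tuning knob; set per role in practice
EXPORT_ACTIONS = {"export", "bulk_download"}


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines):
    """Scan log lines and return a list of alert dicts in detection order."""
    alerts, events = [], []
    for raw in lines:
        event = parse_line(raw)
        if event is None:
            alerts.append({"type": "unparsable", "line": raw})
        else:
            events.append(event)
    events.sort(key=lambda e: e["ts"])   # window logic assumes time order

    recent = defaultdict(deque)          # user -> (timestamp, patient) within WINDOW
    flagged = set()                      # users already alerted for volume
    for ev in events:
        if ev["action"] in EXPORT_ACTIONS:
            alerts.append({"type": "export", "user": ev["user"],
                           "patient": ev["patient"], "at": ev["ts"].isoformat()})
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["patient"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()                  # drop events that left the window
        distinct = {p for _, p in q}
        if len(distinct) > DISTINCT_PATIENT_THRESHOLD and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append({"type": "volume", "user": ev["user"], "role": ev["role"],
                           "distinct_patients": len(distinct), "at": ev["ts"].isoformat()})
    return alerts


# Constructed sample log; users, roles and patient IDs are fictitious.
SAMPLE_LOG = [
    "2024-03-02T14:00:05Z user=nrn1 role=nurse action=view patient=P1001",
    "2024-03-02T14:01:10Z user=jdoe role=billing action=view patient=P2001",
    "2024-03-02T14:01:12Z user=jdoe role=billing action=view patient=P2002",
    "2024-03-02T14:01:15Z user=nrn1 role=nurse action=view patient=P1002",
    "2024-03-02T14:01:20Z user=jdoe role=billing action=view patient=P2003",
    "2024-03-02T14:01:25Z user=jdoe role=billing action=view patient=P2004",
    "this line is corrupt",
    "2024-03-02T14:01:30Z user=jdoe role=billing action=view patient=P2005",
    "2024-03-02T14:02:00Z user=nrn1 role=nurse action=view patient=P1001",
    "2024-03-02T14:03:45Z user=jdoe role=billing action=view patient=P2006",
    "2024-03-02T14:05:00Z user=jdoe role=billing action=export patient=P2006",
    "2024-03-02T14:20:00Z user=jdoe role=billing action=view patient=P2007",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The volume rule fires once per user rather than on every subsequent event, which keeps a reviewer's queue readable; the unparsable-line alert matters because a gap in audit coverage is itself a finding during a risk analysis.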
Individual Rights under the Privacy Rule
Right of access
Individuals have the right to inspect and obtain copies of their PHI in the form and format requested if readily producible, including electronic copies. Fees must be reasonable and cost-based. You must respond within required timeframes and provide status updates when extensions apply.
Right to request amendment
Individuals may request amendments to PHI in designated record sets. If you deny a request, you must provide a written explanation and allow a statement of disagreement to be added to the record.
Accounting of Disclosures
Upon request, provide an accounting of disclosures of PHI for a defined look-back period, excluding most TPO disclosures and disclosures made with authorization. Your accounting must include dates, recipients, a brief purpose, and the PHI categories disclosed.
Restrictions and confidential communications
Individuals may request restrictions on certain uses or disclosures and may require confidential communications (for example, alternative address or phone). When a patient pays in full out of pocket, you generally must honor a restriction on disclosures to a health plan for that item or service.
Notice of Privacy Practices
You must supply and, when applicable, post a Notice of Privacy Practices that explains uses and disclosures, individual rights, your duties, and how to file complaints.
Enforcement and Penalties
How enforcement works
The HHS Office for Civil Rights (OCR) enforces the Privacy Rule through complaint intake, compliance investigations, breach reviews, and proactive compliance reviews. Outcomes range from technical assistance and corrective action plans to settlement agreements or civil money penalties.
Civil and criminal exposure
- Civil penalties scale by violation category and culpability, with higher tiers for willful neglect not corrected in time.
- Criminal penalties may apply for knowingly obtaining or disclosing PHI in violation of HIPAA, including for false pretenses or personal gain.
- State attorneys general may also bring civil actions on behalf of state residents.
Mitigation and documentation
- Demonstrate good-faith compliance: timely response to incidents, workforce remediation, and policy updates.
- Maintain evidence of training, risk analyses, BAAs, and decisions under the Minimum Necessary Standard.
Conclusion
Effective HIPAA privacy compliance rests on three pillars: knowing what PHI is and when you may use or disclose it, applying the Minimum Necessary Standard, and enforcing strong administrative, physical, and technical safeguards. Align these pillars with clear individual rights practices and vigilant oversight to reduce risk and build trust.
FAQs
What information is considered PHI under HIPAA?
PHI is any individually identifiable health information that relates to health, care provided, or payment for care. If a data element can identify a person (directly or indirectly) and is linked to health information, treat it as PHI unless it has been properly de-identified.
How does the Privacy Rule limit PHI disclosures?
Disclosures are permitted for TPO and specific public interest purposes, are required in limited cases (to the individual and to HHS), and otherwise require a valid authorization. Even when a disclosure is allowed, you must apply the Minimum Necessary Standard and reasonable safeguards.
What rights do individuals have regarding their PHI?
Individuals can access and obtain copies of their PHI, request amendments, receive an Accounting of Disclosures, request restrictions, and require confidential communications. They also must receive a Notice of Privacy Practices explaining these rights and how to exercise them.
What penalties apply for violating the HIPAA Privacy Rule?
OCR may require corrective actions, enter settlements, or impose tiered civil money penalties based on the nature of the violation and your compliance posture. Serious, knowing violations can lead to criminal prosecution, and state attorneys general may pursue civil remedies.