Which of the Following Is True About HIPAA? Privacy, Security, and PHI Facts Explained


Kevin Henry

HIPAA

May 14, 2025

9 minutes read

If you’ve ever asked, “Which of the following is true about HIPAA?”, the short answer is that HIPAA sets nationwide rules for how Covered Entities and their partners handle Protected Health Information. It defines what counts as Individually Identifiable Health Information, when it can be used or disclosed, and how it must be safeguarded—especially when it becomes Electronic Protected Health Information.

This guide clarifies the HIPAA Privacy Rule and Security Rule, explains the scope of Protected Health Information, outlines your individual rights, and details the Administrative, Physical, and Technical Safeguards organizations must implement.

HIPAA Privacy Rule Provisions

Scope and purpose

The Privacy Rule establishes national standards for how health plans, health care clearinghouses, and health care providers (when they conduct standard electronic transactions) use and disclose Protected Health Information. It also binds business associates through contracts that require Privacy Rule–compliant protections.

Permitted uses and disclosures without authorization

  • Treatment, payment, and health care operations (TPO).
  • Disclosures to the individual who is the subject of the PHI.
  • Uses or disclosures required by law.
  • Public health activities, health oversight, and certain law enforcement purposes.
  • To avert a serious threat to health or safety.
  • Research with an Institutional Review Board or privacy board waiver, or as otherwise permitted.

Other uses and disclosures generally require a valid, written authorization that clearly describes what information will be used, by whom, and for what purpose.

Minimum necessary standard

Apart from disclosures for treatment and a few other exceptions, you must limit uses, disclosures, and requests to the minimum necessary to accomplish the purpose. Organizations meet this standard through role-based access, standardized workflows, and data segmentation where appropriate.

Notice of Privacy Practices and authorizations

Covered Entities must provide a Notice of Privacy Practices that explains permitted uses and disclosures, individual rights, and how to file a complaint. When an authorization is required, it must be specific, time-limited, and revocable in writing.

De-identification and limited data sets

Health information that has been de-identified is no longer PHI. The Privacy Rule recognizes two methods: Safe Harbor, which removes a specified list of identifiers, and Expert Determination, in which a qualified expert documents that the risk of re-identification is very small. Limited data sets, used under a data use agreement, exclude direct identifiers but remain regulated.
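As an added example (not code from the original article), the following Python applies the Safe Harbor method to a flat patient record: it drops the direct identifiers named under Common identifiers below, keeps only the first three digits of the ZIP code, reduces dates to the year, aggregates ages of 90 or older, and then scans the remaining free text for identifiers that survived. It goes beyond the single phrase "removal of specific identifiers" above; the field names, the sample record, the reference date and the restricted ZIP3 set are assumptions.

```python
import re
from datetime import date
# Direct identifiers Safe Harbor removes outright (field names are assumed).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "email", "ssn",
    "medical_record_number", "account_number", "certificate_number",
    "ip_address", "device_id", "biometric_id", "photo_url",
}
# Constructed sample: ZIP3 prefixes covering 20,000 or fewer people (use census data in practice).
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})
# Patterns that betray identifiers left inside free text such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
AS_OF = date(2025, 5, 14)  # constructed reference date so ages are reproducible

def safe_harbor(record: dict, today: date, restricted_zip3=RESTRICTED_ZIP3) -> dict:
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers entirely
        if field == "zip":                # keep ZIP3 only, or 000 for sparse areas
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in restricted_zip3 else zip3
        elif field == "date_of_birth":    # replace DOB with age, aggregated at 90+
            dob = date.fromisoformat(value)
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            out["age"] = "90+" if age >= 90 else age
        elif field.endswith("_date"):     # other dates keep only the year
            out[field[:-5] + "_year"] = value[:4]
        else:
            out[field] = value
    return out

def residual_identifiers(record: dict) -> list:
    """List field:pattern pairs where identifiers still appear in string values."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits += [f"{field}:{p}" for p, rx in FREE_TEXT_PATTERNS.items() if rx.search(value)]
    return hits

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Example", "street_address": "12 Example Lane", "city": "Springfield", "state": "IL",
    "zip": "62704", "date_of_birth": "1931-03-15", "admission_date": "2024-11-02", "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001", "diagnosis": "Type 2 diabetes", "notes": "Call 555-123-4567 before 5pm.",
}
```

Running `residual_identifiers(safe_harbor(SAMPLE_RECORD, AS_OF))` reports the phone number still sitting in the notes field, which is why structured field removal alone does not finish a Safe Harbor de-identification.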

HIPAA Security Rule Requirements

Focus on ePHI and risk-based approach

The Security Rule applies to Electronic Protected Health Information. It requires a documented risk analysis and ongoing risk management so you can tailor protections to your systems, threats, and resources while still meeting core standards.

Required and addressable specifications

Security standards include both “required” and “addressable” implementation specifications. Addressable does not mean optional; you must implement them if reasonable and appropriate, or document an equivalent, effective alternative.

Core technical standards

  • Access control: unique user IDs, emergency access procedures, automatic logoff, and encryption.
  • Audit controls: system activity logs and monitoring.
  • Integrity: safeguards to prevent improper alteration or destruction of ePHI.
  • Person or entity authentication: verifying a user is who they claim to be.
  • Transmission security: protecting ePHI in transit against unauthorized access or tampering.

Administrative, Physical, and Technical Safeguards work together

The Security Rule’s Administrative Safeguards guide policies and training; Physical Safeguards protect facilities and devices; Technical Safeguards secure systems and data. Together they create layered defenses around ePHI.

Definitions of Protected Health Information

What PHI covers

Protected Health Information is Individually Identifiable Health Information held or transmitted by a Covered Entity or its business associate that relates to a person’s past, present, or future physical or mental health condition, the provision of care, or payment for care. It includes demographic data when those data can identify the individual.

Common identifiers

PHI includes identifiers such as names, geographic subdivisions smaller than a state (street address, city, ZIP code), phone numbers and email addresses, Social Security and medical record numbers, account and certificate numbers, full-face photos and comparable images, biometric identifiers, IP or device identifiers linked to the person, and any other unique code that could identify them.

Electronic PHI vs. other formats

Electronic Protected Health Information (ePHI) is PHI that is created, received, maintained, or transmitted in electronic form. The Privacy Rule covers PHI in any medium, while the Security Rule specifically governs ePHI.

Exclusions and special cases

  • De-identified information is not PHI.
  • Education records under FERPA and employment records held by an employer are not PHI.
  • Information about a decedent is PHI for 50 years following death; after that, it is no longer PHI.

Individual Rights under HIPAA

Right of access

You have the right to access, inspect, and obtain a copy of your PHI in the form and format requested if readily producible, including an electronic copy of ePHI. Covered Entities generally must respond within 30 calendar days, with one permissible 30-day extension if needed. Fees must be reasonable and cost-based.

Right to request amendments

You may request that a Covered Entity amend inaccurate or incomplete PHI. If denied, you can add a statement of disagreement, and the entity must include it in future disclosures where appropriate.

Right to request restrictions and confidential communications

You can ask for restrictions on certain uses or disclosures. While entities need not agree to most restrictions, they must agree not to disclose to a health plan information about services you paid for in full out of pocket. You can also request communications at an alternative address or by alternative means.

Right to an accounting and to be informed

You are entitled to an accounting of certain disclosures and to receive a Notice of Privacy Practices. You may file a complaint with the entity or the government, and you are protected from retaliation for doing so.


Covered Entities and Their Responsibilities

Who is a Covered Entity?

Covered Entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (such as electronic claims). Business associates—vendors or partners who handle PHI on their behalf—must also safeguard PHI under contract.

Core responsibilities

  • Adopt and enforce Privacy Rule and Security Rule policies and procedures.
  • Designate privacy and security officials and train the workforce.
  • Execute business associate agreements that require compliant protections.
  • Conduct risk analyses and implement Administrative, Physical, and Technical Safeguards.
  • Apply sanctions for violations and mitigate harmful effects of improper disclosures.
  • Maintain required documentation for at least six years.

Breach notification and enforcement

Covered Entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, and make additional notifications as required based on incident size and scope. Noncompliance can result in civil monetary penalties and, in egregious cases, criminal liability.

Administrative Safeguards in HIPAA

Security management process

Perform an accurate and thorough risk analysis, implement risk management, apply sanctions for violations, and review information system activity (such as audit logs and access reports).

Assigned security responsibility

Designate a security official who is accountable for developing and implementing security policies and procedures.

Workforce security and access management

Authorize and supervise workforce members, apply role-based access, and terminate access promptly when roles change. Use the “minimum necessary” principle to shape permissions.

Security awareness, training, and incident response

Provide periodic training, phishing awareness, and reminders; implement procedures for reporting, responding, and documenting security incidents and suspected breaches.

Contingency planning and evaluation

Maintain data backup, disaster recovery, and emergency mode operations plans; test them regularly. Periodically evaluate your security posture in light of environmental or operational changes.

Business associate oversight

Execute contracts that require business associates to safeguard ePHI and report incidents, and monitor compliance as part of vendor risk management.

Physical and Technical Safeguards for PHI

Physical Safeguards

  • Facility access controls: badge systems, visitor management, and emergency access procedures.
  • Workstation security and use: position screens to prevent shoulder surfing; lock sessions when unattended.
  • Device and media controls: secure storage, inventory, and tracked disposal or re-use of drives and devices; shred or securely wipe media.

Technical Safeguards

  • Access control: unique user IDs, strong authentication (ideally multi-factor), automatic logoff, and encryption at rest where reasonable and appropriate.
  • Audit controls: log creation, retention, and review for systems housing ePHI.
  • Integrity protections: hashing, checksums, and change-control to prevent unauthorized alteration.
  • Transmission security: TLS or equivalent encryption and integrity checks for data in transit.

Conclusion

In practice, HIPAA asks two things of you: use or disclose only what is allowed under the Privacy Rule, and protect data—especially ePHI—through Administrative, Physical, and Technical Safeguards under the Security Rule. Understanding what counts as Protected Health Information and honoring individual rights completes the picture for compliant, trustworthy care.

FAQs

What protections does the HIPAA Privacy Rule provide?

It limits how Covered Entities and their business associates may use and disclose Protected Health Information, requires the minimum necessary standard, mandates a Notice of Privacy Practices, and grants individuals rights such as access, amendment, and the ability to request restrictions and confidential communications.

How does the HIPAA Security Rule safeguard electronic health information?

It requires a risk-based program for Electronic Protected Health Information that includes Administrative Safeguards (policies, training, incident response), Physical Safeguards (facility and device protections), and Technical Safeguards (access control, audit logging, integrity, authentication, and transmission security).

What qualifies as Protected Health Information?

PHI is Individually Identifiable Health Information about health status, care, or payment that is created or received by a Covered Entity or business associate. It includes identifiers like names, contact details, medical record numbers, and device or biometric identifiers when they can identify the person.

What rights do individuals have under HIPAA?

You have the right to access and obtain copies of your PHI (including ePHI), request amendments, ask for restrictions and confidential communications, receive a Notice of Privacy Practices, obtain an accounting of certain disclosures, and file a complaint without retaliation.
