HIPAA

HIPAA Privacy Rule

The HIPAA Privacy Rule governs the use and disclosure of protected health information, establishes patient rights, and sets the minimum necessary standard.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards for the protection of individually identifiable health information. It defines who may access protected health information (PHI), under what circumstances PHI may be used or disclosed, and what rights patients have over their own health data.

Unlike the HIPAA Security Rule, which focuses exclusively on electronic PHI, the Privacy Rule covers PHI in any form — electronic, paper, or oral. It applies to all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and, through the HITECH Act, to business associates as well.

For a complete overview of HIPAA compliance requirements, visit the main framework page. The HIPAA glossary entry provides foundational definitions of key terms.

Protected health information defined

PHI is any individually identifiable health information held or transmitted by a covered entity or business associate in any form. The Privacy Rule identifies 18 specific identifiers (names, dates, Social Security numbers, medical record numbers, email addresses, biometric identifiers, and others) that make health information individually identifiable. Removing all 18 identifiers through proper de-identification produces data that falls outside the Privacy Rule's scope.

The minimum necessary standard

One of the Privacy Rule's most consequential requirements is the minimum necessary standard. It requires covered entities and business associates to make reasonable efforts to limit their uses and disclosures of PHI, and their requests for PHI, to the minimum amount necessary to accomplish the intended purpose.

The minimum necessary standard applies to:

  • Internal uses — workforce members should have access only to the PHI they need for their job functions. Role-based access policies are the most common implementation.
  • Routine disclosures — for recurring types of disclosures, organizations should establish standard protocols that limit the information shared.
  • Non-routine disclosures — for individual requests, the organization must review each request and limit the disclosure to what is reasonably necessary.
  • Requests to other entities — when requesting PHI from another covered entity, the organization must limit its request to what is reasonably necessary.

The minimum necessary standard does not apply to disclosures made to the individual who is the subject of the information, disclosures authorized by the individual, uses or disclosures required for treatment, disclosures required by law, or disclosures to HHS for compliance investigations.
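As an added illustration (not from this page or from episki), the following Python shows how the minimum necessary standard and the exemptions listed above can be encoded as a policy-as-code check with a default-deny posture and an audit trail; the role names, field names, purpose labels and the sample record are constructed assumptions.

```python
# Added example (not from the page or from episki): the minimum necessary
# standard as a policy-as-code check. A requester receives only the PHI
# fields its role needs for the stated purpose, except for the purposes
# the Privacy Rule carves out of the standard. Roles, field names, purpose
# labels and the sample record are constructed assumptions.

# Hypothetical role-based policy: PHI fields each job function needs.
ROLE_FIELDS = {
    "billing_clerk": {"name", "insurance_id", "dates_of_service", "billing_codes"},
    "scheduler": {"name", "phone", "dates_of_service"},
    "physician": {"name", "dob", "diagnoses", "medications", "dates_of_service"},
}

# Purposes the Rule exempts from the minimum necessary limitation.
EXEMPT_PURPOSES = {
    "treatment", "disclosure_to_individual", "individual_authorization",
    "required_by_law", "hhs_compliance_investigation",
}

# Constructed sample record; values are placeholders, not real data.
SAMPLE_RECORD = {
    "name": "Jane Example", "dob": "1980-01-02", "ssn": "000-00-0000",
    "phone": "555-0100", "insurance_id": "PLAN-12345",
    "dates_of_service": ["2024-03-01"], "diagnoses": ["J06.9"],
    "billing_codes": ["99213"],
}

class AccessDenied(Exception):
    """Raised when no policy authorizes any PHI for the role."""

def minimum_necessary(record, requester_role, purpose, audit_log):
    """Return the subset of `record` permitted for this role and purpose.

    Each decision is appended to `audit_log` as (decision, role, purpose,
    fields) so the organization can show what was released and why.
    """
    if purpose in EXEMPT_PURPOSES:
        released = dict(record)          # standard does not apply here
    else:
        allowed = ROLE_FIELDS.get(requester_role)
        if allowed is None:              # default deny: no policy, no PHI
            audit_log.append(("deny", requester_role, purpose, ()))
            raise AccessDenied(f"no minimum-necessary policy for role {requester_role!r}")
        released = {k: v for k, v in record.items() if k in allowed}
    audit_log.append(("release", requester_role, purpose, tuple(sorted(released))))
    return released
```

A billing request for a payment purpose yields only the billing-related fields, while a treatment request returns the full record and an unknown role is refused outright.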

Patient rights under the Privacy Rule

The Privacy Rule grants individuals significant control over their health information. These rights are enforceable, and organizations must have documented processes to honor them.

Right to access

Individuals may inspect and obtain copies of their PHI. The covered entity must respond within 30 days (one 30-day extension permitted) and may charge a reasonable, cost-based fee.

Right to request amendment

Individuals may request amendments to inaccurate or incomplete PHI. The entity must act within 60 days and provide written denial with an opportunity for the individual to submit a disagreement statement.

Right to an accounting of disclosures

Individuals may request a list of PHI disclosures made during the prior six years, excluding disclosures for treatment, payment, operations, and those authorized by the individual.

Right to request restrictions and confidential communications

Individuals may request restrictions on PHI use for treatment, payment, or operations. The entity must comply when the individual pays out of pocket and requests non-disclosure to a health plan. Individuals may also request alternative communication methods or locations.

Notice of Privacy Practices (NPP)

The Notice of Privacy Practices is a foundational document under the Privacy Rule. It must be provided to every individual at the first point of service (for healthcare providers with a direct treatment relationship) or upon request.

The NPP must include:

  • A description of how the entity may use and disclose PHI
  • The individual's rights regarding their PHI
  • The entity's legal duties with respect to PHI
  • Contact information for the entity's privacy official
  • Contact information for filing complaints with the entity and with HHS
  • The effective date of the notice

The NPP must be prominently posted at the entity's physical location and on its website if it maintains one. Any material change to privacy practices requires a revised NPP and updated distribution.

Permitted uses and disclosures

The Privacy Rule defines specific categories of permitted uses and disclosures. Understanding these categories is essential for compliance, as any use or disclosure that falls outside them requires written patient authorization.

Uses and disclosures without authorization

PHI may be used or disclosed without individual authorization for treatment, payment, healthcare operations, public health activities, health oversight, judicial and administrative proceedings, law enforcement purposes, research (with IRB approval), preventing serious threats to health or safety, essential government functions, workers' compensation, and reporting abuse or neglect.

Uses and disclosures requiring authorization

Any use or disclosure not covered by the permitted categories above requires a valid written authorization from the individual. Authorizations must include a description of the information, the persons authorized to make and receive the disclosure, an expiration date, and the individual's signature. Marketing communications, the sale of PHI, and psychotherapy notes almost always require authorization.

Business associates and the Privacy Rule

The Privacy Rule requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard PHI. These assurances are formalized through Business Associate Agreements (BAAs). The HITECH Act extended many Privacy Rule requirements directly to business associates, making them independently liable for compliance.

Enforcement

The HHS Office for Civil Rights enforces the Privacy Rule through investigations triggered by complaints or compliance reviews. Penalties mirror those of the Security Rule, ranging from $100 to $50,000 per violation with annual maximums of $1.5 million per category. State attorneys general may also bring actions for Privacy Rule violations under the HITECH Act.

For healthcare organizations establishing or strengthening their privacy program, the HIPAA compliance checklist includes a complete walkthrough of Privacy Rule obligations alongside Security Rule and Breach Notification Rule requirements.

Practical steps for compliance

Organizations building a Privacy Rule compliance program should:

  • Designate a privacy official
  • Conduct a PHI inventory across all systems and workflows
  • Develop and distribute the Notice of Privacy Practices
  • Implement minimum necessary policies with role-based access controls
  • Train all workforce members at onboarding and regularly thereafter
  • Establish documented procedures for patient rights requests
  • Execute BAAs with all business associates before sharing PHI
  • Implement a complaint process that allows individuals to report privacy concerns without retaliation
