The HIPAA Privacy Rule is a set of national standards established by the U.S. Department of Health and Human Services (HHS) that governs how covered entities may use and disclose protected health information (PHI). Issued under the Health Insurance Portability and Accountability Act of 1996, the Privacy Rule took effect with a compliance date of April 14, 2003 for most covered entities (small health plans had an extra year). These standards were the first comprehensive federal protection for the privacy of health information in the United States.
Before the Privacy Rule, health information could flow relatively freely between doctors, hospitals, insurers, and other parties without explicit patient consent. The Privacy Rule changed that by establishing that patients have rights over their health information and that organizations handling that information must follow strict rules about what they can share, with whom, and under what circumstances. Non-compliance carries significant civil and criminal penalties, making the Privacy Rule one of the most consequential federal healthcare regulations for any organization that handles patient data.
The Privacy Rule works in concert with the HIPAA Security Rule, which covers electronic PHI specifically, and the Breach Notification Rule, which governs what organizations must do when PHI is improperly disclosed. Together, these three rules form the core of HIPAA's patient protection framework. Understanding the Privacy Rule thoroughly is essential for anyone working in healthcare, health insurance, or any organization that handles patient information.
The Privacy Rule's adoption was controversial at the time, with some healthcare providers arguing that its requirements would disrupt care coordination and impose unsustainable compliance burdens on small practices. More than two decades later, most healthcare organizations have integrated Privacy Rule requirements into standard operating procedures, though compliance remains an active and evolving area requiring ongoing attention, particularly as healthcare delivery increasingly moves to digital platforms, telehealth, and cloud-based record systems that create new channels for PHI access and disclosure.
A covered entity may use or disclose PHI without the patient's authorization for its own treatment, payment, or healthcare operations (TPO) and in the other situations the Privacy Rule specifically permits or requires. Any other use or disclosure needs the patient's explicit written authorization.
Every covered entity must give patients a written Notice of Privacy Practices (NPP) explaining how their PHI will be used, patients' rights, and the entity's privacy obligations. Providers with a direct treatment relationship must give the NPP no later than the first service delivery and make a good-faith effort to obtain a written acknowledgment of receipt; health plans provide it at enrollment.
Patients have the right to access their PHI, request amendments to incorrect records, receive an accounting of disclosures, request restrictions on certain uses, and request confidential communications.
When using, disclosing, or requesting PHI, covered entities must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This applies to internal uses as well as external disclosures, but not to disclosures to or requests by a health care provider for treatment, disclosures to the patient, disclosures made under a patient's authorization, disclosures to HHS for compliance purposes, or disclosures required by law.
When sharing PHI with a business associate (a vendor or contractor who handles PHI on your behalf), a written Business Associate Agreement (BAA) must be in place specifying how the associate will protect the information.
All workforce members who handle PHI must receive Privacy Rule training. A designated Privacy Officer must oversee compliance, handle complaints, and implement policies and procedures.
The Privacy Rule applies to "covered entities," a specific legal category defined by HIPAA that includes three types of organizations. Understanding whether your organization qualifies as a covered entity is the foundational step in determining your HIPAA Privacy Rule obligations. The HIPAA overview explains the broader legislative context, but the Privacy Rule's scope is defined more precisely.
Health plans are the first category of covered entities. This includes individual and group health plans, health insurance companies, HMOs, the Medicare and Medicaid programs, and employer-sponsored group health plans. The one exclusion is narrow: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not a covered entity. Nearly every other plan that pays for medical care is a covered entity for Privacy Rule purposes.
Health care providers that transmit any health information in electronic form in connection with a covered transaction are the second category. This includes physicians, hospitals, nursing facilities, pharmacies, dentists, chiropractors, psychologists, and virtually any other type of healthcare provider. The electronic transmission requirement is met by virtually all modern healthcare providers who submit electronic claims or use electronic health records, even those in small practices.
Health care clearinghouses that process health information from one format to another are the third category. These organizations convert non-standard data into standard formats (or vice versa) and are covered entities when they handle individually identifiable health information in this process.
Beyond covered entities, the Privacy Rule also reaches business associates: organizations or individuals that perform functions or activities on behalf of a covered entity, or provide certain services to it, that involve creating, receiving, maintaining, or transmitting PHI. Examples include billing companies, EHR vendors, cloud storage providers, attorneys who handle PHI in litigation, and transcription services. Business associates must comply with the Privacy Rule requirements flowed down in their Business Associate Agreements, and since the HITECH Act (implemented by the 2013 HIPAA Omnibus Rule) they are directly liable for certain violations rather than only contractually liable to the covered entity. Subcontractors that handle PHI for a business associate are business associates themselves.
It's worth noting who is specifically not covered by the Privacy Rule. Employers that receive health information about employees from a group health plan in their role as plan sponsor have limited obligations under the plan's rules, but in their role as employer they are not covered entities. Workers' compensation carriers and state agencies that neither operate a health plan nor provide health care are also not covered entities, although the Rule permits disclosures to them for workers' compensation purposes as authorized by law.
Life insurers, many school districts, and consumer health companies such as fitness-tracker and health-app vendors fall outside the Privacy Rule unless they function as business associates for a covered entity. This matters because patients often assume HIPAA applies to all health information, a misconception that affects how they understand their privacy rights across different contexts.
Any information about a patient's past, present, or future physical or mental health condition, including diagnosis, treatment, prognosis, medications, and test results, in any format: paper, electronic, or oral.
Information relating to payment for healthcare services, including insurance details, billing records, claim data, and payment history connected to an individual's healthcare.
Health information is PHI when it is created or received by a covered entity or business associate and it identifies the individual or could reasonably be used to do so. The Rule's safe-harbor de-identification method lists 18 identifier categories: names; geographic subdivisions smaller than a state; dates (other than year) directly related to the individual; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code.
Health information from which all 18 identifier categories have been removed (and about which the covered entity has no actual knowledge that the remainder could still identify the individual), or that a qualified expert has determined carries only a very small re-identification risk, is de-identified. De-identified data is NOT PHI and is not subject to Privacy Rule protections. A re-identification code may be retained only if it is not derived from the individual's information and is not disclosed.
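The safe-harbor method is mechanical enough to implement, and the places it goes wrong are the edge cases: ages over 89, the year of birth that reveals such an age, sparsely populated three-digit ZIP areas, and identifiers that leak into narrative notes. The following Python example, added here and not part of the original page, applies the method to a constructed record. The field names, the sample record, and the assumption that a `notes` field is the only free text are all this example's own; the restricted ZIP3 set is copied from HHS's safe-harbor guidance and should be confirmed against the current version before use.

```python
import re
from datetime import date
from typing import Any, Dict, Optional

# Record keys treated as direct identifiers and dropped outright. The key
# names are assumptions for this example; real designated record sets differ.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo", "age",
}
# Date keys reduced to the year only; safe harbor allows the year to remain.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}
# Narrative keys scanned for identifiers that leak into free text.
FREE_TEXT_FIELDS = {"notes"}

# Three-digit ZIP prefixes whose area has 20,000 or fewer residents; safe harbor
# requires these to become 000. Taken from HHS's safe-harbor guidance (based on
# 2000 census data); confirm against current guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Residual-identifier patterns for narrative text, applied in this order so the
# SSN pattern wins before the looser phone pattern sees the same digits.
RESIDUAL_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{2,4}(?!\d)"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> Optional[str]:
    """Reduce a ZIP code to its first three digits, or 000 for sparse areas."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return None  # malformed; safer to drop than to guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in narrative text with placeholders."""
    for pattern, token in RESIDUAL_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: Dict[str, Any], as_of_iso: str) -> Dict[str, Any]:
    """Apply the safe-harbor method to one record; as_of_iso fixes the age calculation."""
    as_of = date.fromisoformat(as_of_iso)
    out: Dict[str, Any] = {}
    dob = date.fromisoformat(record["date_of_birth"]) if "date_of_birth" in record else None
    over_89 = dob is not None and age_on(dob, as_of) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            zip3 = generalize_zip(str(value))
            if zip3 is not None:
                out["zip3"] = zip3
        elif key in DATE_FIELDS:
            # The year of birth of anyone over 89 reveals the age and must go too.
            if key == "date_of_birth" and over_89:
                continue
            out[key + "_year"] = date.fromisoformat(value).year
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_text(str(value))
        else:
            out[key] = value
    if dob is not None:
        # Ages over 89 collapse into a single 90+ category.
        out["age_group"] = "90+" if over_89 else str(age_on(dob, as_of))
    return out


# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "date_of_birth": "1931-03-15",
    "admission_date": "2024-06-02",
    "zip": "03601",
    "diagnosis_code": "I10",
    "notes": "Daughter reachable at (555) 123-4567 or jane.d@example.com; follow-up 7/9/2024.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "2024-06-02"))
```

Two design points are worth noting. The age calculation is pinned to an explicit reference date rather than today's date, so the same input always de-identifies the same way and the over-89 rule cannot silently flip as time passes. The free-text scrub is a backstop, not a guarantee: safe harbor also requires that the entity have no actual knowledge the remaining data could identify the patient, and regex scrubbing of narrative notes will miss identifiers that are not digit- or address-shaped, which is one reason many organizations treat free text as undeidentifiable and drop it.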
The Privacy Rule allows disclosure of PHI without patient authorization in these situations:
The Privacy Rule requires disclosure of PHI in only two specific situations: to the individual (or their personal representative) when they exercise their right of access or right to an accounting of disclosures, and to HHS when it is conducting a compliance investigation, review, or enforcement action.
All other disclosures are permissive, not required: the Rule allows the covered entity to disclose, but the entity may decline or may apply its own stricter policy.
These uses and disclosures require explicit written patient authorization:
One of the most significant aspects of the Privacy Rule is the set of rights it grants to individuals regarding their own health information. These rights apply to PHI maintained by covered entities in a designated record set, a defined group of records including medical records, billing records, and other records used to make decisions about individuals. Understanding these rights is important both for patients seeking to exercise them and for covered entities obligated to honor them.
Right of access is the most foundational right. Patients can request access to their PHI in a designated record set, and covered entities must act on the request within 30 days, with a single 30-day extension available if the patient is told the reason for the delay in writing. Since the 2013 Omnibus Rule implemented the HITECH Act, a covered entity that maintains PHI electronically must provide an electronic copy in the form and format the patient requests if it is readily producible, and must transmit a copy to a third party the patient designates in writing. Covered entities may charge only a reasonable, cost-based fee covering the labor of copying, supplies, and postage; they cannot charge for searching for or retrieving the records, and OCR has brought a sustained series of enforcement actions over access delays and improper fees.
Right to amend allows patients to request corrections to PHI they believe is incorrect or incomplete. The covered entity may deny the request if the PHI was not created by the covered entity, is not part of the designated record set, or is accurate and complete in the entity's judgment. If denied, the patient may submit a statement of disagreement, and the entity must note the amendment request in the record.
Right to an accounting of disclosures gives patients the ability to receive a list of certain disclosures of their PHI that the covered entity made in the six years prior to the request. This right has exceptions: it does not cover disclosures for treatment, payment, or health care operations, disclosures to the patient, or disclosures the patient authorized. It does cover disclosures for public health, law enforcement, research, and other specific purposes, which means those disclosures must be logged as they happen so the accounting can later be produced.
Right to request restrictions lets patients ask covered entities to limit how their PHI is used or disclosed. The covered entity generally does not have to agree to the restriction, with one exception: if the patient (or someone other than the health plan on the patient's behalf) pays in full out of pocket for a service and asks that information about that service not be disclosed to their health plan for payment or operations, the covered entity must honor that restriction.
The HIPAA violation page covers the consequences of failing to honor these patient rights, which can include HHS investigations and significant civil penalties.
Right to request confidential communications allows patients to ask covered entities to use alternative means or locations to communicate with them. A patient fleeing domestic violence, for example, may ask that appointment reminders not be sent to a shared address. Health care providers must accommodate reasonable requests without requiring the patient to explain their reason. Health plans must also accommodate reasonable requests, but may require the patient to state that disclosure could endanger them; a patient can, for instance, ask that explanation of benefits forms go to an address other than the policyholder's home.
The Office for Civil Rights (OCR) at HHS is the primary enforcement agency for the HIPAA Privacy Rule. OCR investigates complaints filed by patients and healthcare workers, as well as conducting proactive compliance audits. The 2013 HIPAA Omnibus Rule, implementing the HITECH Act of 2009, significantly strengthened enforcement by making business associates directly liable for Privacy Rule violations and by putting HITECH's higher penalty tiers into the regulations.
Civil monetary penalties are tiered by the covered entity's or business associate's knowledge and culpability: violations the entity did not know about and could not reasonably have known about, violations due to reasonable cause, willful neglect that is corrected within 30 days, and willful neglect that is not corrected. HITECH set the tiers at $100 to $50,000 per violation, with a cap of $1.5 million per year for identical violations; HHS adjusts the dollar amounts for inflation each year, and since 2019 OCR has, as an exercise of enforcement discretion, applied lower annual caps to the three lesser tiers. The tiered structure means that organizations that act in good faith and correct discovered violations face meaningfully lower penalties than those that ignore known compliance problems.
Beyond civil penalties, HIPAA includes criminal provisions enforced by the Department of Justice. Knowingly obtaining or disclosing PHI in violation of HIPAA carries penalties of up to $50,000 and one year in prison. Obtaining PHI under false pretenses increases potential penalties to $100,000 and five years. Using PHI for commercial advantage, personal gain, or malicious harm carries penalties up to $250,000 and 10 years in prison. Criminal HIPAA prosecutions are less common than civil enforcement actions but are pursued in egregious cases.
The HIPAA law page provides additional context on the full statutory framework and the legislative history behind the Privacy Rule's development and subsequent amendments.
State attorneys general also have authority to bring civil actions for HIPAA violations affecting state residents, adding another layer of enforcement beyond federal OCR investigations. Since the HITECH Act granted this authority in 2009, several state AGs have filed significant HIPAA actions, including multi-state coordinated investigations into major health data breaches. HIPAA itself creates no private right of action, but plaintiffs regularly bring class actions under state negligence, consumer-protection, and privacy laws after a breach, often citing HIPAA as the standard of care. This multi-layer enforcement environment (federal OCR, state AGs, and civil litigation) makes robust Privacy Rule compliance an essential risk management priority for any organization handling PHI.
Understanding the Privacy Rule in theory is necessary but not sufficient for compliance. Most violations occur not in deliberate data theft or egregious misuse, but in the daily workflow of healthcare organizations where well-meaning employees make poor decisions about PHI due to inadequate training, unclear policies, or workflow pressures. Recognizing the most common compliance pitfalls helps organizations proactively address them before an OCR complaint or breach investigation reveals them.
Improper access by workforce members is consistently one of the most reported Privacy Rule violations. Employees who access PHI out of curiosity (looking up a neighbor's records, a coworker's diagnosis, or a celebrity patient's information) have no permitted purpose for the access and violate the Privacy Rule's use and disclosure restrictions as well as the entity's minimum necessary policies. Covered entities must implement technical access controls, conduct regular audit log reviews, and have clear policies with enforcement consequences for snooping. Because clinical workflows rarely allow access to be restricted in advance to only a user's assigned patients, after-the-fact detection (comparing access logs against care-team assignments and flagging accesses with no treatment relationship) is the control that actually catches snooping. OCR has pursued enforcement actions against healthcare systems that failed to detect internal snooping even when the system had the technical capability to do so.
Inadequate Business Associate oversight creates significant risk. When a vendor with a BAA suffers a breach, the covered entity faces scrutiny for whether it performed adequate due diligence and monitoring. Simply having a signed BAA is necessary but not sufficient: covered entities should conduct periodic vendor assessments, review security incidents reported by BAs, and update BAA terms as the relationship evolves or as the vendor's services change.
Responding incorrectly to patient access requests is a growing area of OCR enforcement focus. Excessive delays, improper fees, or denials that don't fall within the narrow exceptions allowed by the Privacy Rule can trigger complaints. Healthcare organizations should have a clear, documented process for receiving, tracking, and fulfilling access requests within the 30-day deadline, with escalation procedures for complex requests.
The HIPAA certification page covers training and credential programs that help healthcare professionals demonstrate Privacy Rule competency, an important component of building a compliance culture within any covered entity.
Oversharing outside a treatment relationship is a subtler but common problem. The minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment, so sending a full record to a referring or consulting physician who is treating the patient is permitted. It does apply to payment and operations uses and to workforce access: hospital staff who open the records of patients they are not involved in treating, or who pull full charts for a billing or quality task that needs only a few fields, violate the standard. Implementing role-based access controls, training staff on what constitutes a legitimate need-to-know, and periodically auditing access logs for unusual patterns are the most effective controls for this issue. Healthcare organizations should conduct a formal minimum necessary analysis for each category of routine PHI use and disclosure, document those analyses in their policies, and review non-routine requests individually.
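The two preceding problems, curiosity snooping and workforce access to patients a user is not treating, are caught by the same audit-log review. The Python example below, added here and not taken from the original page, runs that review over constructed EHR access-log lines. It flags four patterns a privacy officer would want queued for review: access with no care-team assignment for the patient at that time (allowing a follow-up grace period after discharge), access to a record that belongs to a fellow workforce member, a user opening their own record through the clinical system, and every emergency "break the glass" override. The log line format, the care-team table, the employee-patient mapping, and the 30-day grace window are all assumptions for this example; real EHR audit exports and ADT feeds differ.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed audit-log line format for this example (real EHR audit exports differ):
#   <ISO-8601 UTC timestamp> user=<id> patient=<id> action=<verb>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+patient=(?P<patient>\S+)\s+action=(?P<action>\S+)$"
)


def ts(s: str) -> datetime:
    """Parse a Z-suffixed ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient: str
    action: str


def parse_log(lines: List[str]) -> List[AccessEvent]:
    """Parse audit lines; malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(AccessEvent(ts(m["ts"]), m["user"], m["patient"], m["action"]))
    return events


# Care-team assignments: patient -> [(user, assignment start, assignment end)].
# Constructed for this example; in practice this comes from the ADT/encounter feed.
CARE_TEAM: Dict[str, List[Tuple[str, datetime, datetime]]] = {
    "P001": [("dr_patel", ts("2024-06-01T08:00:00Z"), ts("2024-06-05T17:00:00Z")),
             ("nurse_kim", ts("2024-06-01T08:00:00Z"), ts("2024-06-05T17:00:00Z"))],
    "P002": [("dr_ortiz", ts("2024-06-03T02:00:00Z"), ts("2024-06-04T12:00:00Z"))],
    "P003": [("dr_ortiz", ts("2024-05-20T08:00:00Z"), ts("2024-05-21T12:00:00Z"))],
}
# Patient records that belong to workforce members: patient id -> user id (constructed).
EMPLOYEE_PATIENTS: Dict[str, str] = {"P003": "dr_patel"}
# Follow-up window after an assignment ends during which access is still expected.
GRACE = timedelta(days=30)


def has_treatment_relationship(user: str, patient: str, when: datetime,
                               care_team: Dict[str, List[Tuple[str, datetime, datetime]]],
                               grace: timedelta = GRACE) -> bool:
    """True if the user was on the patient's care team at `when`, or within the grace window after."""
    for member, start, end in care_team.get(patient, []):
        if member == user and start <= when <= end + grace:
            return True
    return False


def review_events(events: List[AccessEvent],
                  care_team: Dict[str, List[Tuple[str, datetime, datetime]]],
                  employee_patients: Dict[str, str],
                  grace: timedelta = GRACE) -> List[Tuple[AccessEvent, List[str]]]:
    """Return (event, reasons) pairs for every access that needs human review."""
    findings = []
    for e in events:
        reasons = []
        if e.action == "break_glass":
            reasons.append("break_the_glass")  # emergency override: always reviewed
        elif not has_treatment_relationship(e.user, e.patient, e.when, care_team, grace):
            reasons.append("no_treatment_relationship")
        owner = employee_patients.get(e.patient)
        if owner is not None:
            reasons.append("self_access" if owner == e.user else "employee_record")
        if reasons:
            findings.append((e, reasons))
    return findings


def flagged_users(findings: List[Tuple[AccessEvent, List[str]]]) -> Dict[str, int]:
    """Count of flagged accesses per user, for prioritising the review queue."""
    return dict(Counter(e.user for e, _ in findings))


# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """
2024-06-02T10:15:03Z user=dr_patel patient=P001 action=view_chart
2024-06-02T10:20:11Z user=nurse_kim patient=P001 action=view_chart
2024-06-02T12:30:00Z user=nurse_kim patient=P002 action=view_chart
2024-06-02T12:31:10Z user=nurse_kim patient=P003 action=view_chart
2024-06-02T13:00:00Z user=dr_patel patient=P003 action=view_chart
2024-06-03T02:10:00Z user=dr_ortiz patient=P002 action=break_glass
2024-06-20T09:00:00Z user=dr_patel patient=P001 action=view_chart
2024-08-01T09:00:00Z user=dr_patel patient=P001 action=view_chart
garbage line that should be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for event, reasons in review_events(parse_log(SAMPLE_LOG), CARE_TEAM, EMPLOYEE_PATIENTS):
        print(event.when.isoformat(), event.user, event.patient, ",".join(reasons))
```

Of the eight well-formed events, five are flagged: the nurse's two accesses to patients outside her assignment (one of them a colleague's record), the physician opening his own chart, the break-the-glass override, and a chart view two months after the assignment ended. The June 20 access is not flagged because it falls inside the grace window. The flags are review triggers, not verdicts: a legitimate consult or cross-cover shift that the assignment feed missed will look identical to snooping, so the process that follows detection matters as much as the query, and the reasons list is kept so the reviewer sees why each access surfaced.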
While the HIPAA Privacy Rule provides a baseline of protection for all PHI, certain categories of health information receive heightened protection under federal and state law due to their particularly sensitive nature. Understanding these special categories is important for any compliance program because violations involving them often carry greater penalties and reputational consequences.
Psychotherapy notes receive the strongest protection under HIPAA. Unlike other mental health records, psychotherapy notes (the notes a mental health professional takes during a counseling session to document or analyze the conversation, kept separate from the rest of the medical record) require the patient's specific authorization for nearly every use or disclosure. The TPO permissions that justify sharing most PHI without authorization do not extend to them, apart from the originator's own use for treatment and a few narrow exceptions such as the provider's own training programs, defending a legal action brought by the patient, and disclosures required by law or to HHS. An authorization for psychotherapy notes must be separate from any authorization covering other PHI. Medication records, session times, diagnoses, treatment plans, and progress summaries are not psychotherapy notes and remain ordinary PHI.
Substance use disorder (SUD) treatment records are protected not only by HIPAA but also by 42 CFR Part 2, a separate federal regulation that imposes significantly stricter restrictions on disclosure than HIPAA. Part 2 requires patient consent for virtually all disclosures, including to other treating providers, and restricts redisclosure even after consent has been obtained. A 2024 final rule revising Part 2 brings it closer to HIPAA, most notably by allowing a single written consent to cover future uses and disclosures for treatment, payment, and health care operations, but consent remains the default and records disclosed under it still carry redisclosure limits. The intersection of HIPAA and Part 2 requirements creates a complex compliance landscape for organizations treating patients with substance use disorders.
Many states have enacted laws that provide additional privacy protections beyond HIPAA for categories like HIV/AIDS status, genetic information, reproductive health records, and mental health records. When state law provides stricter protection than HIPAA, the state law governs. Covered entities operating in multiple states must track the strictest applicable standard for each category of sensitive PHI they handle.
Genetic information also receives special protection through the Genetic Information Nondiscrimination Act (GINA), a separate federal statute. The 2013 Omnibus Rule aligned the Privacy Rule with GINA by confirming that genetic information is health information (and therefore PHI when held by a covered entity) and by prohibiting health plans, other than issuers of long-term care policies, from using or disclosing it for underwriting purposes such as eligibility decisions or premium adjustments. For covered entities handling genetic test results or family health history, this adds another layer of compliance consideration beyond the protections that apply to other categories of PHI.