RiskWatch
Compliance guide · ~12 min read · Updated June 2026

The HIPAA Privacy Rule

The HIPAA Privacy Rule is a US federal regulation that sets national standards for protecting personal health information. Issued by the Department of Health and Human Services and codified at 45 CFR Part 160 and Part 164, it limits how covered entities and their business associates may use and disclose protected health information (PHI), and it gives individuals rights over their own records.

Issued by: HHS / OCR
Effective: 2003
Citation: 45 CFR Part 164
Protects: PHI

01 · Definition

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is the federal regulation that sets national standards for the protection of individually identifiable health information. It was issued by the US Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996, and most provisions reached their compliance date in April 2003.

Its purpose is a balance: protect the privacy of people's health information while still allowing the flow of information needed to provide high-quality care. To do that, the rule defines what counts as protected health information, who is bound by the rule, the limited circumstances in which that information may be used or disclosed, and the rights individuals hold over their own records. It is enforced by the HHS Office for Civil Rights (OCR).

"A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care."

HHS Office for Civil Rights, Summary of the Privacy Rule
The statute

HIPAA, the Health Insurance Portability and Accountability Act of 1996, the law that authorized the rule.

The regulation

45 CFR Part 160 and Subparts A and E of Part 164, the Privacy Rule text HHS issued under HIPAA.

The enforcer

The HHS Office for Civil Rights (OCR), which investigates complaints and imposes penalties.

02 · Scope

Who must comply with the Privacy Rule

The Privacy Rule binds two groups: covered entities and their business associates. If you are neither, the rule does not apply to you, which is why scoping your status correctly is the first step of any compliance program.

Health plans

Health insurers, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and similar entities that pay for the cost of medical care.

Health care clearinghouses

Entities that process nonstandard health information into a standard format (or vice versa) on behalf of others, such as billing services and value-added networks.

Health care providers

Doctors, hospitals, clinics, pharmacies, and other providers, but only those who transmit health information electronically in connection with a HIPAA-covered transaction (such as a claim).

Business associates

Vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, including cloud hosts, billing firms, and SaaS vendors. Directly liable since the 2013 Omnibus Rule.

03 · What it protects

Protected health information (PHI)

The Privacy Rule protects protected health information: individually identifiable health information held or transmitted by a covered entity or business associate, in any form, oral, paper, or electronic.

Information is "individually identifiable" when it relates to a person's physical or mental health, the care they received, or payment for that care, and it either identifies the person or could reasonably be used to identify them. Strip the identifiers correctly and the data is no longer PHI.

HIPAA recognizes two ways to de-identify data. The Safe Harbor method requires removing 18 specific identifiers (listed opposite). The Expert Determination method relies on a qualified statistician certifying that the risk of re-identification is very small. De-identified data falls outside the Privacy Rule entirely.

Note the boundaries. Employment records an employer holds in its role as employer, and education records covered by FERPA, are excluded from PHI. The rule applies to information in the hands of covered entities and business associates acting in their health-care capacity.
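As an added illustration of the Safe Harbor method described above (example code written for this guide, not from the page or from RiskWatch), the function below applies the Safe Harbor rules of 45 CFR 164.514(b)(2) to a constructed patient record: direct identifiers are dropped, dates keep only the year, ages over 89 collapse to "90+", and ZIP codes are cut to three digits or zeroed for low-population prefixes. The identifier field names, the restricted ZIP set, and the sample record are all assumptions constructed for the example.

```python
import re
from datetime import date

# Safe Harbor identifier categories per 45 CFR 164.514(b)(2), expressed as
# assumed field names for this example (the guide itself does not list them).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "face_photo",
})
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Constructed sample set; a real pipeline loads the current Census figures.
RESTRICTED_ZIP3 = frozenset({"036", "059", "063", "102"})
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date", "death_date"})
# Non-identifying clinical fields allowed to pass through unchanged (assumed).
CLINICAL_FIELDS = frozenset({"diagnosis", "procedure_code", "sex", "state"})

def generalize_zip(zip_code):
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def generalize_date(value):
    # Every date element except the year is removed.
    return str(value.year) if isinstance(value, date) else str(value)[:4]

def generalize_age(age):
    # Ages over 89 are aggregated into a single "90+" category.
    return "90+" if age > 89 else age

def safe_harbor(record):
    """Return a Safe Harbor de-identified copy of a patient record (dict)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key in CLINICAL_FIELDS:
            out[key] = value
        # Any other field is treated as a possible "other unique identifying
        # number, characteristic, or code" and is dropped rather than released.
    return out

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Q. Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "zip": "03601", "birth_date": date(1932, 4, 17), "age": 94,
    "admit_date": date(2026, 1, 9), "diagnosis": "E11.9",
    "ip_address": "198.51.100.7", "employee_badge": "B-77",
}
```

Run `safe_harbor(SAMPLE)` to see the released fields; note that the unknown `employee_badge` field is dropped by default, which is the conservative choice when a field has not been reviewed.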

04 · Uses and disclosures

When PHI may be used or disclosed

The default is restraint: a covered entity may not use or disclose PHI except as the Privacy Rule permits or requires. The permitted categories below are the exceptions, and almost everything else needs a written authorization.

No authorization needed

Treatment, Payment, and Operations (TPO)

A covered entity may use and disclose PHI for its own treatment, payment, and health care operations without patient authorization. This is the everyday backbone of care delivery and billing.

No authorization needed

To the individual

Disclosure of PHI back to the individual who is the subject of it is always permitted, and access is a guaranteed right (see individual rights below).

No authorization needed

Public interest and benefit activities

Twelve national priority purposes are permitted without authorization, including required-by-law disclosures, public health activities, victims of abuse, health oversight, judicial proceedings, law enforcement under conditions, and serious threats to health or safety.

Authorization required

Everything else

Most other uses and disclosures, notably marketing, sale of PHI, and most psychotherapy notes, require a valid written authorization from the individual that meets the Privacy Rule's content requirements.

The minimum necessary standard

When PHI is used or disclosed, a covered entity must make reasonable efforts to limit it to the minimum necessary to accomplish the purpose. The standard does not apply to disclosures for treatment, to the individual, or under an authorization, but it governs most routine operational access and is implemented through role-based permissions.

05 · Patient rights

The rights the Privacy Rule gives individuals

The Privacy Rule does not only restrain organizations; it grants individuals enforceable rights over their own health information. The right of access is the most frequently litigated and the most common subject of OCR enforcement.

Right of access

Individuals can inspect and obtain a copy of their PHI in a designated record set. Covered entities must act within 30 days (with one 30-day extension) and may only charge a reasonable, cost-based fee.

Right to amend

Individuals may request corrections to PHI they believe is inaccurate or incomplete. The covered entity must respond, and either make the amendment or explain the denial.

Right to an accounting of disclosures

Individuals can request a list of certain disclosures of their PHI made in the prior six years, outside of treatment, payment, operations, and a few other exceptions.

Right to request restrictions

Individuals may ask a covered entity to restrict uses and disclosures. One restriction is mandatory: when an individual pays out of pocket in full, they can bar disclosure to a health plan.

Right to confidential communications

Individuals can ask to receive communications by alternative means or at alternative locations, for example a specific phone number or address, and providers must accommodate reasonable requests.

Notice of Privacy Practices

Individuals have the right to a clear notice describing how their PHI is used and disclosed and their rights under the rule. Most providers must make a good-faith effort to obtain written acknowledgment.

07 · Enforcement

Enforcement and penalties

The HHS Office for Civil Rights enforces the Privacy Rule. Civil penalties are tiered by the entity's level of culpability, and the per-violation amounts and annual caps are adjusted for inflation each year. The most serious knowing misuse can also be prosecuted criminally by the Department of Justice.

Tier 1
Did not know

The entity was unaware of the violation and could not reasonably have known. Lowest per-violation range.

Tier 2
Reasonable cause

A violation due to reasonable cause and not willful neglect. Mid per-violation range.

Tier 3
Willful neglect, corrected

Willful neglect that the entity corrected within 30 days of discovery. Higher per-violation range.

Tier 4
Willful neglect, uncorrected

Willful neglect that was not timely corrected. Highest per-violation range and annual cap.

Annual caps for a category of violations can reach into the millions of dollars, and OCR publishes its current inflation-adjusted figures each year, so always confirm the live numbers before quoting them. Criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA range up to $250,000 in fines and up to 10 years in prison for offenses committed with intent to sell or use PHI for personal gain or malicious harm.

Beyond the dollar figures, OCR resolution agreements almost always require a multi-year corrective action plan, and the reputational cost of appearing on the public HHS breach portal (the "Wall of Shame") often exceeds the fine itself.

08 · Implementation

How to comply with the Privacy Rule

Seven steps that take a covered entity or business associate from uncertain to defensible. The documented risk analysis (step 6) is the artifact OCR asks for first, so do not skip it.

  1. Confirm your status and map your PHI

     Determine whether you are a covered entity, a business associate, or both, then inventory every system, vendor, and workflow where PHI is created, received, maintained, or transmitted. You cannot protect data you have not located.

  2. Appoint a Privacy Officer

     The Privacy Rule requires a designated Privacy Official responsible for developing and implementing policies and procedures, plus a contact person for complaints. Smaller organizations can combine this with the Security Officer role.

  3. Write policies, procedures, and the Notice

     Document your uses and disclosures, minimum-necessary practices, authorization handling, and patient-rights procedures, then publish a compliant Notice of Privacy Practices. Policies must be retained for six years.

  4. Execute Business Associate Agreements

     Put a written Business Associate Agreement (BAA) in place with every vendor that touches PHI, flowing the same obligations down to subcontractors. A missing BAA is one of the most common enforcement findings.

  5. Train the workforce and enforce sanctions

     Train every workforce member on your privacy policies, document the training, and apply a written sanction policy for violations. Retrain after material policy changes and on a regular cadence.

  6. Run a risk analysis and remediate

     Conduct a documented risk analysis across the Privacy and Security Rules, score the gaps, assign owners, and track remediation to closure. This is the single most scrutinized artifact in an OCR investigation.

  7. Stand up breach response and keep evidence

     Define your breach-assessment and notification workflow before you need it, log every disclosure and request, and keep your compliance evidence audit-ready. The burden of proof in an investigation is on you.

Make it audit-ready
Run HIPAA on a platform, not a spreadsheet.

RiskWatch ships pre-built HIPAA Privacy and Security Rule assessments mapped to a shared control library, tracks remediation to closure, manages Business Associate Agreements, and keeps a timestamped evidence trail, the exact record OCR asks for. Start with the free checklist or see the platform.

09 · Frequently asked

HIPAA Privacy Rule, answered

Ten questions compliance leads, privacy officers, and vendors ask on the way to a defensible program.

What is the HIPAA Privacy Rule in simple terms?
The HIPAA Privacy Rule is a US federal regulation that sets national standards for protecting individuals' medical records and other personal health information. Issued by the Department of Health and Human Services and codified at 45 CFR Part 160 and Subparts A and E of Part 164, it limits how covered entities and their business associates can use and disclose protected health information (PHI), and it gives patients rights over that information, including the right to see and get a copy of their records.
What does the HIPAA Privacy Rule protect?
It protects "protected health information" (PHI): individually identifiable health information held or transmitted by a covered entity or business associate, in any form, oral, paper, or electronic. That includes information about a person's past, present, or future physical or mental health, the care they received, and payment for that care, when it is tied to identifiers such as name, address, dates, or medical record number.
Who has to follow the HIPAA Privacy Rule?
Covered entities (health plans, health care clearinghouses, and health care providers who transmit health information electronically for covered transactions) and their business associates (vendors and subcontractors that handle PHI on their behalf). Since the 2013 Omnibus Rule, business associates are directly liable for compliance, not just contractually bound.
What is the minimum necessary standard?
The minimum necessary standard requires covered entities to limit uses, disclosures, and requests of PHI to the least amount needed to accomplish the intended purpose. It does not apply to disclosures to or authorized by the individual, disclosures for treatment, or a few other listed exceptions, but it governs most routine operational access and is enforced through role-based access policies.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule covers all PHI in any form and governs who may use or disclose it and the rights patients hold over it. The Security Rule is narrower: it applies only to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to keep that electronic data confidential, available, and intact. They work together: the Privacy Rule sets the "what" and "who," and the Security Rule sets the "how" for electronic data.
What is the HIPAA Breach Notification Rule?
The Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media following a breach of unsecured PHI. Individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more residents of a state or jurisdiction also require notice to prominent media and prompt notice to HHS; smaller breaches are reported to HHS annually. Business associates must notify the covered entity.
What are the penalties for violating the HIPAA Privacy Rule?
Civil penalties are tiered by culpability, from violations the entity did not know about up to willful neglect, with per-violation amounts and annual caps that the HHS Office for Civil Rights adjusts for inflation each year. Penalties can reach into the millions of dollars per year for a category of violations. Criminal violations, prosecuted by the Department of Justice, can carry fines up to $250,000 and up to 10 years in prison for the most serious knowing misuse of PHI.
Is patient consent always required to share PHI?
No. A covered entity may use and disclose PHI without authorization for treatment, payment, and health care operations, for disclosures to the individual, and for twelve defined national-priority purposes (such as public health and required-by-law disclosures). Most other uses, including marketing and the sale of PHI, require a valid written authorization that meets the rule's content requirements.
How long must HIPAA documentation be retained?
The Privacy Rule requires covered entities to retain required documentation, including policies and procedures, the Notice of Privacy Practices, and dispositions of complaints, for six years from the date of creation or the date it was last in effect, whichever is later. Note this is the federal HIPAA retention period for compliance documentation, separate from state medical-record retention laws.
Does the HIPAA Privacy Rule apply to employers or schools?
Generally no, not in those roles. Employment records held by an employer and education records covered by FERPA are excluded from PHI. HIPAA applies to covered entities and business associates in their health-care capacity. An employer that also sponsors a self-insured group health plan, however, must wall off and protect the PHI it handles for the plan.
From the rule to a defensible program

Turn the HIPAA Privacy Rule into audit-ready evidence.

Pre-built HIPAA Privacy and Security assessments, cross-mapped controls, BAA tracking, and a timestamped audit trail. 30-day free trial, no credit card.
