HIPAA Privacy Rule: Scope and Requirements

The HIPAA Privacy Rule establishes federal standards governing the use and disclosure of individually identifiable health information held by specific categories of organizations operating in the United States. Enacted under the Health Insurance Portability and Accountability Act of 1996 and promulgated by the U.S. Department of Health and Human Services, the Rule defines who must comply, what information is protected, and under what conditions that information may be shared. For healthcare organizations, insurers, and their business partners, compliance failures carry civil and criminal penalty exposure that reaches $1.9 million per violation category per year (HHS Office for Civil Rights, Summary of the HIPAA Privacy Rule).



Definition and scope

The HIPAA Privacy Rule, codified at 45 CFR Parts 160 and 164, governs Protected Health Information (PHI) — a defined category of individually identifiable health data that relates to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for that care. PHI encompasses 18 distinct identifiers specified by HHS, ranging from names and geographic data smaller than state level to device identifiers and full-face photographs.

The Rule applies to three primary categories of covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions. Extended applicability reaches business associates — third-party contractors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity. The 2013 Omnibus Rule finalized under the Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates directly liable under HIPAA, expanding enforcement reach beyond the original 1996 statutory boundary.


Core mechanics or structure

The Privacy Rule operates through a set of interlocking permissions, prohibitions, and procedural requirements.

Minimum Necessary Standard: Covered entities must make reasonable efforts to limit PHI use, disclosure, and requests to the minimum amount necessary to accomplish the intended purpose. This standard applies to routine disclosures but carries explicit exceptions — including disclosures to the individual patient, disclosures required by law, and treatment communications between providers.

Notice of Privacy Practices (NPP): Covered entities must provide patients with a written notice describing how PHI may be used and disclosed, the individual's rights, and the entity's legal duties. Direct treatment providers must make good-faith efforts to obtain written acknowledgment of NPP receipt.

Individual Rights: The Rule establishes six categories of individual rights — the right to access PHI, the right to request amendment, the right to an accounting of disclosures, the right to request restrictions, the right to request confidential communications, and (under the 2021 HHS HITECH Act Final Rule) the right to direct electronic copies to third-party applications.

Authorization vs. Permitted Disclosure: Uses and disclosures fall into two lanes. Permitted disclosures — including treatment, payment, healthcare operations, and 12 other national priority categories — require no patient authorization. Any use or disclosure outside those permitted categories requires a valid written authorization containing specific elements enumerated at 45 CFR § 164.508.

Safeguards Requirement: Covered entities must implement administrative, physical, and technical safeguards to protect PHI privacy — a baseline requirement distinct from (though overlapping with) the more detailed security specifications in the HIPAA Security Rule at 45 CFR Part 164, Subpart C.


Causal relationships or drivers

The Privacy Rule emerged from a documented policy gap: before 1996, no federal floor existed for health information privacy. Health data moved across insurers, employers, and providers under a patchwork of state laws with inconsistent protections. Congress mandated that HHS promulgate a federal standard if comprehensive privacy legislation was not enacted within three years — a deadline that passed without legislation, triggering the regulatory process.

HITECH (Title XIII of the American Recovery and Reinvestment Act of 2009) strengthened enforcement after the HHS Office for Civil Rights (OCR) documented that voluntary compliance mechanisms were insufficient. OCR's enforcement data shows that between 2003 and 2023, the office received over 300,000 complaints and resolved the majority through corrective action rather than penalties — a ratio that reflects the Rule's structure as a compliance-first framework (HHS OCR HIPAA Enforcement Results).

Breach notification requirements introduced by HITECH created a secondary enforcement driver: covered entities must notify affected individuals, HHS, and in cases affecting 500 or more residents in a state, prominent local media outlets. Large breaches appear on the publicly accessible HHS "Wall of Shame" — formally the Breach Notification Portal — creating reputational pressure independent of penalty proceedings.


Classification boundaries

The Privacy Rule draws hard distinctions that determine applicability:

Covered entity vs. non-covered entity: An employer maintaining employee health records under a self-insured health plan is a covered entity for those records. The same employer's HR department maintaining general personnel records is not. HIPAA does not regulate all health data — only PHI held by covered entities and their business associates.

PHI vs. de-identified information: Information that has been de-identified under either the Safe Harbor method (removal of all 18 identifiers plus certification of no residual risk) or the Expert Determination method (a statistical expert certifies that the risk of re-identification is very small) falls outside the Rule's protections and restrictions. De-identification is a defined technical process, not a general judgment call.
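The mechanical part of the Safe Harbor method, shown on a constructed patient record as an added example (this is not code from the reference site or from HHS). It drops the direct-identifier fields, keeps only the year of dates, truncates ZIP codes to three digits, collapses ages over 89 into a single bucket, and scans remaining free text for identifiers that often survive field-level scrubbing. The field names, the restricted ZIP prefix set and the sample record are assumptions for the example; the Safe Harbor "no actual knowledge" condition is a human judgement and is not automated here.

```python
"""Safe Harbor style de-identification of one constructed record (illustrative)."""
import re
from datetime import date

# Record fields that fall into Safe Harbor identifier categories and are removed
# outright. The field names are an assumption for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "photo",
}

# Three-digit ZIP prefixes covering 20,000 or fewer people must be reported as
# "000". The authoritative list is derived from Census data; this set is a
# constructed placeholder.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823", "893"}

DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that commonly leak through free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or '000' if the area is too small."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(value).year)


def generalize_age(age: int) -> str:
    """All ages over 89 are aggregated into a single category."""
    return "90+" if age > 89 else str(age)


def scan_free_text(text: str) -> list:
    """Return the identifier categories found in a free-text field."""
    return [name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)]


def safe_harbor_deidentify(record: dict) -> dict:
    """Apply the field-level Safe Harbor rules and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    # A birth year that would reveal an age over 89 must be suppressed as well.
    if out.get("age") == "90+" and "birth_date" in out:
        out["birth_date"] = None
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "birth_date": "1931-05-14",
    "age": 92,
    "admission_date": "2023-11-02",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up call to 555-123-4567; email jane@example.com",
}

if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    # Free text is not de-identified by field removal; flag it for manual review.
    print("residual identifiers in notes:", scan_free_text(cleaned["notes"]))
```

The free-text scan is the part practitioners most often miss: removing the structured identifier columns satisfies the letter of the list, but a clinician's note carrying a phone number or e-mail address leaves the record identifiable and therefore still PHI.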

Treatment vs. non-treatment disclosure: The Privacy Rule permits broad information sharing for treatment purposes among providers without patient authorization. Marketing communications, sale of PHI, and use of psychotherapy notes each carry heightened requirements — psychotherapy notes require a separate authorization even when other treatment disclosures are permitted.


Tradeoffs and tensions

Interoperability vs. privacy: The 21st Century Cures Act of 2016 and HHS's 2020 Interoperability Rules prohibit information blocking and mandate open API access to patient data, creating friction with the Privacy Rule's minimum necessary and authorization requirements. HHS has acknowledged this tension in its rulemaking but has not resolved it through a single unified standard.

State law preemption: HIPAA sets a federal floor, not a ceiling. State laws that provide greater privacy protections are not preempted. California's Confidentiality of Medical Information Act (CMIA) and state mental health confidentiality statutes impose requirements stricter than HIPAA in specific contexts. Covered entities operating across state lines must comply with whichever standard is more protective in a given situation — a structural compliance burden with no federal simplification mechanism.

Research access vs. individual privacy: The Privacy Rule permits disclosure of PHI for research under specified conditions — IRB or Privacy Board waiver, de-identification, or a limited data set with a data use agreement. Epidemiological research and public health surveillance depend on these permissions, but their breadth is contested. The COVID-19 public health emergency demonstrated both the value and the limits of existing research exemptions.

Security vs. care coordination: Minimum necessary requirements can impede time-sensitive care coordination. Emergency treatment exceptions exist but are narrowly scoped, and the boundary between permitted treatment communication and unpermitted disclosure is a recurring source of OCR enforcement inquiries.


Common misconceptions

Misconception: HIPAA applies to all health data. The Rule applies only to PHI held by covered entities and business associates. Fitness app data, direct-to-consumer genetic test results, and health information shared voluntarily on social media fall outside HIPAA's jurisdiction. The Federal Trade Commission, not OCR, has primary authority over health data practices of non-covered commercial entities (FTC Health Breach Notification Rule, 16 CFR Part 318).

Misconception: A patient can always access their entire medical record. The Privacy Rule provides a right of access but enumerates exceptions — psychotherapy notes, information compiled for legal proceedings, and PHI subject to the Clinical Laboratory Improvements Amendments (CLIA) exemptions. Covered entities may also deny access in specified circumstances with review rights.

Misconception: Verbal communication between providers requires authorization. Treatment disclosures — including verbal consultations between treating clinicians — are permitted without authorization under 45 CFR § 164.506. The minimum necessary standard applies differently to treatment communications than to administrative disclosures.

Misconception: Encryption eliminates HIPAA obligations. Encryption that meets the HHS specification takes PHI out of the "unsecured PHI" category, so a breach of it qualifies for the breach notification safe harbor under the HITECH Act, but encryption does not eliminate Privacy Rule use and disclosure requirements. A covered entity cannot share encrypted PHI with an unauthorized third party and claim immunity.


Checklist or steps (non-advisory)

The following sequence reflects the compliance structure enumerated in the Privacy Rule's administrative requirements at 45 CFR § 164.530:

  1. Identify covered entity status — Confirm whether the organization qualifies as a health plan, healthcare clearinghouse, or provider transmitting PHI electronically in covered transactions.
  2. Inventory PHI holdings — Catalog all forms and locations of PHI, including paper, electronic, and oral formats, across all systems and third-party processors.
  3. Execute Business Associate Agreements (BAAs) — Establish written agreements with all contractors and subcontractors that create, receive, maintain, or transmit PHI on behalf of the covered entity, per 45 CFR § 164.504(e).
  4. Develop and distribute Notice of Privacy Practices — Draft NPP meeting content requirements at 45 CFR § 164.520; post prominently and distribute to patients at first service contact.
  5. Implement minimum necessary policies — Establish documented criteria for routine and non-routine PHI requests and disclosures, per 45 CFR § 164.514(d).
  6. Designate a Privacy Official — Appoint a named individual responsible for Privacy Rule policy development and compliance, per 45 CFR § 164.530(a).
  7. Establish complaint procedures — Maintain a documented process for receiving and addressing individual privacy complaints, per 45 CFR § 164.530(d).
  8. Train workforce — Document training on Privacy Rule policies for all workforce members with PHI access, per 45 CFR § 164.530(b).
  9. Apply sanctions — Implement and apply sanctions against workforce members who violate privacy policies, per 45 CFR § 164.530(e).
  10. Conduct periodic review — Evaluate privacy policies against changes in law, organizational structure, and operational practice; document all revisions.

Reference table or matrix

HIPAA Privacy Rule: Key Provisions by Applicability

| Provision | Applies To | Regulatory Citation | Exceptions / Notes |
| --- | --- | --- | --- |
| Protected Health Information definition | Covered entities, Business Associates | 45 CFR § 160.103 | De-identified data excluded per § 164.514(a) |
| Notice of Privacy Practices | Direct treatment providers, health plans | 45 CFR § 164.520 | Indirect treatment providers exempt from distribution requirement |
| Individual right of access | Covered entities | 45 CFR § 164.524 | Psychotherapy notes, legal preparation records excepted |
| Minimum Necessary Standard | Covered entities | 45 CFR § 164.514(d) | Does not apply to treatment disclosures to providers |
| Authorization requirement | Covered entities | 45 CFR § 164.508 | Overrides permitted disclosures for marketing, PHI sale, psychotherapy notes |
| Business Associate Agreement | Covered entities + Business Associates | 45 CFR § 164.504(e) | Required before PHI is shared with any qualifying contractor |
| Breach Notification (HITECH) | Covered entities, Business Associates | 45 CFR §§ 164.400–414 | Encrypted PHI qualifies for safe harbor if encryption meets HHS specification |
| Privacy Official designation | Covered entities | 45 CFR § 164.530(a) | Small provider exemptions for some administrative requirements do not include this requirement |
| Workforce training | Covered entities | 45 CFR § 164.530(b) | Documentation of training required; no prescribed curriculum |
| Complaint procedures | Covered entities | 45 CFR § 164.530(d) | Retaliation against complainants prohibited under § 164.530(g) |
