HIPAA Privacy Rule Requirements Explained
The HIPAA Privacy Rule sets the national standard for protecting people's medical records and other protected health information. It defines how covered entities and their business associates can use and disclose PHI. It also grants patients specific rights over their health data.
It sets duties that apply to every exchange involving patient data. Knowing these rules is key for any group that handles health data.
Enacted under the Health Insurance Portability and Accountability Act and set out in 45 CFR Part 164 (Subparts A and E), the Privacy Rule applies to covered entities (healthcare providers who conduct electronic transactions, health plans, and healthcare clearinghouses) as well as to business associates who handle PHI on their behalf. This article explains the core rules every compliance team must know and put in place.
Permitted Uses and Disclosures of PHI
Treatment, Payment, and Healthcare Operations (TPO)
The Privacy Rule lets covered entities use and share PHI without individual consent for three key purposes:
- Treatment: Providing, coordinating, or managing healthcare and related services. This includes talks between providers, referrals, and sharing patient data with specialists involved in care.
- Payment: Tasks tied to getting payment for healthcare services, including billing, claims handling, use review, and coverage choices.
- Healthcare operations: Administrative and quality-related tasks needed to run a covered entity, including quality checks, training programs, compliance tasks, business planning, and auditing.
TPO is the broadest category of permitted use and covers most day-to-day PHI dealings within healthcare groups. However, even TPO uses are subject to the minimum necessary standard.
This limits how much PHI can be shared to what's necessary for the specific purpose.
Required Disclosures
The Privacy Rule requires groups to disclose PHI in only two cases:
- To the individual: When a patient (or their personal representative) requests access to their own PHI, covered entities must provide it within 30 days, with limited exceptions.
- To HHS for enforcement: When the Department of Health and Human Services requests PHI during a compliance probe, review, or enforcement action.
All other disclosures fall under either permitted or authorized categories. Groups should set up clear steps for handling both types of mandatory disclosures.
Permitted Disclosures Without Authorization
Beyond TPO, the Privacy Rule allows disclosures without patient consent in several specific cases:
- Public health activities: Reporting to public health authorities for disease surveillance, injury prevention, and FDA-regulated tasks
- Victims of abuse, neglect, or domestic violence: Reporting to government bodies allowed to receive such data
- Health oversight activities: Audits, probes, and checks run by health oversight agencies
- Judicial and administrative proceedings: In response to court orders or subpoenas with proper safeguards
- Law enforcement purposes: Under specific conditions including court orders, official requests, and finding suspects or missing persons
- Decedents: To coroners, medical examiners, and funeral directors
- Research: With IRB or Privacy Board approval under set conditions
- Serious threat to health or safety: When necessary to prevent or lessen a serious and imminent threat
- Specialized government functions: Military, veterans, national security, and protective services tasks
- Workers' compensation: As authorized by workers' compensation laws
Each category of permitted disclosures has specific rules and conditions. Groups must train their staff to know which category applies before releasing PHI and to record the basis for each disclosure choice.
The Minimum Necessary Standard
What It Requires
The minimum necessary standard is a key part of the Privacy Rule. It requires covered entities to limit their uses, disclosures, and requests of PHI to the minimum amount necessary to accomplish the intended purpose. This standard applies to most uses and disclosures but has important exceptions.
The minimum necessary standard does not apply to:
- Disclosures to or requests by a healthcare provider for treatment purposes
- Disclosures to the individual who is the subject of the information
- Uses or disclosures under a valid authorization
- Disclosures to HHS for enforcement purposes
- Uses or disclosures required by law
- Uses or disclosures required for HIPAA compliance
Implementing Minimum Necessary
Groups must create policies that spell out the minimum necessary for routine and non-routine disclosures:
- Routine disclosures: Set standard steps that limit PHI released for common, recurring cases. Define the types and amounts of PHI fitting for each category of routine request.
- Non-routine disclosures: Create criteria for reviewing each request on its own. Each non-routine request should be checked by a named person or group to find the minimum PHI needed.
- Role-based access: Identify groups of staff who need access to PHI and the types of PHI each group requires. Set up access controls that enforce these limits in electronic systems.
When asking for PHI from other covered entities, groups must also limit their requests to the minimum needed for the stated purpose. This duty applies to both the asking and disclosing parties.
Patient Rights Under the Privacy Rule
Right of Access
Patients have the right to view and get a copy of their PHI maintained in a designated record set. This includes medical records, billing records, enrollment records, and other records used to make decisions about the individual. Covered entities must:
- Respond to access requests within 30 days (one 30-day extension permitted with written notice)
- Provide PHI in the format requested by the patient if readily producible, or in a readable alternative format
- Charge only a reasonable, cost-based fee for copies
- Provide electronic copies of ePHI when requested and maintained electronically
Limited exceptions to the right of access include psychotherapy notes, information compiled for legal proceedings, and certain laboratory results covered by CLIA.
Right to Request Amendment
Patients may ask a covered entity to amend PHI in a designated record set. If the covered entity agrees, it must make the amendment and tell the person and relevant parties. If the covered entity denies the request, it must give a written denial with the basis for the choice and info about the person's right to submit a statement of disagreement.
Right to an Accounting of Disclosures
People have the right to get a record of certain disclosures of their PHI made in the six years preceding the request. This accounting must include disclosures made for purposes other than treatment, payment, healthcare operations, or those the person authorized. Each entry must include the date, name and address of the recipient, what PHI was shared, and why.
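The accounting logic described above, as an added example that is not part of the original article: it filters a constructed disclosure log down to what 164.528 requires reported (six-year look-back, TPO and authorized disclosures excluded, every required element present). The field names and purpose vocabulary are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Purposes the article lists as excluded from the accounting. The string
# vocabulary is assumed for this constructed log, not taken from the article.
EXCLUDED_PURPOSES = {"treatment", "payment", "operations", "authorized"}
# Elements the article says each accounting entry must carry.
REQUIRED_FIELDS = ("disclosed_on", "recipient_name", "recipient_address",
                   "phi_description", "purpose")

@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient_name: str
    recipient_address: str
    phi_description: str  # what PHI was shared
    purpose: str          # why: e.g. "treatment", "public_health", "judicial"

def window_start(request_date: date, years: int = 6) -> date:
    """First day of the look-back window; a Feb 29 request rolls to Feb 28."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:
        return request_date.replace(year=request_date.year - years, day=28)

def accounting_of_disclosures(log, patient_id: str, request_date: date) -> list:
    """Entries the covered entity must report for `patient_id`: disclosures in
    the six years before the request, minus TPO and authorized ones. An entry
    lacking a required element is rejected, not reported incomplete."""
    start = window_start(request_date)
    report = []
    for d in log:
        if d.patient_id != patient_id or not (start <= d.disclosed_on <= request_date):
            continue
        if d.purpose in EXCLUDED_PURPOSES:
            continue
        missing = [f for f in REQUIRED_FIELDS if not getattr(d, f)]
        if missing:
            raise ValueError(f"disclosure on {d.disclosed_on} lacks {missing}")
        report.append(d)
    return sorted(report, key=lambda d: d.disclosed_on)

# Constructed sample log; no real patients, recipients or addresses.
LOG = [
    Disclosure("P1", date(2024, 1, 10), "Dr. A", "1 Clinic Rd", "lab results", "treatment"),
    Disclosure("P1", date(2023, 4, 2), "State Health Dept", "2 Capitol Sq", "diagnosis code", "public_health"),
    Disclosure("P1", date(2017, 5, 1), "County Court", "3 Court St", "visit dates", "judicial"),
    Disclosure("P2", date(2023, 9, 9), "Police Dept", "4 Main St", "admission date", "law_enforcement"),
    Disclosure("P1", date(2024, 2, 20), "Insurer", "5 Plan Ave", "claim detail", "payment"),
]

def sample_report() -> list:
    """Accounting for patient P1 requested on 2024-06-01."""
    return accounting_of_disclosures(LOG, "P1", date(2024, 6, 1))
```

Only the public-health disclosure survives: the treatment and payment entries are TPO, the court disclosure is older than six years, and the police entry belongs to another patient.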
Right to Request Restrictions
Patients may ask for limits on how a covered entity uses or shares their PHI for treatment, payment, or healthcare operations. Covered entities are not generally required to agree to these requests, with one key exception: a covered entity must agree to block disclosures to a health plan if the patient has paid for the service in full out of pocket and the disclosure is not otherwise required by law.
Right to Request Confidential Communications
Patients may request that covered entities reach them through other means or at other locations. For example, a patient may request that appointment reminders be sent to a work email rather than a home address. Health plans must honor reasonable requests, and healthcare providers should do the same.
Notice of Privacy Practices (NPP)
Content Requirements
Every covered entity must develop and distribute a Notice of Privacy Practices that informs individuals about how their PHI may be used and disclosed. The NPP must include:
- How the covered entity may use and disclose PHI
- The individual's rights regarding their PHI
- The covered entity's legal obligations regarding PHI
- Contact information for the privacy officer or named complaint contact
- The effective date of the notice
- A statement that the organization is required by law to maintain the privacy of PHI
The NPP must be written in plain language that patients can readily grasp. Overly technical or legal language weakens the purpose of the notice and may draw regulatory scrutiny.
Distribution Requirements
Healthcare providers with a direct treatment tie must:
- Provide the NPP to patients no later than the first service visit (including electronic service delivery)
- Make the NPP available to anyone who requests it
- Post the NPP prominently at the service delivery site
- Post the NPP on the organization's website if it maintains one
Health plans must give the NPP at enrollment and within 60 days of a major change. Any material shift in privacy practices requires a revised NPP sent to affected people.
Authorization Requirements
When Authorization Is Required
An authorization is required for uses and disclosures of PHI that are not otherwise permitted or required by the Privacy Rule. Common cases that need authorization include:
- Marketing communications: Using PHI to make marketing communications, with limited exceptions for face-to-face talks and small promotional gifts
- Sale of PHI: Disclosing PHI in exchange for remuneration
- Psychotherapy notes: Most uses and disclosures of psychotherapy notes
- Research: When IRB or Privacy Board waiver of authorization is not obtained
- Fundraising: Using PHI beyond permitted demographic information and dates of service (an opt-out must be provided)
Valid Authorization Elements
A valid authorization must contain specific core elements and required statements:
Core elements:
- Description of the PHI to be used or disclosed
- Name or specific identification of the individuals authorized to make the use or disclosure
- Name or specific identification of the persons to whom the disclosure may be made
- Description of the purpose of the use or disclosure
- An expiration date or event
- The person's signature and date
Required statements:
- The individual's right to revoke the authorization in writing
- Whether treatment, payment, enrollment, or eligibility depends on the authorization
- The chance of re-disclosure by the recipient
Authorizations that are missing required elements, have expired, or have been revoked are not valid. Covered entities must not act on flawed authorizations.
De-Identification of PHI
Safe Harbor Method
The Privacy Rule provides two methods for de-identifying PHI so that it is no longer subject to HIPAA regulations. The Safe Harbor method requires removal of 18 specific identifiers:
- Names
- Geographic data smaller than a state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs and comparable images
- Any other unique identifying number or code
Additionally, the covered entity must have no actual knowledge that the remaining information could identify an individual. For a detailed breakdown of these identifiers, see our PHI guide.
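A Safe Harbor pass over a single record, as an added example that is not part of the original article: direct identifiers are dropped, dates are cut to the year, geography is reduced to the state, and free-text notes are scanned for leftover identifier shapes to support the "no actual knowledge" condition. It also applies the regulation's rule that ages over 89 collapse into a "90+" category (45 CFR 164.514(b)), which the list above does not spell out. The column names and the sample record are constructed assumptions.

```python
import re
from datetime import date
# Column names are assumed for this constructed record (not from the
# article). These columns are Safe Harbor direct identifiers: dropped.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # keep year only
GEO_FIELDS = {"street", "city", "zip"}  # dropped; state-level geography stays
# Identifier shapes that may survive in free text; supports review, not a substitute.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def age_on(dob: str, today: date) -> int:
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def find_residual_identifiers(text: str) -> list:
    hits = []  # (kind, matched text) pairs found in free text
    for kind, pattern in RESIDUAL_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits

def safe_harbor(record: dict, today: date) -> dict:
    """Copy of `record` with Safe Harbor identifiers removed or generalized; raises if notes still look identifying."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]  # ISO 'YYYY-MM-DD' -> 'YYYY'
        else:
            out[key] = value
    if "dob" in record:
        age = age_on(record["dob"], today)
        # 164.514(b): ages over 89, and any date element (year included)
        # that reveals such an age, collapse into a single "90+" category.
        out["age"] = "90+" if age >= 90 else str(age)
        if age >= 90:
            del out["dob_year"]
    residual = find_residual_identifiers(str(out.get("notes", "")))
    if residual:
        raise ValueError(f"residual identifiers in notes: {residual}")
    return out

SAMPLE = {  # constructed; no real patient data
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "dob": "1931-05-20", "admission_date": "2024-03-02", "state": "IL",
    "street": "12 Main St", "city": "Springfield", "zip": "62704",
    "diagnosis": "E11.9", "notes": "Reports good adherence.",
}

def deidentify_sample(notes: str = SAMPLE["notes"]) -> dict:
    return safe_harbor({**SAMPLE, "notes": notes}, date(2024, 6, 1))
```

The residual scan only catches identifier shapes it knows about; names, employer references and rare diagnoses in free text still need human review before the record is treated as de-identified.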
Expert Determination Method
The Expert Determination method requires an individual with the right statistical and scientific knowledge to apply those methods and find that the risk of identifying an individual from the data is very small. The expert must document the methods and results of the review.
Organizations that need to use health data for analytics, research, or business intelligence should weigh both methods to find which approach best fits their needs.
Privacy Rule FAQ
Can a covered entity share PHI with a patient's family members?
Yes, but with conditions. A covered entity may share PHI with a family member, relative, or close personal friend of the patient if the patient agrees, does not object when given the opportunity, or if the provider uses professional judgment that sharing is in the patient's best interest. In emergencies where the patient cannot respond, providers may share info directly tied to the person's role in the patient's care.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule governs all forms of PHI (paper, oral, and electronic) and defines when and how PHI may be used and disclosed. The Security Rule applies specifically to ePHI and requires administrative, physical, and technical safeguards to protect electronic data. Both rules work together to create a broad framework for PHI protection.
How long must an organization retain Privacy Rule documentation?
The Privacy Rule requires keeping policies, procedures, and certain records for six years from the date of creation or the date when it was last in effect, whichever is later. This includes authorizations, NPPs, complaint records, and compliance records.
What are the penalties for Privacy Rule violations?
Civil monetary penalties range from 41 to ,134,831 per violation, depending on the level of culpability. Tier 1 (did not know) carries the lowest penalties, while Tier 4 (willful neglect not corrected) carries the highest. Criminal penalties may also apply for knowing violations, with fines up to 50,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for personal gain.
Does the minimum necessary standard apply to oral communications?
Yes. The minimum necessary standard applies to spoken sharing of PHI. Healthcare providers should take reasonable steps to limit incidental disclosures during oral talks, such as speaking in private areas, lowering voices, and avoiding discussions of PHI in public spaces. Dental practices face particular challenges here. However, the Privacy Rule does not require that every risk of incidental disclosure be eliminated, only that reasonable safeguards are in place.
Privacy Rule Takeaways
The HIPAA Privacy Rule creates a broad framework for guarding patient data while enabling the flow of health info needed for quality care, efficient payment, and effective healthcare operations. Groups must understand permitted uses and disclosures, implement the minimum necessary standard, honor patient rights, and maintain proper authorization procedures to achieve compliance.
Privacy Rule compliance is not a one-time task but an ongoing effort that calls for regular training, policy review, and attention to evolving rules and guidance. Groups that build Privacy Rule needs into daily work form better bonds with patients and lower the risk of enforcement actions.
One Guy Consulting helps healthcare groups put Privacy Rule needs in place through practical policy templates, staff training programs, and compliance checks. Explore our HIPAA compliance guide for a broader view of the compliance landscape, or browse our policy library for ready-to-use Privacy Rule records. Reach out to build a privacy program that protects patients and sets your group up for long-term compliance success.
Privacy Rule Key Provisions Reference
| Provision | CFR Section | What It Requires | Applies To |
|---|---|---|---|
| Permitted Uses | 164.502(a) | Defines when PHI can be used without authorization | CE + BA |
| Minimum Necessary | 164.502(b) | Limit PHI to what is needed for the purpose | CE + BA |
| Notice of Privacy Practices | 164.520 | Provide patients with privacy notice at first encounter | CE only |
| Authorization | 164.508 | Get written authorization for non-TPO disclosures | CE + BA |
| Right of Access | 164.524 | Provide records within 30 days of request | CE only |
| Amendment Rights | 164.526 | Allow patients to request corrections to records | CE only |
| Accounting of Disclosures | 164.528 | Track and report non-TPO disclosures on request | CE + BA |
| Training | 164.530(b) | Train all workforce on privacy policies | CE + BA |
Key stat: The Privacy Rule applies to all forms of PHI - paper, electronic, and oral. While the Security Rule covers only ePHI, the Privacy Rule is broader. OCR enforcement data shows that impermissible disclosures of oral PHI (overheard conversations, phone calls in waiting rooms) trigger complaints at a rate comparable to electronic breaches.
Sources
- 45 CFR Part 164, Subpart E - Privacy of Individually Identifiable Health Information
- 45 CFR 164.502 - Uses and Disclosures of PHI: General Rules
- 45 CFR 164.520 - Notice of Privacy Practices
- HHS: HIPAA Privacy Rule
Related Reading
- HIPAA Authorization Form Requirements
- HIPAA Minimum Necessary Rule
- PHI vs PII vs ePHI: Key Differences