HIPAA Privacy Rule: What You Need to Know
Quick Answer
The HIPAA Privacy Rule establishes standards for how covered entities may use and disclose Protected Health Information (PHI), gives patients rights to access and control their health data, and requires a Notice of Privacy Practices.
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) governs when and how PHI can be used and disclosed. While the Security Rule focuses on technical protections, the Privacy Rule addresses the policies and procedures around data access, patient rights, and organizational obligations.
Key Takeaways
- Applies to all forms of PHI (paper, oral, electronic) — not just ePHI
- Defines permitted uses and disclosures (treatment, payment, healthcare operations, and specific exceptions)
- Requires patient authorization for most uses beyond treatment/payment/operations
- Establishes patient rights: access, amendment, accounting of disclosures, restriction requests
- Requires a Notice of Privacy Practices (NPP) to be provided to every patient
Permitted Uses and Disclosures
The Privacy Rule defines specific situations where PHI can be used or disclosed without patient authorization:
| Category | Examples | Restrictions |
|---|---|---|
| Treatment | Sharing records between providers, referrals, consultations | Minimum necessary does not apply |
| Payment | Billing, claims processing, insurance eligibility verification | Minimum necessary applies |
| Healthcare Operations | Quality improvement, compliance, auditing, business planning | Minimum necessary applies |
| Required by Law | Court orders, subpoenas, law enforcement requests | Must verify legal authority |
| Public Health | Disease reporting, vital statistics, FDA reporting | Limited to specific public health purposes |
| Abuse/Neglect | Reporting suspected abuse or neglect | To appropriate government authorities |
| Health Oversight | Government audits, investigations, inspections | Limited to oversight agencies |
| Research | With IRB/Privacy Board approval or de-identified data | Specific conditions must be met |
The Minimum Necessary Standard
ℹ️ Use Only What You Need
The minimum necessary standard requires covered entities to make reasonable efforts to limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose. For example, a billing department should only access the PHI needed for billing — not the patient's complete medical history. Exception: the minimum necessary standard does NOT apply to treatment purposes.
Patient Rights Under the Privacy Rule
- Right to Access: Patients can request copies of their PHI, which must be provided within 30 days (15 days for ePHI under proposed rule changes). Fees must be limited to the reasonable cost of copying.
- Right to Amendment: Patients can request corrections to their PHI. Covered entities must respond within 60 days.
- Right to Accounting of Disclosures: Patients can request a list of who has received their PHI (with certain exceptions for treatment, payment, and operations).
- Right to Request Restrictions: Patients can request restrictions on certain uses/disclosures. Covered entities must agree if disclosure is to a health plan for services paid out-of-pocket.
- Right to Confidential Communications: Patients can request alternative communication methods (e.g., call cell instead of home phone).
- Right to Receive Notice: Every patient must receive a Notice of Privacy Practices explaining how their PHI is used.
Notice of Privacy Practices (NPP)
NPP Required Elements
- Description of how PHI may be used and disclosed
- Patient rights regarding their PHI
- Covered entity's obligations to protect PHI
- Who to contact for complaints
- Effective date of the notice
- Statement that authorization is required for uses beyond TPO
- Must be prominently posted and available to anyone who asks
Privacy Rule for Business Associates
Business associates must comply with the Privacy Rule provisions specified in their Business Associate Agreement (BAA). While business associates don't directly interact with patients, they must still implement policies to ensure PHI is used and disclosed only as permitted.
| Figure | Requirement | Meaning |
|---|---|---|
| 30 days | Access Request Response | Maximum time to fulfill patient access requests |
| 60 days | Amendment Response | Maximum time to respond to amendment requests |
| 6 years | Accounting Period | Period covered by an accounting of disclosures |
| $6.50 | Max Per-Page Copy Fee | Proposed reasonable fee limit |
Does the Privacy Rule apply to de-identified data?
No. De-identified data (where all 18 HIPAA identifiers are removed or a statistical expert certifies re-identification risk is minimal) is not considered PHI and is not subject to the Privacy Rule.
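The Safe Harbor path mentioned above, removing the identifier classes of 45 CFR 164.514(b)(2), as an added Python example that is not part of the original page. The field names, the sample record, and the restricted ZIP3 set are constructed assumptions; the free-text scan is a minimal check, not a complete detector.

```python
import re
from datetime import date
# Direct identifiers (Safe Harbor classes A, B, D-Q) are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# ZIP3 areas with 20,000 people or fewer become "000"; constructed placeholder,
# the real set is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
# Patterns showing that a free-text field still carries an identifier.
LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),    # phone / fax
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),       # email
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),    # IPv4 address
]
REFERENCE_DATE = date(2024, 1, 1)  # fixed "today" so computed ages are reproducible
def free_text_leaks(text: str) -> bool:
    """True if free text still contains a pattern-detectable identifier."""
    return any(p.search(text) for p in LEAK_PATTERNS)

def deidentify(record: dict, today: date) -> dict:
    """Return a Safe Harbor de-identified copy of a structured record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":                          # class B: first three digits only
            zip3 = str(value)[:3]
            out[field] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif isinstance(value, date):               # class C: keep the year only
            out[field] = value.year
        elif isinstance(value, str) and free_text_leaks(value):
            # Safe Harbor also fails when the entity knows the data is still identifying.
            raise ValueError(f"identifier found in free-text field {field!r}")
        else:
            out[field] = value
    if isinstance(record.get("birth_date"), date):
        age = today.year - record["birth_date"].year
        out["age"] = "90+" if age > 89 else age     # class C: ages over 89 collapse
        if age > 89:
            del out["birth_date"]                   # the birth year alone would reveal the age
    return out
SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001", "zip": "02139",
    "birth_date": date(1931, 5, 2), "admit_date": date(2023, 11, 14),
    "diagnosis": "I10", "note": "BP elevated at visit",
}
```

Running `deidentify(SAMPLE, REFERENCE_DATE)` keeps only the ZIP3, the admission year, the diagnosis code, the note and an age bucket of "90+"; Expert Determination, the other path the FAQ names, is a statistical assessment and is not modelled here.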
Can a patient access all of their PHI?
Mostly yes, but there are limited exceptions. Covered entities can deny access to psychotherapy notes, information compiled for legal proceedings, and certain research data. Denials may be appealable through a designated reviewing authority.
Does the Privacy Rule apply to business associates?
Yes, since the HITECH Act (2009). Business associates must comply with Privacy Rule requirements specified in their BAA, including limiting PHI use and disclosure and implementing the minimum necessary standard.
What's the relationship between the Privacy Rule and state laws?
HIPAA preempts state laws that are less protective of patient privacy. However, state laws that are more protective than HIPAA still apply. In practice, many states have stronger privacy protections that must be followed alongside HIPAA.