HIPAA Privacy Rule Requirements Explained

The HIPAA Privacy Rule establishes the national standard for protecting individuals’ medical records and other protected health information (PHI). It defines how covered entities and their business associates may use and disclose PHI, grants patients specific rights over their health data, and imposes obligations that apply to every interaction involving patient information. Understanding these rules is essential for any organization that handles health data.

Enacted under the Health Insurance Portability and Accountability Act and codified at 45 CFR Part 164 (Subparts A and E), the Privacy Rule applies to covered entities — healthcare providers who conduct electronic transactions, health plans, and healthcare clearinghouses — as well as business associates who handle PHI on their behalf. This article explains the core requirements every compliance team must understand and implement.

Permitted Uses and Disclosures of PHI

Treatment, Payment, and Healthcare Operations (TPO)

The Privacy Rule permits covered entities to use and disclose PHI without the individual’s authorization for three fundamental purposes:

  • Treatment — Providing, coordinating, or managing healthcare and related services. This includes consultations between providers, referrals, and sharing patient information with specialists involved in care.
  • Payment — Activities related to obtaining payment for healthcare services, including billing, claims management, utilization review, and coverage determinations.
  • Healthcare operations — Administrative and quality-related activities needed to run a covered entity, including quality assessment, training programs, compliance activities, business planning, and auditing.

TPO is the broadest category of permitted use and covers the majority of day-to-day PHI interactions within healthcare organizations. However, even TPO uses are subject to the minimum necessary standard, which limits the amount of PHI shared to what is reasonably needed for the specific purpose.

Required Disclosures

The Privacy Rule mandates disclosure of PHI in only two situations:

  1. To the individual — When a patient (or their personal representative) requests access to their own PHI, covered entities must provide it within 30 days, with limited exceptions.
  2. To HHS for enforcement — When the Department of Health and Human Services requests PHI during a compliance investigation, compliance review, or enforcement action.

All other disclosures fall under either the permitted or the authorized categories. Organizations should establish clear procedures for handling both types of mandatory disclosure.

Permitted Disclosures Without Authorization

Beyond TPO, the Privacy Rule permits disclosures without patient authorization in several specific circumstances:

  • Public health activities — Reporting to public health authorities for disease surveillance, injury prevention, and FDA-regulated activities
  • Victims of abuse, neglect, or domestic violence — Reporting to government authorities authorized to receive such information
  • Health oversight activities — Audits, investigations, and inspections conducted by health oversight agencies
  • Judicial and administrative proceedings — In response to court orders or subpoenas with appropriate protections
  • Law enforcement purposes — Under specific conditions including court orders, administrative requests, and identification of suspects or missing persons
  • Decedents — To coroners, medical examiners, and funeral directors
  • Research — With Institutional Review Board or Privacy Board approval under specified conditions
  • Serious threat to health or safety — When needed to prevent or lessen a serious and imminent threat
  • Specialized government functions — Military, veterans, national security, and protective services activities
  • Workers’ compensation — As authorized by workers’ compensation laws

Each permitted disclosure category has specific conditions and limitations. Organizations must train their workforce to identify which category applies before releasing PHI and to document the basis for each disclosure decision.

The Minimum Necessary Standard

What It Requires

The minimum necessary standard is a foundational principle of the Privacy Rule. It requires covered entities to make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum amount needed to accomplish the intended purpose. This standard applies to most uses and disclosures but has important exceptions.

The minimum necessary standard does not apply to:

  • Disclosures to or requests by a healthcare provider for treatment purposes
  • Disclosures to the individual who is the subject of the information
  • Uses or disclosures pursuant to a valid authorization
  • Disclosures to HHS for enforcement purposes
  • Uses or disclosures required by law
  • Uses or disclosures required for HIPAA compliance

Implementing Minimum Necessary

Organizations must develop and implement policies that address minimum necessary for both routine and non-routine disclosures:

  • Routine disclosures — Establish standard procedures that limit the PHI released for common, recurring situations. Define the types and amounts of PHI appropriate for each category of routine request.
  • Non-routine disclosures — Develop criteria for reviewing individual requests on a case-by-case basis. Each non-routine request should be reviewed by a designated person or group to determine the minimum PHI needed.
  • Role-based access — Identify the classes of workforce members who need access to PHI and the categories of PHI each class requires. Implement access controls that enforce these limitations in electronic systems.

When requesting PHI from other covered entities, organizations must also limit their requests to the minimum necessary for the stated purpose. This obligation applies to both the requesting and the disclosing party.

Patient Rights Under the Privacy Rule

Right of Access

Patients have the right to inspect and obtain a copy of their PHI maintained in a designated record set. This includes medical records, billing records, enrollment records, and other records used to make decisions about the individual. Covered entities must:

  • Respond to access requests within 30 days (one 30-day extension is allowed with written notice)
  • Provide PHI in the format requested by the patient if it is readily producible, or in a readable alternative format
  • Charge only a reasonable, cost-based fee for copies
  • Provide electronic copies of ePHI when requested and maintained electronically

Limited exceptions to the right of access include psychotherapy notes, information compiled for legal proceedings, and certain laboratory results covered by CLIA.

Right to Request Amendment

Patients may request that a covered entity amend PHI in a designated record set. If the covered entity agrees, it must make the amendment and inform the individual and relevant parties. If the covered entity denies the request, it must provide a written denial with the basis for the decision and information about the individual’s right to submit a statement of disagreement.

Right to an Accounting of Disclosures

Individuals have the right to receive an accounting of certain disclosures of their PHI made in the six years before the request. The accounting must cover disclosures made for purposes other than treatment, payment, or healthcare operations, and need not include disclosures the individual authorized. Each entry must include the date, the name and address of the recipient, a description of the PHI disclosed, and the purpose of the disclosure.
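The selection logic behind an accounting of disclosures, as an added example that is not part of the original article: the log layout and field names are a constructed assumption, while the six-year window and the exclusion of TPO and authorized disclosures follow the text above.

```python
# Accounting of disclosures: pick the log entries that must be reported.
# Added example; the Disclosure layout is a constructed assumption.
from dataclasses import dataclass
from datetime import date

# Purposes the accounting does not have to include (TPO and authorized).
EXCLUDED_PURPOSES = {"treatment", "payment", "healthcare_operations", "authorization"}

@dataclass(frozen=True)
class Disclosure:
    made_on: date
    recipient_name: str
    recipient_address: str
    description: str   # what PHI was disclosed
    purpose: str       # basis for the disclosure, e.g. "public_health"

def window_start(request_date: date, years: int = 6) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:
        return request_date.replace(year=request_date.year - years, day=28)

def accounting(log, request_date: date):
    """Return the reportable disclosures within the window, oldest first."""
    start = window_start(request_date)
    reportable = [d for d in log
                  if start <= d.made_on <= request_date
                  and d.purpose not in EXCLUDED_PURPOSES]
    return sorted(reportable, key=lambda d: d.made_on)

REQUEST_DATE = date(2024, 6, 1)   # constructed request date

# Constructed sample log, not real patient data.
SAMPLE_LOG = [
    Disclosure(date(2023, 5, 2), "Dr. A. Specialist", "10 Clinic Rd",
               "referral summary", "treatment"),
    Disclosure(date(2022, 11, 14), "State Health Dept", "1 Capitol Ave",
               "lab result (notifiable disease)", "public_health"),
    Disclosure(date(2017, 1, 20), "County Court", "5 Court St",
               "visit dates per subpoena", "judicial"),
    Disclosure(date(2024, 2, 8), "Life Insurer Co", "99 Policy Blvd",
               "full record per signed form", "authorization"),
    Disclosure(date(2020, 7, 30), "Medical Examiner", "3 Morgue Ln",
               "cause-of-death records", "decedent"),
]

if __name__ == "__main__":
    for entry in accounting(SAMPLE_LOG, REQUEST_DATE):
        print(entry.made_on, entry.recipient_name, entry.purpose)
```

With the sample log, the treatment and authorized disclosures drop out by purpose and the 2017 subpoena falls outside the six-year window, leaving the medical examiner and public health entries.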

Right to Request Restrictions

Patients may request restrictions on how a covered entity uses or discloses their PHI for treatment, payment, or healthcare operations. Covered entities are generally not required to agree to these requests, with one important exception: a covered entity must agree to restrict disclosures to a health plan if the patient has paid for the service in full out of pocket and the disclosure is not otherwise required by law.

Right to Request Confidential Communications

Patients may request that covered entities communicate with them through alternative means or at alternative locations. For example, a patient may request that appointment reminders be sent to a work email rather than a home address. Health plans must accommodate reasonable requests, and healthcare providers should accommodate reasonable requests.

Notice of Privacy Practices (NPP)

Content Requirements

Every covered entity must develop and distribute a Notice of Privacy Practices that informs individuals about how their PHI may be used and disclosed. The NPP must include:

  • How the covered entity may use and disclose PHI
  • The individual’s rights regarding their PHI
  • The covered entity’s legal duties regarding PHI
  • Contact information for the privacy officer or designated complaint contact
  • The effective date of the notice
  • A statement that the organization is required by law to maintain the privacy of PHI

The NPP must be written in plain language that patients can reasonably understand. Overly technical or legalistic language undermines the purpose of the notice and may draw regulatory scrutiny.

Distribution Requirements

Healthcare providers with a direct treatment relationship must:

  • Provide the NPP to patients no later than the first service delivery (including electronic service delivery)
  • Make the NPP available to anyone who requests it
  • Post the NPP prominently at the service delivery site
  • Post the NPP on the organization’s website if it maintains one

Health plans must provide the NPP at enrollment and within 60 days of a material revision. Any material change to privacy practices requires a revised NPP and distribution to affected individuals.

Authorization Requirements

When Authorization Is Required

An authorization is required for uses and disclosures of PHI that are not otherwise permitted or required by the Privacy Rule. Common situations requiring authorization include:

  • Marketing communications — Using PHI to make marketing communications, with limited exceptions for face-to-face communications and promotional gifts of nominal value
  • Sale of PHI — Disclosing PHI in exchange for remuneration
  • Psychotherapy notes — Most uses and disclosures of psychotherapy notes
  • Research — When an IRB or Privacy Board waiver of authorization is not obtained
  • Fundraising — Using PHI beyond the permitted demographic information and dates of service (an opt-out must be provided)

Valid Authorization Elements

A valid authorization must contain specific core elements and required statements.

Core elements:

  • Description of the PHI to be used or disclosed
  • Name or other specific identification of the persons authorized to make the use or disclosure
  • Name or other specific identification of the persons to whom the disclosure may be made
  • Description of the purpose of the use or disclosure
  • An expiration date or event
  • The individual’s signature and date

Required statements:

  • The individual’s right to revoke the authorization in writing
  • Whether treatment, payment, enrollment, or eligibility is conditioned on the authorization
  • The potential for re-disclosure by the recipient

Authorizations that are missing required elements, have expired, or have been revoked are not valid. Covered entities must not act on defective authorizations.

De-identification of PHI

Safe Harbor Method

The Privacy Rule provides two methods for de-identifying PHI so that it is no longer subject to HIPAA requirements. The Safe Harbor method requires removal of 18 specific identifiers:

  1. Names
  2. Geographic data smaller than a state
  3. Dates (except year) related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photographs and comparable images
  18. Any other unique identifying number or code

Additionally, the covered entity must have no actual knowledge that the remaining information could identify an individual. For a detailed breakdown of these identifiers, see our PHI guide.
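A field-level Safe Harbor scrub of a structured record, with a residual scan of free-text fields to support the "no actual knowledge" check, as an added example that is not part of the original article. The field names and the sample record are constructed assumptions about the record layout.

```python
# Safe Harbor scrub of a structured patient record plus a residual scan of
# free text. Added example; field names are a constructed assumption.
import re
from datetime import date

# Safe Harbor categories 1 and 4-18 map to fields that are dropped outright.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # category 3: keep year
GEO_FIELDS = {"street", "city", "zip"}                 # category 2: keep state

# Patterns that reveal an identifier left behind in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def safe_harbor(record: dict) -> dict:
    """Return a copy of `record` with each identifier category handled."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year   # generalize the date to its year
        else:
            out[key] = value
    return out

def residual_identifiers(record: dict) -> dict:
    """Map each string field to the identifier patterns it still matches."""
    hits = {}
    for key, value in record.items():
        if isinstance(value, str):
            found = [n for n, p in RESIDUAL_PATTERNS.items() if p.search(value)]
            if found:
                hits[key] = found
    return hits

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.org",
    "dob": date(1980, 3, 14), "admit_date": date(2024, 1, 9),
    "street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701",
    "diagnosis_code": "E11.9",
    "notes": "Patient called from 555-123-4567 regarding refill.",
}
```

Running `residual_identifiers(safe_harbor(SAMPLE_RECORD))` flags the phone number that survived in the free-text notes, which is exactly the kind of leftover the actual-knowledge condition is meant to catch.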

Expert Determination Method

The Expert Determination method requires a person with appropriate statistical and scientific knowledge to apply statistical or scientific principles and determine that the risk of identifying an individual from the data is very small. The expert must document the methods and results of the analysis.

Organizations that need to use health data for analytics, research, or business intelligence should evaluate both methods to determine which approach best fits their needs and capabilities.

Privacy Rule FAQ

Can a covered entity share PHI with a patient’s family members?

Yes, but with conditions. A covered entity may share PHI with a family member, relative, or close personal friend of the patient if the patient agrees, does not object when given the opportunity, or if the provider exercises professional judgment that sharing is in the patient’s best interest. In emergency situations where the patient is incapacitated, providers may share information directly relevant to that person’s involvement in the patient’s care.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs all forms of PHI — paper, oral, and electronic — and defines when and how PHI may be used and disclosed. The Security Rule applies specifically to ePHI and requires administrative, physical, and technical safeguards to protect electronic data. Both rules work together to create a comprehensive framework for PHI protection.

How long must an organization retain Privacy Rule documentation?

The Privacy Rule requires retention of policies, procedures, and certain documentation for six years from the date of creation or the date when it was last in effect, whichever is later. This includes authorizations, NPPs, complaint records, and documentation of compliance activities.

What are the penalties for Privacy Rule violations?

Civil monetary penalties range from $141 to $2,134,831 per violation, depending on the level of culpability. Tier 1 (did not know) carries the lowest penalties, while Tier 4 (willful neglect not corrected) carries the highest. Criminal penalties may also apply for knowing violations, with fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for personal gain.

Does the minimum necessary standard apply to oral communications?

Yes. The minimum necessary standard applies to oral communications of PHI. Healthcare providers should take reasonable steps to limit incidental disclosures during oral communications, such as speaking in private areas, lowering voices, and avoiding discussions of PHI in public spaces. However, the Privacy Rule does not require that every risk of incidental disclosure be eliminated — only that reasonable safeguards are in place.

Privacy Rule Takeaways

The HIPAA Privacy Rule creates a comprehensive framework for protecting patient information while enabling the flow of health data needed for quality care, efficient payment, and effective healthcare operations. Organizations must understand permitted uses and disclosures, implement the minimum necessary standard, honor patient rights, and maintain proper authorization procedures to achieve compliance.

Privacy Rule compliance is not a one-time project but an ongoing commitment that requires regular training, policy review, and attention to evolving regulatory guidance. Organizations that embed Privacy Rule requirements into their daily operations build stronger patient relationships and reduce their exposure to enforcement actions.

One Guy Consulting helps healthcare organizations implement Privacy Rule requirements through practical policy templates, workforce training programs, and compliance assessments. Explore our HIPAA compliance guide for a broader view of the compliance landscape, or browse our policy library for ready-to-implement Privacy Rule documentation. Reach out to build a privacy program that protects patients and positions your organization for long-term compliance success.