The HIPAA Privacy Rule establishes national standards for protecting individuals' medical records and other protected health information (PHI). Unlike the Security Rule, which focuses on electronic data, the Privacy Rule applies to PHI in any form: electronic, paper, or spoken.
What the Privacy Rule does
The Privacy Rule has two main thrusts. First, it limits how covered entities and their business associates may use and disclose PHI. Second, it grants individuals rights over their own information. The overarching idea is to allow the flow of health information needed to provide high-quality care while protecting people's privacy.
Use and disclosure: the general approach
The rule generally prohibits using or disclosing PHI except as the rule permits or requires, or as the individual authorizes in writing. Some uses and disclosures are permitted without authorization, while others always require it. A few are required, such as disclosing PHI to the individual who requests their own records and to HHS for compliance investigations.
| Category | Examples |
|---|---|
| Permitted without authorization | Treatment, payment, and health care operations (TPO); certain public-interest purposes such as public health reporting, disclosures required by law, and specified law enforcement requests. |
| Requires authorization | Most marketing, sale of PHI, most uses of psychotherapy notes. |
| Required | To the individual; to HHS for enforcement. |
Core principles
- Minimum necessary - when using, disclosing, or requesting PHI, limit it to the minimum needed to accomplish the purpose. The standard does not apply to disclosures to or requests by a health care provider for treatment, to disclosures to the individual, to uses or disclosures made under a valid authorization, to disclosures to HHS, or to uses or disclosures required by law.
- Notice of privacy practices - tell individuals how their information may be used and what rights they have.
- Individual rights - access, amendment, accounting of disclosures, restriction requests, and confidential communications.
Patient rights at a glance
The Privacy Rule gives individuals several important rights, including the right to:
- Inspect and obtain a copy of their PHI in a designated record set.
- Request amendments to their records.
- Receive an accounting of certain disclosures.
- Request restrictions on certain uses and disclosures.
- Request confidential communications, such as being contacted at a specific phone number.
- Receive a notice of privacy practices.
Administrative requirements
Covered entities must also adopt written privacy policies and procedures, designate a privacy official and a contact person for complaints, train their workforce, apply appropriate safeguards, mitigate the harmful effects of any impermissible use or disclosure they learn of, apply sanctions to workforce members who violate the policies, and have a process for individuals to file complaints without retaliation. These administrative steps make the rule operational rather than aspirational.
How it fits with the Security Rule
The Privacy and Security Rules work together. The Privacy Rule decides whether a use or disclosure is allowed and what rights individuals have; the Security Rule governs how electronic PHI is protected technically and operationally. An organization needs both to handle health information responsibly.
The Privacy Rule and state law
The Privacy Rule sets a national floor, not a ceiling. HIPAA preempts state law that is contrary to it, but not when the state law is more stringent in protecting an individual's privacy (and in a few other narrow cases, such as state public health reporting requirements). In practice, the stricter of the two applies, so organizations often must satisfy both HIPAA and any more protective state requirement at the same time. In Washington, for example, state law gives added protection to certain categories of sensitive health information, and the My Health My Data Act regulates consumer health data that falls outside HIPAA's scope. Compliance therefore involves reading HIPAA together with state law rather than treating the federal rule as the whole picture.
Safeguards and incidental disclosures
The Privacy Rule also requires covered entities to apply reasonable administrative, technical, and physical safeguards to protect PHI from impermissible use or disclosure. It recognizes that some disclosures are unavoidable by-products of normal operations, for instance a visitor overhearing a hallway conversation, and does not penalize them when the disclosure is incidental to an otherwise permitted use or disclosure and reasonable safeguards and the minimum necessary standard are in place. Practical measures like lowering voices, positioning screens away from public view, locking workstations when unattended, and not leaving records where others can read them satisfy this expectation while keeping care efficient. The articles that follow explore permitted disclosures, the minimum necessary standard, the notice of privacy practices, and patient rights in greater depth.