HIPAA Privacy Rule: Explanation and Guidance

[45 CFR §§ 160, 162, 164]


The HIPAA Privacy Rule applies to HIPAA Covered Entities and their Business Associates. Through compliance with the safeguards required by the HIPAA Security Rule, the Privacy Rule protects all individually identifiable health information in any form or medium: electronic, paper, or oral. This information is referred to as Protected Health Information (PHI).

The Privacy Rule excludes from PHI any employment records that a Covered Entity maintains in its capacity as an employer and any student health information contained in education records subject to protection under the Family Educational Rights and Privacy Act (FERPA), 20 USC § 1232(g).

There are no restrictions on the use or disclosure of de-identified health information that neither identifies nor provides a reasonable basis to identify an individual.

Specific Definitions

  • Minimum Necessary is a key protection of the Privacy Rule that requires Covered Entities to evaluate their practices and enhance safeguards to limit unnecessary or inappropriate access to and disclosure of PHI. [45 CFR §§ 164.502(b), 164.514(d)]. The standard does not apply to disclosures to a health care provider for treatment; to uses or disclosures made to the individual; or to uses or disclosures authorized by law or in accordance with other provisions of the Privacy Rule. [45 CFR § 164.502(b)(2)].

General Principle

A Covered Entity may not use or disclose PHI unless:

  1. the Privacy Rule permits or requires the use or disclosure; or
  2. the individual (or his/her representative) who is the subject of the PHI consents to it in writing.

Required Disclosures [45 CFR § 164.502(a)(2)]

A Covered Entity must disclose PHI to:

  1. individuals (or their representatives) when they request access to their PHI or request an accounting of the disclosures of their PHI; and
  2. the Department of Health and Human Services (HHS) for investigations, reviews, or enforcement actions.

Permitted Uses and Disclosures [45 CFR § 164.502(a)(1)]

A Covered Entity is permitted, but not required, to use and disclose PHI without an individual's authorization:

  1. To the individual who is the subject of the PHI, except where the disclosure is already required for access or an accounting of disclosures;
  2. For treatment, payment, and health care operations;
  3. When the individual is given the opportunity to agree or object; or in an emergency situation when use or disclosure is determined to be in the best interests of the individual;
  4. When the use or disclosure is a result of or incident to an otherwise permitted use or disclosure and the information is limited to the minimum necessary to accomplish the intended purpose of the use or disclosure; or
  5. For national priority purposes such as judicial investigations, law enforcement, and serious threats to public health or safety. The complete list of twelve purposes is set out in 45 CFR § 164.512.

Notice [45 CFR § 164.520]

Each individual has a right to adequate notice of

  1. how a Covered Entity may use and disclose their PHI;
  2. the individual’s rights under HIPAA which include access and amendment of their PHI and an accounting of the disclosures of their PHI by the Covered Entity or its Business Associates; and
  3. the Covered Entity’s obligations with regard to PHI.

The notice must be in plain language, include an effective date, and include contact information for individuals to receive more information about the Covered Entity’s privacy policies. The notice must be made available to any person who asks for it and should be prominently posted on any web site the Covered Entity maintains that provides information about its customer services or benefits.

Covered Entities who provide treatment must provide the notice to the individual no later than the date of first service delivery and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgement of receipt of the notice. If the first service delivery is provided electronically, then the Covered Entity must send an electronic notice automatically and contemporaneously in response to the individual’s first request for service.

Administrative Requirements for Covered Entities [45 CFR § 164.530]

  1. Written Privacy Policies and Procedures consistent with the Privacy Rule.
  2. Designated Privacy Official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the Covered Entity’s privacy practices.
  3. Workforce Training for all workforce members on privacy policies and procedures and Appropriate Sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
  4. Mitigation, to the extent practicable, of any harmful effect the Covered Entity learns was caused by use or disclosure of PHI by its workforce or its Business Associates in violation of its privacy policies and procedures or the Privacy Rule.
  5. Reasonable Administrative, Technical, and Physical Safeguards to prevent the intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit the incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. Such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or passcode, and limiting access to keys or passcodes.
  6. Complaints Procedures for individuals to complain about a Covered Entity’s compliance with its privacy policies and procedures and the Privacy Rule. The Covered Entity must explain those procedures in its privacy practices notice.
  7. No Retaliation against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.
  8. No Waiver of Rights may be required of an individual as a condition for obtaining treatment, payment, enrollment, or benefits eligibility.
  9. Documentation and Record Retention for Six Years after the later of the date of creation or the last effective date, covering a Covered Entity’s privacy policies and procedures, its privacy practices notices, the disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented. This is not a requirement to retain the ePHI itself, only the required administrative documentation.


Violations of HIPAA and the HIPAA Privacy Rule carry both civil and criminal penalties.

To assist in auditing compliance with HIPAA privacy requirements, NIU follows guidelines and checklists established by the National Institute of Standards and Technology (NIST), specifically NIST Special Publication (SP) 800-53, Revision 4, Appendix J: the Privacy Control Catalog in Security and Privacy Controls for Federal Information Systems and Organizations.
