If the Security Rule is about protecting data technically, the Privacy Rule is about controlling its use. It governs every form of protected health information — electronic, paper, and spoken — and it gives patients enforceable rights over their own records.
What the Privacy Rule covers
The Privacy Rule sets national standards for the use and disclosure of protected health information (PHI) by covered entities and, through Business Associate Agreements, their business associates. It applies to PHI in any form, whether stored in an electronic record, written on paper, or spoken in a hallway conversation.
Its central premise is simple: PHI may only be used or disclosed when the rule permits it, or when the individual authorizes it. Everything else in the Privacy Rule elaborates on that core principle. Building durable HIPAA compliance starts with internalizing this default of restraint.
Permitted uses and disclosures
The Privacy Rule permits PHI to be used or disclosed without patient authorization for a defined set of purposes. The most important are treatment, payment, and healthcare operations — the everyday activities of delivering and paying for care. A provider sharing records with a specialist, a clinic billing an insurer, and a hospital conducting quality reviews are all permitted uses.
The rule also permits certain disclosures in the public interest, such as required reporting to public-health authorities, and disclosures to the individual themselves. Outside these permitted categories, a valid authorization is generally required.
When authorization is required
For uses and disclosures that fall outside the permitted categories — marketing, most disclosures of psychotherapy notes, sale of PHI, and many research uses — the Privacy Rule requires a written authorization from the individual. A valid authorization must be specific: it describes the information to be disclosed, names who may disclose it and who may receive it, states the purpose, and sets an expiration date or event. It must also be signed and dated by the individual and inform them of their right to revoke it in writing.
Treating authorization as a deliberate, documented step — rather than a formality — is essential, because using PHI beyond what an authorization permits is a violation.
The minimum necessary standard
A defining feature of the Privacy Rule is the “minimum necessary” standard. When using or disclosing PHI, or requesting it from others, covered entities must limit themselves to the minimum amount reasonably needed to accomplish the purpose. This applies to routine workflows through role-based access and to non-routine disclosures through case-by-case review.
There are exceptions — the standard does not apply to disclosures to or requests by a provider for treatment, to disclosures to the individual, to uses or disclosures made under a valid authorization, or to disclosures required by law — but as a general discipline, minimum necessary shapes how access is granted and how data is shared throughout the organization.
Patient rights under the Privacy Rule
The Privacy Rule grants individuals a set of rights over their health information. They have the right to access and obtain a copy of their records, to request amendment of inaccurate or incomplete information, to request restrictions on certain uses and disclosures, and to request confidential communications by alternative means or at alternative locations. They also have the right to an accounting of certain disclosures and to receive a Notice of Privacy Practices.
Honoring these rights promptly and consistently is a core operational obligation, and failures to provide timely access are among the most common sources of complaints and enforcement.
The Notice of Privacy Practices
Covered entities must provide individuals with a Notice of Privacy Practices that explains how their PHI may be used and disclosed and describes their rights. The notice must be written in plain language, made available to patients, and posted where practical. It is the primary way patients learn how their information is handled, and providing it is a baseline Privacy Rule requirement.
Administrative requirements
Beyond rules about disclosure, the Privacy Rule imposes administrative obligations. Covered entities must designate a privacy official responsible for the program, train workforce members on privacy policies, apply sanctions for violations, implement safeguards to protect PHI, mitigate the harmful effects of violations they learn of, establish a process for individuals to file complaints, and retain their policies and related documentation for the required period. These requirements ensure that privacy protection is operationalized, not merely promised.
Privacy Rule and business associates
The Privacy Rule reaches business associates through Business Associate Agreements. A covered entity may disclose PHI to a business associate to perform services, provided a BAA binds the associate to use the information only as permitted and to safeguard it. Business associates, in turn, must honor the obligations that flow through their agreements, including the minimum necessary standard and prompt reporting to the covered entity of any use or disclosure not permitted by the agreement, breaches of unsecured PHI included. Since the HITECH Act, business associates are also directly liable for certain Privacy Rule violations, not merely contractually.
Common Privacy Rule pitfalls
Frequent Privacy Rule mistakes include disclosing more information than necessary, failing to provide patients timely access to their records, using PHI for marketing without authorization, and neglecting to train staff on what they may and may not share. Casual conversations and misdirected communications — faxes, emails, or messages sent to the wrong recipient — are also common and surprisingly costly.
Most of these failures stem from a culture that has not internalized the rule’s default of restraint. Training and clear procedures are the most effective countermeasures.
How to comply with the Privacy Rule
Compliance begins with written privacy policies and a designated privacy official. From there, implement role-based access aligned to minimum necessary, train every workforce member, provide a clear Notice of Privacy Practices, and stand up reliable processes for honoring patient rights and handling complaints. Ensure Business Associate Agreements are in place with every vendor that touches PHI.
Finally, treat compliance as ongoing. Review policies as workflows change, retrain regularly, and audit access and disclosures so that the rule’s principles remain embedded in daily practice rather than fading into the background.
Why the Privacy Rule matters
The Privacy Rule is what gives patients confidence that their most sensitive information will be handled with discretion. For organizations, it provides a clear framework for deciding when health information may be used and shared. Getting it right protects patients from unwanted exposure and protects the organization from complaints, penalties, and the erosion of trust that follows a privacy failure.
Incidental disclosures
The Privacy Rule recognizes that some incidental disclosures are unavoidable in real-world care — a patient name overheard at a reception desk, for instance. These are permitted as long as the covered entity has applied reasonable safeguards and followed the minimum necessary standard. The key is that incidental disclosures must be a byproduct of an otherwise permitted use, not the result of carelessness.
Reasonable safeguards — lowered voices, privacy screens, and careful handling of documents — keep these incidental exposures within bounds and demonstrate good-faith diligence.
De-identified data and limited data sets
Information that has been properly de-identified, either by expert determination or by removing the identifiers specified in the rule's safe-harbor method, is no longer PHI and falls outside the Privacy Rule, enabling broader use for analytics and research. The rule also defines a “limited data set” — data from which direct identifiers have been removed but which may retain dates, city, state, and ZIP code — which may be used for research, public health, or health care operations under a data use agreement. Both mechanisms let organizations extract value from data while protecting individuals.
Training and a culture of privacy
Policies alone do not produce compliance; people do. The Privacy Rule requires workforce training, but the most effective organizations go further and build a culture where restraint with PHI is second nature. Regular, role-specific training that uses real scenarios — what to share with a caller, how to verify identity, when to escalate — turns abstract rules into reliable everyday behavior.
Enforcement and complaints
Individuals who believe their privacy rights have been violated can file a complaint with the covered entity or directly with the HHS Office for Civil Rights. OCR investigates complaints and can require corrective action or impose penalties. Many enforcement actions trace back to mundane failures — denied access requests, oversharing, or untrained staff — underscoring that consistent, everyday compliance is the best protection against enforcement.