HealthLaw IQ (beta)

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards for when and how protected health information (PHI) can be used and disclosed. It applies to health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. The rule gives patients rights over their health information, including the right to access their records, request corrections, and know who has seen their data.

Citation: 45 C.F.R. Part 160 and Part 164, Subpart E
Sections: 102
Words indexed: 58,919
Applies to: Health plans, healthcare clearinghouses, healthcare providers who transmit health information electronically (covered entities), and their business associates

Key Points

Covered entities can use PHI for treatment, payment, and healthcare operations without patient authorization

Most other uses require written patient authorization

Patients have the right to access their own records within 30 days of request

The 'minimum necessary' standard limits PHI use to what is needed for the specific purpose

Business associates who handle PHI must sign a Business Associate Agreement (BAA)

Violations can result in fines from $100 to $50,000 per violation, up to $1.5 million per year per violation category

Key Areas

Uses and Disclosures

When PHI can be used or shared without authorization

Patient Rights

Access, amendment, accounting of disclosures, restrictions

Minimum Necessary

Limiting PHI use to what is needed for the purpose

Business Associates

Requirements for third parties handling PHI

Administrative Requirements

Policies, training, safeguards, complaints

Key Provisions

164.502

Uses and Disclosures: General Rules

The foundation of the Privacy Rule. Defines when PHI can be used without authorization (treatment, payment, operations) and when authorization is required.

164.508

Uses Requiring Authorization

Lists the specific situations where patient authorization IS required: marketing, sale of PHI, psychotherapy notes, and most research.

164.512

Uses Without Authorization or Opportunity to Agree/Object

The 12 categories where PHI can be disclosed without patient consent: public health, law enforcement, judicial proceedings, workers' comp, and others.

164.524

Patient Right of Access

Patients' right to access and obtain a copy of their PHI. This is the most commonly enforced provision. HHS has brought enforcement actions specifically for access violations.

164.526

Right to Amend

Patients can request corrections to their records. Covered entities must respond within 60 days.

164.530

Administrative Requirements

Requires privacy policies, a privacy officer, workforce training, and safeguards. This is what auditors check first.

All Regulation Sections

Part 160: HIPAA General Administrative Requirements (61 sections)

Part 164: HIPAA Security and Privacy (41 sections)