What Does the HIPAA Privacy Rule Say About PHI?

The HIPAA Privacy Rule establishes national standards for how health information that can identify you is protected, shared, and used. It applies to health care providers, health plans, and health care clearinghouses, and it gives you specific rights over your own medical records. At its core, the rule says that your protected health information (PHI) can be used without your permission for treatment, payment, and health care operations, but most other uses require your written authorization.

What Counts as PHI

Protected health information is any health data that can be linked back to a specific person. That includes obvious things like your medical diagnoses and lab results, but it also covers the identifiers that connect that information to you. HIPAA defines 18 specific identifiers that make health information “protected”:

  • Names
  • Geographic data smaller than a state (street address, city, ZIP code)
  • Dates directly related to an individual (birth date, admission date, discharge date, death date), plus all ages over 89
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs
  • Any other unique identifying number or code

If all 18 identifiers are stripped from a health record, the data is considered “de-identified” and is no longer subject to the Privacy Rule. This matters for research and public health work, where organizations need health data without the ability to trace it back to individuals.
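As an added illustration of the de-identification step described above (example code written for this page, not part of the original article), the following Python routine strips the identifier fields from a single constructed patient record, reduces dates to a year, collapses ages over 89 into one bucket, scrubs identifiers embedded in free-text notes, and then re-checks the result for anything still identifying. The field names and the sample record are constructed for the example; keeping the year of a date and reporting ages over 89 as "90+" are assumptions about how the Safe Harbor method is commonly applied and go beyond what the article itself states.

```python
"""Safe Harbor style de-identification of one patient record (added example)."""
import re

# Fields that correspond directly to entries in the 18-identifier list.
# The field names are constructed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_hash", "photo_ref",
}

# Date fields are reduced to their year (assumption beyond the article).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

AGE_CAP = 89  # the article: "all ages over 89" are identifying

# Identifiers that tend to hide inside free-text clinical notes. Order matters:
# the SSN pattern runs before the phone pattern so 3-2-4 and 3-3-4 groups do
# not shadow each other.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"(?<!\d)\d{4}-\d{2}-\d{2}(?!\d)"), "[DATE]"),
]

# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example Lane",
    "city": "Springfield",
    "state": "IL",                 # state-level geography is not an identifier
    "zip": "62704",
    "phone": "555-010-0199",
    "email": "jane.sample@example.com",
    "ssn": "000-12-3456",
    "mrn": "MRN-0099812",
    "ip_address": "203.0.113.7",
    "birth_date": "1931-06-02",
    "age": 93,
    "admission_date": "2024-03-15",
    "discharge_date": "2024-03-18",
    "diagnosis": "J18.9 Pneumonia, unspecified organism",
    "lab_results": {"WBC": 13.2, "CRP": 48.0},
    "notes": "Pt reachable at 555-010-0199 or jane.sample@example.com; "
             "follow-up scheduled 2024-04-01.",
}


def redact_free_text(text):
    """Replace identifier-shaped substrings in prose with a type label."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def generalize_age(age):
    """Ages over 89 collapse into a single bucket so the very old are not singled out."""
    return "90+" if age > AGE_CAP else age


def deidentify(record):
    """Return a Safe Harbor style de-identified copy of one flat record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                 # drop the field entirely
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = int(value[:4])  # keep year only
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = redact_free_text(value)       # scrub identifiers in prose
        else:
            out[key] = value                         # structured clinical data stays
    return out


def residual_identifiers(record):
    """List (field, reason) pairs for anything in the record that is still identifying.

    Only string fields are scanned for embedded identifiers; nested structures
    such as lab_results are passed through unscanned in this example.
    """
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            findings.append((key, "identifier field present"))
        elif key == "age" and isinstance(value, int) and value > AGE_CAP:
            findings.append((key, "age over 89"))
        elif isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    findings.append((key, label))
    return findings


if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    clean = deidentify(SAMPLE_RECORD)
    print("after: ", residual_identifiers(clean))
    print(clean)
```

The second pass, `residual_identifiers`, is the part worth keeping in a real pipeline: stripping known fields is easy, but identifiers copied into a notes field are what usually survive de-identification, so the output should be checked rather than trusted.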

Who Must Follow the Rule

The Privacy Rule applies to three types of “covered entities”: health care providers (doctors, clinics, pharmacies, nursing homes, dentists, psychologists), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid), and health care clearinghouses that process health information into standardized formats. Providers are covered only if they transmit health information electronically for standard transactions like billing.

Any outside company that handles PHI on behalf of a covered entity, called a business associate, must also comply. Think billing companies, cloud storage providers, or IT firms with access to patient data. The covered entity must have a written contract specifying what the business associate can do with the information. Business associates are directly liable for certain HIPAA violations, not just contractually liable.

If an organization doesn’t fall into any of these categories, HIPAA doesn’t apply to it. This is why fitness apps, most employers (outside of their role as health plan sponsors), and life insurance companies generally aren’t bound by the Privacy Rule.

When PHI Can Be Shared Without Your Permission

The Privacy Rule allows covered entities to use and disclose your PHI without authorization in three core situations, often abbreviated as TPO:

  • Treatment: Providers can share your information with other providers to coordinate your care. Your primary care doctor can send records to a specialist you’ve been referred to, or a hospital can share your chart with the lab running your blood work.
  • Payment: Your provider can send information to your insurance company to get reimbursed for services. Your insurer can share information with another plan to coordinate benefits.
  • Health care operations: Covered entities can use PHI for quality improvement, training, auditing, fraud detection, and other administrative functions necessary to run the organization.

Beyond TPO, the Privacy Rule also permits disclosures without authorization for public health activities, law enforcement purposes under specific conditions, judicial proceedings, and situations involving serious threats to health or safety. But for most other purposes, including marketing, a covered entity needs your written authorization before sharing your PHI.

The Minimum Necessary Standard

Even when sharing PHI is allowed, covered entities can’t just hand over your entire medical file. The Privacy Rule requires them to limit disclosures to the minimum amount of information needed to accomplish the purpose. If your insurance company needs to process a claim for a knee surgery, the provider shouldn’t send your full psychiatric history along with it.

For routine, recurring disclosures, organizations must have standard protocols in place that pre-define what information gets shared and who within the organization can access it. For unusual, one-off requests, each disclosure must be individually reviewed against reasonable criteria. The one major exception: disclosures for treatment purposes are not subject to the minimum necessary standard, because providers generally need a complete clinical picture to care for you safely.

Your Rights Under the Privacy Rule

The Privacy Rule grants you six key rights over your health information:

  • Access: You can ask to see and get a copy of your health records.
  • Amendment: You can request corrections to your health information if you believe it contains errors.
  • Notice: You’re entitled to receive a Notice of Privacy Practices that explains, in plain language, how your information may be used and shared.
  • Authorization control: You can decide whether to give permission before your information is used for certain purposes, like marketing.
  • Restrictions: You can request that a covered entity limit how it uses or discloses your PHI, though the entity isn’t always required to agree.
  • Accounting of disclosures: You can get a report showing when and why your health information was shared for certain purposes.

The Notice of Privacy Practices is something you’ve likely encountered, even if you didn’t realize it. Health care providers must give it to you no later than your first visit. It has to describe how the entity uses PHI, explain your rights, list who to contact with questions, and include an effective date. Providers must also post it prominently in their offices and on their websites. When they make material changes to their privacy practices, they’re required to update the notice and distribute it promptly.

Reproductive Health Care Protections

A 2024 update to the Privacy Rule added specific protections for reproductive health care information. Covered entities and business associates are now prohibited from using or disclosing PHI to investigate or impose legal liability on someone for seeking, obtaining, providing, or facilitating reproductive health care that is lawful in the state where it was provided, or that is protected by federal law.

The rule includes a built-in presumption: if the reproductive care was provided by someone other than the entity receiving the request for records, that care is presumed to have been lawful unless the entity has actual knowledge otherwise, or the requester provides a substantial factual basis showing the care was unlawful. This means a covered entity can’t simply hand over reproductive health records in response to an investigation from another state without first determining whether the care in question was legal where it took place.

Penalties for Violations

The Office for Civil Rights at HHS enforces the Privacy Rule through a tiered penalty structure based on the level of responsibility:

  • Unknowing violations: $100 to $50,000 per violation, up to $25,000 per year for repeat violations.
  • Reasonable cause: $1,000 to $50,000 per violation, up to $100,000 per year.
  • Willful neglect, corrected in time: $10,000 to $50,000 per violation, up to $250,000 per year.
  • Willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year.

The gap between the lowest and highest tiers is significant. An organization that makes an honest mistake and doesn’t know it violated the rule faces a fine as low as $100. One that knowingly ignores the rule and fails to fix the problem faces $50,000 per violation with a $1.5 million annual cap. Criminal penalties, including potential jail time, can also apply to the most egregious violations, such as knowingly obtaining PHI under false pretenses.