
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The HIPAA Privacy Rule is a Federal sectoral rule that establishes national privacy standards to protect individuals’ medical records and electronic protected health information (ePHI) handled and maintained by certain entities in the healthcare industry.

Who does HIPAA apply to?

The HIPAA Privacy Rule applies to HIPAA Covered Entities (i.e., healthcare providers, health plans, healthcare clearinghouses) and, by extension, their Business Associates (i.e., service providers of a Covered Entity) that create, receive, maintain, or transmit health information in electronic form.

Privacy protection measures

Authorization for uses and disclosure of PHI

Written patient authorization is required to use PHI for specified purposes (other than treatment, payment, or health care operations), including disclosing PHI to a third party specified by the patient. Ensure authorizations specify which PHI can be used or disclosed, the person authorized to use or disclose PHI, the recipient of the disclosure, and an expiration date.

Right to access and correction of PHI

Individuals have the right to examine and obtain a copy of their health records, and to request corrections. Access includes information contributed by the individual, and extends to PHI about the individual contributed by other healthcare providers or Covered Entities.

Principle of minimum necessary

Covered Entities must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed for the intended purpose of use or disclosure. Develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Notice of privacy practices

Covered Entities must provide a notice of their privacy practices that describes the ways in which the entity uses and discloses PHI, and the rights afforded to individuals over their PHI. Each Covered Entity must abide by the PHI handling practices specified in its privacy notice.


Guide to HIPAA Compliance

How to build and implement a program to demonstrate compliance with HIPAA.


  • Are all businesses that handle PHI subject to the HIPAA Privacy Rule?

    The HIPAA Privacy Rule only applies to those organizations that meet the definition of a Covered Entity (i.e., healthcare providers, health plans, healthcare clearinghouses that electronically transmit ePHI) or Business Associate. It does not apply to employers handling employee health information, or to other organizations that do not meet these requirements.

  • Is all health information regulated by the HIPAA Privacy Rule?

    Health information is only protected by the HIPAA Privacy Rule where it is created or received by a Covered Entity, relates to the past, present, or future physical or mental health or condition of an individual, and is maintained or transmitted in an electronic format.

  • Who enforces the HIPAA Privacy Rule?

    The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing compliance with the HIPAA Privacy Rule.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
