Use and disclosure of PHI, in any form.

The HIPAA Privacy Rule lives at 45 CFR Part 164, Subpart E. Where the Security Rule protects electronic PHI with administrative, physical, and technical safeguards, the Privacy Rule decides something different: when protected health information may be used and disclosed at all, in any form, paper, electronic, or spoken, and what rights individuals have over it.

The general rule is restrictive by default (45 CFR 164.502). A covered entity may not use or disclose PHI except as the rule permits or requires, or with the individual's written authorization. Almost everything below is either a named exception to that default or a control on how the exception is used.

One scoping note worth keeping in mind: information that has been de-identified under the rule's standard (45 CFR 164.514(a) and (b)) is no longer PHI, and the Privacy Rule no longer applies to it. De-identification done correctly is a legitimate way to take data out of scope.

The rule follows your data downstream.

If a vendor creates, receives, maintains, or transmits PHI on your behalf, it is a business associate, and the relationship has to run under a business associate agreement that meets 45 CFR 164.504(e). Business associates are also directly liable for certain Privacy Rule provisions, not just the terms of the contract.

In practice the exposure sits in the agreements you already signed. The required provisions are specific, and missing or weak language is common. A clause-level review against the 164.504(e) elements is the fastest way to see where a given BAA actually stands.

Common questions about the HIPAA Privacy Rule.

What is the difference between the HIPAA Privacy Rule and the Security Rule?

The Privacy Rule (45 CFR Part 164, Subpart E) governs how protected health information may be used and disclosed, in any form, and the rights patients have over it. The Security Rule (Subpart C) sets the administrative, physical, and technical safeguards for electronic PHI specifically. Most organizations need both: the Privacy Rule decides what you may do with PHI, and the Security Rule decides how you must protect the electronic copy of it.

What counts as protected health information under the Privacy Rule?

Protected health information is individually identifiable health information held or transmitted by a covered entity or business associate, in any form: paper, electronic, or oral. Information that has been de-identified under 45 CFR 164.514 is no longer PHI and falls outside the rule.

What is the minimum necessary standard?

For most uses and disclosures, the Privacy Rule requires you to limit PHI to the minimum necessary to accomplish the purpose (45 CFR 164.502(b) and 164.514(d)). Treatment, disclosures to the individual, and disclosures made under a valid authorization are key exceptions where the standard does not apply.

When do I need a patient authorization to use PHI?

You may use and disclose PHI for treatment, payment, and health care operations without authorization (45 CFR 164.506), and for a set of public-interest purposes the rule enumerates (164.512). For most other uses, including most marketing and any sale of PHI, you need a valid written authorization under 164.508.

What rights do patients have over their health information?

The Privacy Rule grants individuals the right to access and obtain a copy of their records (164.524), request amendments (164.526), receive an accounting of certain disclosures (164.528), request restrictions on uses and disclosures (164.522), and receive a Notice of Privacy Practices (164.520). The right of access is among the most-cited issues in OCR enforcement.

Does the HIPAA Privacy Rule apply to business associates?

Yes. Business associates are directly liable for certain Privacy Rule provisions and must operate under a business associate agreement that meets 45 CFR 164.504(e). A clause-level BAA review against those required provisions is the fastest way to see where a given agreement stands.

Primary source: 45 CFR Part 164, Subpart E (eCFR). This page is an operational explainer, not legal advice.

See where your Privacy Rule program stands.

The Readiness Snapshot is free. It places your organization on Rote's compliance maturity matrix and points to where your documentation is thin against the Privacy Rule and the rest of HIPAA, within one week.