The HIPAA Privacy Rule, explained for operators
The Security Rule gets the headlines, but the Privacy Rule is where most day-to-day compliance lives. It governs what you are allowed to do with protected health information, what you must tell patients, and the rights patients hold over their own records. This is the plain-language version: what the rule requires, the handful of standards that drive most of the work, and where Rote helps you check your program against them.
Use and disclosure of PHI, in any form.
The HIPAA Privacy Rule lives at 45 CFR Part 164, Subpart E. Where the Security Rule protects electronic PHI with administrative, physical, and technical safeguards, the Privacy Rule decides something different: when protected health information may be used and disclosed at all, in any form, paper, electronic, or spoken, and what rights individuals have over it.
The general rule is restrictive by default (45 CFR 164.502). A covered entity may not use or disclose PHI except as the rule permits or requires, or with the individual's written authorization. Almost everything below is either a named exception to that default or a control on how the exception is used.
One scoping note worth keeping in mind: information that has been de-identified under the rule's standard (45 CFR 164.514(a) and (b)) is no longer PHI, and the Privacy Rule no longer applies to it. De-identification done correctly is a legitimate way to take data out of scope.
Four obligations cover most of it.
If your program handles these four well, you have addressed the bulk of routine Privacy Rule compliance. Each maps to a specific section of the rule, and each is checked by the same skill: HIPAA Gap Analysis, control by control, with a coverage status, a confidence score, and the citation behind it.
PHI may be used for treatment, payment, and health care operations without authorization (164.506), plus a defined set of public-interest disclosures the rule enumerates (164.512). Everything outside those lanes needs a closer look.
Checked by HIPAA Gap Analysis →For uses beyond the permitted lanes, including most marketing and any sale of PHI, you need a valid written authorization with the specific elements the rule requires. Defective authorizations are a common finding.
Checked by HIPAA Gap Analysis →Limit PHI to the minimum necessary for the purpose. It applies to most uses and disclosures, with key carve-outs for treatment, disclosures to the individual, and disclosures under authorization.
Checked by HIPAA Gap Analysis →Most covered entities must maintain and provide a Notice of Privacy Practices describing how PHI is used and the individual's rights. A stale or missing notice is an easy, avoidable gap.
Checked by HIPAA Gap Analysis →What individuals can require of you.
The Privacy Rule gives individuals enforceable rights over their information. The right of access in particular is one of the most frequently cited issues in OCR enforcement, so it is worth confirming your process actually works. Having a policy that mentions a right is not the same as a process that honors it on time.
Individuals may inspect and obtain a copy of their PHI, generally within 30 days and at a reasonable, cost-based fee.
Checked by HIPAA Gap Analysis →Individuals may request corrections to PHI they believe is inaccurate or incomplete, and you must respond within the rule's timeline.
Checked by HIPAA Gap Analysis →Individuals may request an accounting of certain disclosures of their PHI outside treatment, payment, and operations.
Checked by HIPAA Gap Analysis →Individuals may request restrictions on uses and disclosures, including a required restriction for items paid out of pocket in full.
Checked by HIPAA Gap Analysis →The rule follows your data downstream.
If a vendor creates, receives, maintains, or transmits PHI on your behalf, it is a business associate, and the relationship has to run under a business associate agreement that meets 45 CFR 164.504(e). Business associates are also directly liable for certain Privacy Rule provisions, not just the terms of the contract.
In practice the exposure sits in the agreements you already signed. The required provisions are specific, and missing or weak language is common. A clause-level review against the 164.504(e) elements is the fastest way to see where a given BAA actually stands.
Check your program against the rule.
Rote's analysis skills map your existing documents to specific Privacy Rule sections so you can see coverage, gaps, and the citation behind each finding. They run as structured analyses, not a stack of new work.
Maps your policies and procedures against HIPAA Security Rule and Privacy Rule requirements, with coverage status, a confidence score, and the CFR citation per control.
Open skill →Clause-by-clause analysis of a business associate agreement against the 45 CFR 164.504(e) required provisions, with deficiencies flagged and recommended language.
Open skill →A Seven Elements assessment that combines a structured intake with document analysis to produce a maturity stage, enterprise blocker flags, and a 30/60/90 day roadmap.
Open skill →Ask a Privacy Rule question against your own workspace documents and get an answer sourced to a specific document and citation, with escalation when context is thin.
Open skill →Common questions about the HIPAA Privacy Rule.
The Privacy Rule (45 CFR Part 164, Subpart E) governs how protected health information may be used and disclosed, in any form, and the rights patients have over it. The Security Rule (Subpart C) sets the administrative, physical, and technical safeguards for electronic PHI specifically. Most organizations need both: the Privacy Rule decides what you may do with PHI, and the Security Rule decides how you must protect the electronic copy of it.
Protected health information is individually identifiable health information held or transmitted by a covered entity or business associate, in any form: paper, electronic, or oral. Information that has been de-identified under 45 CFR 164.514 is no longer PHI and falls outside the rule.
For most uses and disclosures, the Privacy Rule requires you to limit PHI to the minimum necessary to accomplish the purpose (45 CFR 164.502(b) and 164.514(d)). Treatment, disclosures to the individual, and disclosures made under a valid authorization are key exceptions where the standard does not apply.
You may use and disclose PHI for treatment, payment, and health care operations without authorization (45 CFR 164.506), and for a set of public-interest purposes the rule enumerates (164.512). For most other uses, including most marketing and any sale of PHI, you need a valid written authorization under 164.508.
The Privacy Rule grants individuals the right to access and obtain a copy of their records (164.524), request amendments (164.526), receive an accounting of certain disclosures (164.528), request restrictions on uses and disclosures (164.522), and receive a Notice of Privacy Practices (164.520). The right of access is among the most-cited issues in OCR enforcement.
Yes. Business associates are directly liable for certain Privacy Rule provisions and must operate under a business associate agreement that meets 45 CFR 164.504(e). A clause-level BAA review against those required provisions is the fastest way to see where a given agreement stands.
Primary source: 45 CFR Part 164, Subpart E (eCFR). This page is an operational explainer, not legal advice.
See where your Privacy Rule program stands.
The Readiness Snapshot is free. It places your organization on Rote's compliance maturity matrix and points to where your documentation is thin against the Privacy Rule and the rest of HIPAA, within one week.