
Regulatory guide

The HIPAA Privacy Rule — What Independent Practices Need to Know

The Privacy Rule governs how your practice uses and discloses patient information — who can see it, when, and under what conditions. This guide covers the provisions that matter most for independent practices, in language practitioners can act on.

45 CFR §§ 164.500–534

Overview

What the Privacy Rule covers.

The HIPAA Privacy Rule (45 CFR §§ 164.500–534) establishes national standards for the protection of individually identifiable health information. Unlike the Security Rule — which focuses on electronic data — the Privacy Rule covers PHI in every form: electronic records, paper charts, and verbal communications.

For independent practices, the Privacy Rule governs everyday operations: how your front desk discusses patient information, how billing staff share data with insurers, how clinicians coordinate care with specialists, and how your practice responds when a patient asks to see their records.

The rule defines permitted uses and disclosures — situations where PHI can be shared without patient authorization (treatment, payment, healthcare operations, public health reporting) — and situations where written authorization is mandatory (marketing, psychotherapy notes, sale of information). It also establishes patient rights that your practice must support: access, amendment, accounting of disclosures, restrictions, and confidential communications.

Key provisions

The four provisions that matter most for your practice.

Minimum Necessary Standard

§164.502(b)

Covered entities must limit the use, disclosure, and request of PHI to the minimum amount needed to accomplish the intended purpose. Staff should not access entire patient records when only a specific data point is needed. This standard applies to internal use, disclosures to third parties, and requests to other covered entities — with exceptions for treatment, patient requests, and legally required disclosures.

Patient Rights

§§164.524–528

Patients have the right to access their medical records, request corrections, obtain an accounting of disclosures, request restrictions on uses of their PHI, and receive confidential communications. Covered entities must respond to access requests within 30 days. Denial of access is limited to narrow circumstances, and patients can appeal.

Notice of Privacy Practices

§164.520

Every covered entity must provide patients with a clear, written notice explaining how their PHI may be used and disclosed, their rights, and the entity's legal obligations. The NPP must be provided at the first service encounter, posted in the facility, and available on the practice's website. Material changes require redistributing the notice.

Authorization Requirements

§164.508

Uses and disclosures not covered by treatment, payment, and healthcare operations (TPO) or other permitted purposes require a valid, written authorization from the patient. Authorizations must be specific — describing the information, who may disclose it, who may receive it, the purpose, and an expiration date. Psychotherapy notes and marketing uses require separate, specific authorizations.

Privacy vs. Security

How the Privacy Rule differs from the Security Rule.

These two rules are complementary — not interchangeable. Compliance with one does not satisfy the other. Most independent practices need to address both simultaneously.

| Aspect | Privacy Rule | Security Rule |
| --- | --- | --- |
| What it protects | All PHI — electronic, paper, and oral | Only ePHI — electronic protected health information |
| Core focus | How PHI is used and disclosed — who can see it and under what circumstances | How ePHI is safeguarded — technical, physical, and administrative controls |
| Patient rights | Access, amendment, accounting of disclosures, restrictions, confidential communications | No direct patient-facing rights — focuses on organizational safeguards |
| Key requirement | Notice of Privacy Practices, minimum necessary standard, authorization requirements | Security Risk Assessment, access controls, encryption, audit logging |
| Enforcement focus | Unauthorized disclosures, failure to provide access, missing NPPs | Missing SRAs, unencrypted ePHI, no access controls, no audit trails |
| Who must comply | Covered entities (and business associates for certain provisions) | Both covered entities and business associates — fully and directly |

For your practice

What this means for your practice.

Train every workforce member on permitted disclosures

Front desk staff, billing teams, and clinical staff all handle PHI differently. Each role needs training on what they can share, with whom, and under what circumstances. The most common Privacy Rule violations come from well-meaning employees who disclose too much information in response to phone calls, family inquiries, or insurance requests.

Post your Notice of Privacy Practices — and make it real

The NPP is not a formality. It must accurately describe your practice's data handling. If you use a patient portal, send appointment reminders by text, or share records with referring physicians, your NPP must reflect those uses. A generic template that doesn't match your actual operations is a compliance gap.

Implement the minimum necessary standard in daily operations

Configure your EHR so each role sees only the data they need. Front desk staff don't need clinical notes. Billing staff don't need psychotherapy records. Role-based access isn't just a Security Rule requirement — the Privacy Rule's minimum necessary standard demands it at the use-and-disclosure level.

Know when you need an authorization — and when you don't

Treatment, payment, and healthcare operations don't require patient authorization. Public health reporting, law enforcement requests, and certain regulatory disclosures have their own exceptions. Everything else — marketing, research, psychotherapy notes, sale of PHI — requires a valid, written authorization with specific content requirements.
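The role-based EHR configuration and the authorization gate described in the two items above, combined in one added Python example. This is illustrative code written for this guide, not Patient Protect's software and not the text of the rule: the record section names, the role-to-section map, the purpose lists and the sample authorizations are constructed assumptions. Given a request (role, purpose, requested sections, optional authorization), it refuses authorization-required purposes that lack a valid, unexpired authorization, trims every other request to the sections the role's job needs, and records each decision in an audit log.

```python
"""Minimum-necessary and authorization gate for PHI use and disclosure.

Added example, not Patient Protect's software and not the text of the rule.
Sections, roles, purpose lists and sample authorizations are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Purposes the guide lists as permitted without patient authorization.
# Other permitted purposes it mentions (public health, law enforcement)
# are not modelled here.
TPO_PURPOSES: FrozenSet[str] = frozenset({"treatment", "payment", "operations"})

# Purposes the guide says always need a valid written authorization.
AUTHORIZATION_REQUIRED: FrozenSet[str] = frozenset(
    {"marketing", "research", "psychotherapy_notes", "sale"}
)

# Hypothetical EHR sections each workforce role may use (assumed names).
# This is the "configure your EHR so each role sees only what it needs" step.
ROLE_SECTIONS: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({"demographics", "scheduling", "insurance"}),
    "billing": frozenset({"demographics", "insurance", "billing_codes"}),
    "clinician": frozenset(
        {"demographics", "scheduling", "clinical_notes", "lab_results", "billing_codes"}
    ),
}


@dataclass(frozen=True)
class Authorization:
    """The elements a written authorization must describe to be specific."""

    information: str  # what may be disclosed
    discloser: str  # who may disclose it
    recipient: str  # who may receive it
    purpose: str  # for what purpose
    expires: date  # expiration date

    def is_valid(self, purpose: str, today: date) -> bool:
        """Complete, matching the requested purpose, and not yet expired."""
        complete = all((self.information, self.discloser, self.recipient, self.purpose))
        return complete and self.purpose == purpose and today <= self.expires


@dataclass(frozen=True)
class DisclosureRequest:
    role: str
    purpose: str
    sections: FrozenSet[str]
    authorization: Optional[Authorization] = None


@dataclass(frozen=True)
class Decision:
    allowed: FrozenSet[str]
    denied: FrozenSet[str]
    reason: str


AUDIT_LOG: List[str] = []  # every decision, allow or deny, is recorded


def _record(verdict: str, req: DisclosureRequest, decision: Decision) -> Decision:
    AUDIT_LOG.append(
        f"{verdict} role={req.role} purpose={req.purpose} allowed={sorted(decision.allowed)} "
        f"denied={sorted(decision.denied)} reason={decision.reason}"
    )
    return decision


def evaluate(req: DisclosureRequest, today: date) -> Decision:
    """Return the requested sections the role may use for this purpose."""
    if req.purpose in AUTHORIZATION_REQUIRED:
        auth = req.authorization
        if auth is None or not auth.is_valid(req.purpose, today):
            return _record("DENY", req, Decision(frozenset(), req.sections,
                                                 "valid written authorization required"))
    elif req.purpose not in TPO_PURPOSES:
        # Conservative default: a purpose this gate does not model is refused.
        return _record("DENY", req, Decision(frozenset(), req.sections, "purpose not recognized"))

    # Minimum necessary: trim the request to the sections the role's job needs.
    permitted = ROLE_SECTIONS.get(req.role, frozenset())
    allowed, denied = req.sections & permitted, req.sections - permitted
    verdict = "DENY" if not allowed else ("PARTIAL" if denied else "ALLOW")
    reason = "minimum necessary applied" if denied else "permitted"
    return _record(verdict, req, Decision(allowed, denied, reason))


# Constructed sample data used by the demonstration below.
TODAY = date(2025, 6, 1)
MARKETING_AUTH = Authorization(
    "demographics", "Example Practice", "Example Mailing Vendor", "marketing", date(2025, 12, 31)
)
EXPIRED_MARKETING_AUTH = Authorization(
    "demographics", "Example Practice", "Example Mailing Vendor", "marketing", date(2024, 12, 31)
)

if __name__ == "__main__":
    # Front desk pulling a chart for an operations task: clinical notes are trimmed away.
    evaluate(DisclosureRequest("front_desk", "operations",
                               frozenset({"demographics", "clinical_notes"})), TODAY)
    # Marketing use without an authorization is refused; with a valid one it is permitted.
    evaluate(DisclosureRequest("billing", "marketing", frozenset({"demographics"})), TODAY)
    evaluate(DisclosureRequest("billing", "marketing", frozenset({"demographics"}),
                               MARKETING_AUTH), TODAY)
    print("\n".join(AUDIT_LOG))
```

The gate applies the role map for every purpose, including treatment, because it models the EHR role configuration the guide recommends rather than the rule's treatment exception to minimum necessary, which concerns disclosures between providers and is not modelled here. A real deployment would load the role map from the EHR's access-control settings and ship the audit log to whatever the practice uses for its Security Rule audit trail.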

Respond to patient access requests within 30 days

Patients have the right to access their records in the format they request, including electronic copies. Denials are limited and must be justified. OCR has made patient right-of-access its enforcement priority — more than half of recent enforcement actions involve access request failures. Do not delay, and do not charge unreasonable fees.

Privacy Rule compliance starts with visibility

Know where your practice stands — before OCR asks.

Patient Protect covers both Privacy Rule and Security Rule requirements in a single platform — risk assessments, policy generation, workforce training, and patient rights workflows. No spreadsheets. No consultants.


FAQ

Questions about the Privacy Rule.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs how PHI in any form — electronic, paper, or oral — is used and disclosed. It defines patient rights and sets standards for who can access information and under what circumstances. The Security Rule focuses specifically on ePHI and requires technical, physical, and administrative safeguards to protect it. Both rules apply to all covered entities, and compliance with one does not satisfy the other.

Does the Privacy Rule apply to small practices?

Yes — without exception. There is no size-based exemption. A solo practitioner with 50 patients has the same Privacy Rule obligations as a hospital system. This includes providing a Notice of Privacy Practices, implementing the minimum necessary standard, responding to patient access requests, and documenting all policies and procedures.

Can I share patient information with a referring physician without authorization?

Yes. Disclosures for treatment purposes — including referrals, consultations, and care coordination — are permitted under the Privacy Rule without patient authorization. The minimum necessary standard does not apply to treatment disclosures, but it still applies to payment and operations disclosures. Only share the information the referring provider needs for the clinical purpose.

What are the penalties for Privacy Rule violations?

OCR enforces Privacy Rule violations on the same penalty scale as all HIPAA violations: $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. The most common Privacy Rule enforcement actions involve failure to provide patient access to records, unauthorized disclosures, and missing or inadequate Notices of Privacy Practices.