TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. HIPAA Privacy Rules: A Complete Guide for 2026
Legal Compliance

HIPAA Privacy Rules: A Complete Guide for 2026

Understand the HIPAA privacy rules, who must comply, what is protected, and how to avoid violations. A practical guide for covered entities.

TermsBox Team|April 2, 202613 min read

HIPAA privacy rules are the federal regulations that govern how health information is used, disclosed, and protected in the United States. If your organization handles medical records, insurance claims, or any form of individually identifiable health data, understanding these rules is not optional.

This guide provides a practical overview of the HIPAA Privacy Rule, including who must comply, what information is protected, patient rights, permitted disclosures, and how to avoid violations. This content is educational and does not constitute legal advice. Consult a qualified health care attorney or compliance officer for guidance specific to your organization.

What Is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is a set of federal regulations established under the Health Insurance Portability and Accountability Act of 1996. Codified at 45 CFR Part 160 and Subparts A and E of Part 164, the Privacy Rule creates national standards for the protection of individually identifiable health information, known as protected health information (PHI).

At its core, the HIPAA Privacy Rule does three things:

  • Defines protected health information. It establishes what types of data qualify as PHI and are therefore subject to federal protection.
  • Sets boundaries on use and disclosure. It limits when and how covered entities can use or share PHI, with specific exceptions for treatment, payment, and health care operations.
  • Grants individual rights. It gives patients the right to access, amend, and control the distribution of their health records.

The Privacy Rule is distinct from the HIPAA Security Rule, which focuses specifically on electronic PHI (ePHI) and technical safeguards. Both rules work together, but the Privacy Rule has a broader scope covering PHI in any form: electronic, paper, or oral.

Who Must Comply With HIPAA Privacy Regulations

HIPAA privacy regulations do not apply to every organization that handles health-related data. The law defines two categories of regulated entities.

Covered entities

Under 45 CFR Section 160.103, covered entities include:

  • Health plans. Health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and military and veterans' health programs.
  • Health care clearinghouses. Organizations that process nonstandard health information into standard formats, such as billing services and repricing companies.
  • Health care providers. Any provider that transmits health information electronically in connection with a HIPAA-covered transaction. This includes hospitals, physicians, dentists, pharmacies, nursing homes, and clinics.

The critical qualifier for providers is the electronic transmission component. A therapist who accepts only cash and keeps only paper records may not be a covered entity, though state privacy laws may still apply.

Business associates

A business associate is any person or organization that performs functions on behalf of a covered entity involving the use or disclosure of PHI. Examples include cloud hosting providers, medical billing companies, IT contractors with access to health records, and attorneys who receive PHI for legal services.

Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for HIPAA compliance. They must sign a Business Associate Agreement (BAA) with the covered entity and face the same penalties for violations.

Organizations not covered by HIPAA

Several types of organizations handle health data but fall outside HIPAA's scope: life insurers, employers (with respect to employment records), workers' compensation carriers, most schools (covered by FERPA), law enforcement agencies, and consumer health apps not connected to a covered entity.

If your organization collects health-related information but is not a covered entity or business associate, HIPAA does not apply. You should still publish a clear privacy policy. A privacy policy generator can help you disclose data practices under laws like the GDPR and CCPA that may apply to health-adjacent data.

What Information Do HIPAA Privacy Rules Protect?

The Privacy Rule protects a specific category of data called protected health information. Understanding what qualifies as PHI is fundamental to compliance.

Definition of PHI

Under 45 CFR Section 160.103, PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. It includes information that relates to an individual's past, present, or future health condition, the provision of health care, or payment for health care, and that identifies the individual or provides a reasonable basis for identification.

The 18 HIPAA identifiers

The Privacy Rule specifies 18 data elements that make health information individually identifiable. These include names, geographic data smaller than a state, dates related to an individual (except year), phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle and device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.

When all 18 identifiers are removed, the data is considered de-identified under the Safe Harbor method (45 CFR Section 164.514(b)) and is no longer subject to HIPAA restrictions.

What PHI is not

Not all health-related data is PHI. The following are generally excluded:

  • Employment records held by an employer in its capacity as employer
  • Education records covered by FERPA
  • De-identified data meeting Safe Harbor or Expert Determination standards
  • Data held by entities that are not covered entities or business associates

HIPAA Privacy Rule Requirements for Use and Disclosure

The Privacy Rule sets strict limits on when covered entities can use or disclose PHI. This is the operational core of HIPAA privacy regulations.

Required disclosures

A covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule (45 CFR Section 164.502(a)). Required disclosures are limited to two situations: to the individual when they request their own records, and to HHS during compliance investigations.

Permitted disclosures without authorization

The Privacy Rule permits disclosure without the individual's written authorization in several defined circumstances:

  • Treatment, payment, and health care operations (TPO). The most common basis for disclosure. Providers can share PHI with other providers for treatment, with insurers for payment, and internally for quality assurance and business management.
  • Public health activities. Reporting communicable diseases, vital statistics, and adverse events to public health authorities under 45 CFR Section 164.512(b).
  • Victims of abuse, neglect, or domestic violence. Reporting to government authorities as permitted under 45 CFR Section 164.512(c).
  • Judicial and administrative proceedings. Responding to court orders, subpoenas, or discovery requests under 45 CFR Section 164.512(e).
  • Law enforcement purposes. Limited disclosures for identifying suspects, fugitives, or missing persons under 45 CFR Section 164.512(f).
  • Health oversight activities. Audits, investigations, and inspections conducted by government agencies under 45 CFR Section 164.512(d).

The minimum necessary standard

Under 45 CFR Section 164.502(b), covered entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. This standard applies to most uses and disclosures, with these exceptions:

  • Disclosures to or requests by a health care provider for treatment
  • Disclosures to the individual
  • Uses or disclosures authorized by the individual
  • Disclosures to HHS for enforcement
  • Uses or disclosures required by law

In practice, this means a billing department should not have access to clinical notes, and a referral letter should include only the information the receiving provider needs for treatment.

Individual Rights Under HIPAA Privacy Rules

The Privacy Rule grants patients six specific rights regarding their health information. These rights are enforceable, and covered entities must have processes in place to honor them.

1. Right to access (45 CFR Section 164.524)

Patients have the right to inspect and obtain a copy of their PHI held in a designated record set. Covered entities must respond within 30 days (with a possible 30-day extension). They may charge a reasonable, cost-based fee for copies. The 21st Century Cures Act further strengthened electronic access rights.

2. Right to request amendment (45 CFR Section 164.526)

Patients can request corrections to their PHI if they believe it is inaccurate or incomplete. The covered entity may deny the request under specific circumstances but must provide a written explanation.

3. Right to an accounting of disclosures (45 CFR Section 164.528)

Patients can request a list of disclosures made outside of treatment, payment, and health care operations for the six years prior to the request. The first accounting in any 12-month period must be provided free of charge.

4. Right to request restrictions (45 CFR Section 164.522(a))

Patients can ask covered entities to restrict uses and disclosures of their PHI. The covered entity is not required to agree, with one exception: if a patient pays out of pocket in full, the provider must restrict disclosure to a health plan upon request.

5. Right to request confidential communications (45 CFR Section 164.522(b))

Patients can request that communications be sent to an alternative address or by a specific method. Providers must accommodate reasonable requests without requiring an explanation.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

6. Right to receive notice of privacy practices

Under 45 CFR Section 164.520, covered entities must provide a Notice of Privacy Practices (NPP) describing how the entity uses and discloses PHI, the individual's rights, and the entity's legal duties.

HIPAA Privacy Rule Penalties and Enforcement

The Office for Civil Rights (OCR) within HHS enforces the HIPAA Privacy Rule. Penalties have increased significantly since the HITECH Act expanded enforcement authority.

Penalty tiers (adjusted for inflation)

HIPAA penalties are structured in four tiers based on the level of culpability:

Tier Culpability Level Minimum Per Violation Maximum Per Violation
1 Lack of knowledge $137 $68,928
2 Reasonable cause $1,379 $68,928
3 Willful neglect (corrected within 30 days) $13,785 $68,928
4 Willful neglect (not corrected) $68,928 $68,928

The annual cap across all tiers is $2,067,813. Criminal penalties under 42 U.S.C. Section 1320d-6 can reach $250,000 in fines and 10 years imprisonment for offenses involving intent to sell or misuse PHI.

State attorneys general enforcement

The HITECH Act granted state attorneys general the authority to bring civil actions for HIPAA violations under 42 U.S.C. Section 1320d-5(d). Several states have exercised this authority, adding another layer of enforcement risk beyond the OCR.

HIPAA Privacy Rules and Digital Health

The digital transformation of health care has introduced new compliance challenges that the original 1996 law did not anticipate.

Telehealth

Telehealth platforms must comply with HIPAA privacy rules when used by covered entities. The platform itself must sign a BAA with the provider. Standard consumer video chat tools should not be used for clinical consultations.

Mobile health apps

HIPAA applies to a mobile health app only if the app handles PHI on behalf of a covered entity or business associate. A consumer wellness app tracking steps or calories is generally not subject to HIPAA. However, an app built by a hospital for patient portal access is fully covered.

The FTC's Health Breach Notification Rule (16 CFR Part 318) fills the gap for personal health record vendors not covered by HIPAA.

Cloud computing and ePHI

Cloud service providers that store ePHI are business associates and must sign a BAA. Major cloud platforms offer HIPAA-eligible services, but the covered entity retains responsibility for correct configuration and access controls.

Website privacy compliance

If your organization operates a website that collects health-related information, even appointment requests or contact forms that mention symptoms, evaluate whether that data constitutes PHI. Organizations subject to HIPAA should ensure their website privacy policies accurately reflect data handling practices. A privacy policy generator can help create baseline privacy disclosures, though HIPAA-specific language should be reviewed by a compliance officer.

How to Comply With HIPAA Privacy Rule Requirements

Compliance is not a one-time project. It requires ongoing policies, training, and monitoring. Here is a practical framework.

1. Conduct a PHI inventory

Map every location where PHI is created, received, stored, or transmitted. This includes EHR systems, paper files, email, cloud storage, mobile devices, and any third-party platforms.

2. Designate a Privacy Officer

Under 45 CFR Section 164.530(a), every covered entity must designate a privacy official responsible for developing and implementing privacy policies. This person is the point of contact for compliance questions and OCR inquiries.

3. Develop written policies and procedures

Document your organization's policies for:

  • Permitted uses and disclosures of PHI
  • Minimum necessary determinations
  • Patient rights procedures (access, amendment, accounting)
  • Breach notification procedures
  • Business associate management
  • Sanctions for employee violations

4. Implement workforce training

All workforce members who handle PHI must receive training on the organization's privacy policies. Training should occur at onboarding and periodically thereafter. Document all training with dates, topics, and attendee records.

5. Execute Business Associate Agreements

Review every vendor relationship that involves PHI access. Execute a BAA with each business associate that meets the requirements of 45 CFR Section 164.504(e). Monitor BAAs for expiration and update them when the scope of services changes.

6. Establish a breach response plan

Under the Breach Notification Rule (45 CFR Sections 164.400 through 164.414), covered entities must notify affected individuals within 60 days of discovering a breach. Breaches affecting 500 or more individuals require notification to HHS and prominent media outlets.

7. Conduct regular risk assessments

Assess risks to PHI confidentiality at least annually and after any significant change to operations, systems, or personnel. The Security Rule requires periodic risk assessments under 45 CFR Section 164.308(a)(1)(ii)(A).

Frequently Asked Questions

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is a federal regulation under 45 CFR Part 160 and Subparts A and E of Part 164 that establishes national standards for protecting individuals' medical records and other individually identifiable health information. It applies to health plans, health care clearinghouses, and health care providers who transmit health information electronically.

What are the penalties for violating HIPAA privacy rules?

HIPAA penalties are tiered based on the level of negligence. Tier 1 (lack of knowledge) carries fines of $137 to $68,928 per violation. Tier 2 (reasonable cause) ranges from $1,379 to $68,928. Tier 3 (willful neglect, corrected) ranges from $13,785 to $68,928. Tier 4 (willful neglect, not corrected) carries a minimum of $68,928 per violation. The annual maximum across all tiers is $2,067,813.

Does HIPAA apply to mobile health apps?

HIPAA applies to mobile health apps only if the app is created by or on behalf of a covered entity or business associate and handles protected health information. A standalone fitness tracker or wellness app that does not interact with a covered entity is generally not subject to HIPAA, though it may fall under FTC regulations or state health privacy laws.

What is the minimum necessary standard under HIPAA?

The minimum necessary standard requires covered entities to limit the use, disclosure, and request of protected health information to the minimum amount needed to accomplish the intended purpose. It applies to most uses and disclosures but does not apply to disclosures for treatment purposes, disclosures to the individual, or uses authorized by the individual.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the HIPAA Privacy Rule?
  • Who Must Comply With HIPAA Privacy Regulations
  • Covered entities
  • Business associates
  • Organizations not covered by HIPAA
  • What Information Do HIPAA Privacy Rules Protect?
  • Definition of PHI
  • The 18 HIPAA identifiers
  • What PHI is not
  • HIPAA Privacy Rule Requirements for Use and Disclosure
  • Required disclosures
  • Permitted disclosures without authorization
  • The minimum necessary standard
  • Individual Rights Under HIPAA Privacy Rules
  • 1. Right to access (45 CFR Section 164.524)
  • 2. Right to request amendment (45 CFR Section 164.526)
  • 3. Right to an accounting of disclosures (45 CFR Section 164.528)
  • 4. Right to request restrictions (45 CFR Section 164.522(a))
  • 5. Right to request confidential communications (45 CFR Section 164.522(b))
  • 6. Right to receive notice of privacy practices
  • HIPAA Privacy Rule Penalties and Enforcement
  • Penalty tiers (adjusted for inflation)
  • State attorneys general enforcement
  • HIPAA Privacy Rules and Digital Health
  • Telehealth
  • Mobile health apps
  • Cloud computing and ePHI
  • Website privacy compliance
  • How to Comply With HIPAA Privacy Rule Requirements
  • 1. Conduct a PHI inventory
  • 2. Designate a Privacy Officer
  • 3. Develop written policies and procedures
  • 4. Implement workforce training
  • 5. Execute Business Associate Agreements
  • 6. Establish a breach response plan
  • 7. Conduct regular risk assessments
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.