The Privacy Rule

Last updated: November 4, 2020

Sets national standards for when protected health information (PHI) may be used and disclosed. The Privacy Rule protects individually identifiable health information, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to the individual’s:

  • Present or future physical or mental health or condition
  • Provision of health care to the individual
  • Past, present, or future payment for the provision of health care to the individual

PHI includes many common identifiers, such as name, address, birth date, and Social Security number.

The HIPAA Privacy Rule establishes standards for the protection of PHI held by private entities such as:

  • Health plans
  • Health care clearinghouses
  • Those health care providers that conduct certain health care transactions electronically
  • Their business associates

(HHS, 2016)

Table 1: Covered Entities and Examples

Health Plans
  • Company health plans
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and the Military and Veterans’ healthcare programs
  • Health insurance companies
  • Health Maintenance Organizations (HMOs)

Health Care Clearinghouses
  • Billing services
  • Community health management information systems
  • Repricing companies
  • Value-added networks

Health Care Providers
  • Chiropractors
  • Clinics
  • Dentists
  • Doctors
  • Nursing homes
  • Pharmacies
  • Psychologists

Business Associates
  • Accreditation
  • Billing
  • Claims processing
  • Consulting
  • Data analysis
  • Financial services
  • Legal services
  • Management administration
  • Utilization review

The Privacy Rule gives patients important rights with respect to their health information, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

A covered entity may use and disclose protected health information, without an individual’s authorization, for the following purposes or situations (HHS, 2016):

  • To the individual (unless required for access or accounting of disclosures)
  • Treatment, payment, and health care operations
  • Opportunity to agree or object
  • Incident to an otherwise permitted use and disclosure
  • Public interest and benefit activities
  • Limited data set for the purposes of research, public health, or health care operations

Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

A covered entity also may rely on an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care. In addition, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death. Furthermore, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.

The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.

The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These include (HHS, 2016):

  1. Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).
  2. Public Health Activities. Covered entities are allowed to disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA-regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace-related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law.
  3. Victims of Abuse, Neglect, or Domestic Violence. Covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence in certain circumstances.
  4. Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies for activities such as audits and investigations necessary for oversight of the health care system and government benefit programs.
  5. Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
  6. Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions:
    • When required by law (including court orders, court-ordered warrants, subpoenas, and administrative requests).
    • To identify or locate a suspect, fugitive, material witness, or missing person.
    • In response to a law enforcement official’s request for information about a victim or suspected victim of a crime.
    • To notify law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death.
    • Whenever a covered entity believes that protected health information is evidence of a crime that occurred on its premises.
    • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
  7. Decedents. Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
  8. Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
  9. Research. “The Privacy Rule allows a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.”
  10. Serious Threat to Health or Safety. Covered entities may disclose protected health information when they believe it is necessary to prevent or lessen a serious and imminent threat to a person or the public, provided the disclosure is made to someone they believe can prevent or lessen the threat. Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
  11. Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.
  12. Workers’ Compensation. Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits.