HIPAA Privacy Rule Summary: All Main Points Explained

Has someone besides a patient asked you for patient information? In most cases, you need to keep information private. However, the HIPAA Privacy Rule summary covers a few instances where you can disclose that information. Before you treat your next patient, consider what the Privacy Rule entails and how it can affect your job. Then, you can give the best care possible. Keep reading to learn more.

What Is the Privacy Rule?

The Privacy Rule is part of the Health Insurance Portability and Accountability Act (HIPAA). It sets the standards that providers have to follow when using or disclosing medical records. Under the Privacy Rule, health professionals need to keep certain information private. However, the rule does allow you to use patient information for a few things, such as giving proper care and dealing with a patient's insurance plan. The rule is comprehensive yet flexible to account for the needs of many patients. That way, providers can work with patients and use medical records without compromising on care or other essential tasks.

What Information Does It Protect?

The HIPAA Privacy Rule safeguards protected health information (PHI). PHI includes demographic information, social security numbers, and patient contact information. This information can exist in a variety of forms, such as paper or electronic records, and the rule also applies to oral conversations with your patients. You can learn more about PHI and other essential elements of the Privacy Rule in a HIPAA Certification course. What is HIPAA Certification? It can count toward your continuing education, and you can use courses to stay up to date on important topics. The rule also addresses de-identified health information, though it does not restrict how that information is used. De-identified health information doesn't reveal who the information is about, so you don't need to be as strict about using it.

Who Does It Cover?

The Privacy Rule lists covered entities that must comply with the rule's standards for privacy of individually identifiable health information. A few types of health professionals and organizations are covered entities:

  • Health care providers, such as doctors and nurses
  • Individual and group health insurance plans
  • Health care clearinghouses that process health data
  • Business associates working in health care

As a covered entity, you should be familiar with a HIPAA Privacy Rule summary. A summary can help you understand the basics and best practices so that you can comply with the law. Then, you can give the best possible care without risking legal issues.

Basic Principle

The Privacy Rule restricts how covered entities can use and disclose PHI. However, the rule does leave two exceptions available for providers and other entities. First, the Privacy Rule may require disclosing PHI, such as when talking directly with the patient in question. You may also need to disclose information to law enforcement or other officials during an investigation that can affect a patient's situation. Second, if a patient or their representative, such as a guardian, allows you to disclose information, you can do so. However, you must obtain that permission in writing, and it should specify the PHI you need and how you'll use it.

Necessary Disclosures

Another part of the Privacy Rule focuses on when you must disclose PHI. The first scenario involves patients or a patient's representative. If the patient or representative asks to access their PHI, you can disclose it. You can also do so if a patient or their representative asks for their medical records. However, verify the identity of the patient or their representative first to keep their PHI safe. The other instance where you may need to disclose PHI is to the Department of Health and Human Services (HHS). If HHS conducts a compliance investigation or enforcement action, you can disclose PHI without committing a HIPAA violation.

Permitted Uses

Another essential part of any HIPAA Privacy Rule summary covers other permitted uses and disclosures of PHI. These uses don't require permission from the patient before you can use or disclose the information. However, you should still follow best practices when using PHI. Consider professional ethics and decide case by case, since factors can vary, such as with patients who are minors. Here are a few uses where you don't need written authorization from a patient to use or disclose their PHI.

The Individual

When speaking to your patient, you don't need their permission to disclose their PHI. If a patient asks about their medical records during an appointment or via a phone call, you can provide them. However, be careful when using the phone or other contact methods that aren't in person. Make sure that no one is impersonating your patient to gain access to their information. You should also consider whether someone else is in the room with your patient, such as a parent or spouse. If so, you may need the patient's authorization to talk about their records.

Informal Permission

You may also be able to get informal permission from your patients, but you must give them the opportunity to object. Informal permission can apply to a few things within your clinic, such as creating a patient contact directory. You can also use informal permission if you need to contact a patient's family member. If the patient doesn't answer a call about their medical records, you may be able to contact a parent or spouse. This can also apply to billing information, such as when someone is on another person's health insurance plan. If someone else is responsible for a patient's care, you can also use informal permission to disclose the patient's PHI to them.

Treatment and Operations

If you need to consult with another provider regarding a patient's treatment plan, you can disclose PHI without authorization. You can do this within your office, or you can disclose the information when referring a patient to a specialist. Health care operations may also require the use of PHI. Activities such as quality assessments, insurance functions, and business planning may need PHI to make decisions. When possible, you can use de-identified health information to avoid disclosing too much. You can also use PHI when dealing with payment and insurance. Then, you can make sure a patient's insurance company pays for the patient's care and reimburses any other expenses.

Public Interest

While the Privacy Rule doesn't require disclosure, it allows you to disclose PHI when doing so can help the public. Public interest disclosures cover uses of health information for purposes other than giving care. You can disclose information for public health records, law enforcement, and judicial proceedings. For example, you can disclose PHI if a patient has been sexually harassed or abused, to help investigators on that case. Public interest also encompasses medical research and the donation of organs and tissues. Workers' compensation claims and essential government functions also allow you to disclose PHI without official permission.

Incidental Use

You should do your best not to accidentally disclose PHI, but it can happen. If some PHI is disclosed alongside PHI that you do have permission to use or disclose, the extra disclosure may count as incidental. For a disclosure to qualify as incidental, you must have taken reasonable steps under the Privacy Rule to protect PHI. You also can't share more than the minimum amount of information necessary during the incidental use. If you don't meet one or both of those requirements, you may have a HIPAA violation. However, the rule is flexible enough to allow for accidents, as they can be hard to avoid entirely.

Limiting Use

Another essential part of the Privacy Rule focuses on limiting the use of PHI. You should only use information when necessary and never more than the minimum. Covered entities have to take reasonable steps to use only what they need for the task at hand. That way, you can avoid disclosing too much information or compromising patient privacy. You can limit use by making sure providers access only what they need, and you can also limit access itself. If someone doesn't treat a particular patient, you can set up your system so that they can't access that patient's medical records. A medical office can set its own criteria for the "minimum necessary" standard. Then, you and your colleagues can follow the same rules when it comes to accessing patient information.

Privacy Notice

You should provide patients (or their guardians, for patients under 18) with a privacy policy whenever you take on a new patient or when your policy changes. The policy should cover how you use PHI and how you keep the information safe. Give the notice at the first visit when treating someone in person. You can also give the notice through the mail or through an electronic service when contacting patients by phone or mail. When treating patients, you should also obtain the patient's signature acknowledging that you gave them your privacy policy. If you can't get a signature, you will need to document the reason why. However, emergency care doesn't carry this same requirement.