
HIPAA Laws: Understanding the HIPAA Privacy Rule

If you operate a medical practice, you have probably asked what privacy rules HIPAA actually imposes. HIPAA laws and guidance form an evolving set of rules designed to make healthcare safer for patients, healthcare providers, and their business associates. 

In this article, we’ll take a look at the following topics regarding the HIPAA Privacy Rule:

  • What is the HIPAA Privacy Rule?
  • Which Types of Information are Protected Under the HIPAA Privacy Rule?
  • Why Does the HIPAA Privacy Rule Exist?
  • Who Does the Privacy Rule Apply To? 
  • What Do Medical Practices Need to Do to Be Compliant with the HIPAA Privacy Rule?
  • Penalties for HIPAA Non-Compliance
  • Simplified HIPAA Compliance with PCIHIPAA

What is the HIPAA Privacy Rule?

Since its enactment in 1996, HIPAA has evolved in response to emerging technologies, particularly the shift from paper health records to electronic ones and the growth of telehealth. Health information that identifies a patient is Protected Health Information (PHI) in any form; when it is stored or transmitted electronically it is referred to as ePHI. Periodic rule updates have steadily expanded what healthcare practices must do to protect PHI and patient privacy. 

The Privacy Rule was one of the first HIPAA rules to take effect, with compliance required from April 2003. The Security Rule, which sets the administrative, physical, and technical safeguards for ePHI specifically, followed in 2005, and the two rules overlap: the Privacy Rule governs what may be done with PHI, and the Security Rule governs how ePHI must be protected. Both have been updated since, and both are binding regulations rather than optional guidelines. Following them protects patients' rights and keeps PHI out of the hands of criminals. 

The Privacy Rule sets restrictions and details for how PHI can be shared. The goal of this rule is to ensure that a patient’s personal health information is protected, while also enabling a safe and efficient way to transmit this information between parties (such as transactions between a payment processor and a dental office). 

The other aspect of the HIPAA Privacy Rule is to ensure that patients can access the PHI/ePHI their providers hold about them, while retaining a level of authority over who else may access that information and where it goes. This includes what PHI can be used or disclosed, when, and under what particular circumstances. 

Which Types of Information are Protected Under the HIPAA Privacy Rule?

Health information becomes PHI when it is linked to one or more of the following 18 identifiers. These are also the identifiers that must be removed for data to count as de-identified under HIPAA's Safe Harbor method, after which the Privacy Rule no longer applies to it: 

  • Name
  • Address (Including any information more localized than state) 
  • Dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc. 
  • Telephone Number
  • Fax Number
  • Email addresses
  • Social Security number 
  • Medical record number 
  • Health plan beneficiary number
  • Account number 
  • Certificate/license number
  • Vehicle identifiers (serial numbers, license plate numbers) 
  • Device identifiers/serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers such as fingerprints or voiceprints
  • Full-face photos or other identifiable photographs 
  • Other identifying numbers, characteristics or codes 
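The list above is also a working checklist for de-identification: strip the 18 identifiers and what remains is no longer PHI. The following Python script is an added example, not code from the original page or from PCIHIPAA, showing a Safe Harbor-style scrubber that follows the page's own phrasing (keep only the state from an address, keep only the year from a date, drop every direct identifier) and additionally pattern-scans free-text notes, where identifiers tend to hide. The field names, the regular expressions, and the sample record are all assumptions constructed for this example; map them to your own schema before relying on this.

```python
"""Safe Harbor-style de-identification following the 18-identifier list.

Added example with constructed sample data; field names are assumptions.
"""
import re
from datetime import date
from typing import Any, Dict, List, Optional

# Structured fields that hold a direct identifier: removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo_path",
}
# Address parts more localized than the state: removed; "state" is kept.
ADDRESS_FIELDS = {"street", "city", "county", "zip"}
# Dates related to the individual: reduced to the year.
DATE_FIELDS = {"dob", "date_of_death", "admitted", "discharged"}

# Best-effort patterns for identifiers embedded in free text (clinical notes).
# Order matters: SSN before phone so 3-2-4 digit groups are not split.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"), "[DATE]"),
]


def year_only(value: Any) -> Optional[str]:
    """Reduce a date object, ISO string (YYYY-MM-DD) or US string (MM/DD/YYYY) to its year."""
    if value is None:
        return None
    if isinstance(value, date):
        return str(value.year)
    text = str(value)
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", text) or re.fullmatch(r"\d{1,2}/\d{1,2}/(\d{4})", text)
    if m:
        return m.group(1)
    raise ValueError(f"unrecognised date format: {text!r}")


def scrub_free_text(text: str) -> str:
    """Replace identifier-looking substrings in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a de-identified copy of a patient record per the 18-identifier list."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in ADDRESS_FIELDS:
            continue                                   # drop the identifier entirely
        if key in DATE_FIELDS:
            out[f"{key}_year"] = year_only(value)      # keep only the year
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)          # free text may still carry identifiers
        else:
            out[key] = value
    return out


def find_residual(record: Dict[str, Any]) -> List[str]:
    """Check step: names of string fields that still match any identifier pattern."""
    return [k for k, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p, _ in FREE_TEXT_PATTERNS)]


# Constructed sample record (fictional data).
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "dob": "1984-03-09",
    "admitted": date(2023, 5, 14),
    "street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62701",
    "phone": "555-867-5309", "email": "jane@example.com", "ssn": "123-45-6789",
    "mrn": "MRN-00123456", "ip_address": "203.0.113.7",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt reached at 555-867-5309, follow-up 06/01/2023; portal https://portal.example.org/u/8812",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", find_residual(cleaned))
```

Two caveats a practitioner should keep in mind: the free-text patterns are a safety net, not a guarantee, since identifiers such as a bare medical record number or a name in a note will not match any of them, so run `find_residual` as a check but do not treat an empty result as proof of de-identification; and the function follows the page's wording of keeping nothing more localized than the state, which is stricter than the regulation's own Safe Harbor text, so confirm the exact rules against the HHS guidance before adopting this for production data.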

Why Does the HIPAA Privacy Rule Exist?

As the name implies, the Privacy Rule is about ensuring the privacy of a patient's health information. As with other HIPAA rules, it has been extended over time to encompass modern uses of PHI, and it applies to PHI in every form: spoken, on paper, and electronic. 

Although PHI is fundamentally the patient's information, the medical practices and business associates who handle it (payment processors, device vendors, insurers, and so on) are also exposed when it is mishandled. As telehealth expands, PHI is increasingly targeted by criminals and increasingly exposed by accidental leaks. The resulting security risks, such as ransomware, identity theft, and other misuse of disclosed information, are what the HIPAA Security Rule's safeguards are meant to prevent. 

HIPAA itself gives patients no private right of action, so they cannot sue covered entities (CEs) under HIPAA for mishandled PHI. State laws vary, however, and many permit liability lawsuits for damages, so those laws must be followed as well. In practice, the HIPAA Privacy Rule serves as the baseline set of requirements, and meeting it is also the best protection against state-level claims. 

Who Does the Privacy Rule Apply To?

The HIPAA Privacy Rule applies to all Covered Entities (CE) and their Business Associates (BA). According to HIPAA guidelines:

  • CEs include any party that is directly involved with the treatment, healthcare operations or payment process for healthcare services. There are 3 types of covered entities under HIPAA laws: 
    1. Healthcare Providers (healthcare practices, hospitals, physicians)
    2. Health Plans (insurers, commercial payers)
    3. Healthcare Clearinghouses (intermediary companies for transferring PHI)
  • BAs are vendors that create, receive, maintain, or transmit PHI on behalf of a CE in order to carry out one of those functions. A signed Business Associate Agreement (BAA) between the two organizations is required before any PHI is shared. A subcontractor that handles PHI for a BA is itself a BA and needs its own BAA.

Essentially, if your organization has the ability to and may access PHI at any point, then the Privacy Rule applies to you. 

What Do Medical Practices Need to Do to Be Compliant with the HIPAA Privacy Rule?

To be compliant under the Privacy Rule, there are many steps that CEs must take and maintain on an ongoing basis. These include:

  • Designating a Privacy Officer, the person who oversees adherence to the privacy policies and procedures for PHI required by federal and state law.
  • Training employees on Privacy Rule requirements on an ongoing basis, with a defined timeframe for training new employees.
  • Establishing a patient complaint process, along with a procedure for investigating those complaints.
  • Holding a signed Business Associate Agreement with every organization that handles PHI on the practice's behalf.
  • Providing patients with a written Notice of Privacy Practices (NPP).
  • Providing patients with access to their medical records, including the right to request amendments to those records and to request restrictions on how their PHI is used and shared.
  • Adhering to the HIPAA Minimum Necessary Standard, under which employees of a CE get access to only the minimum amount of PHI they need to do their jobs, and uses, disclosures, and requests for PHI are likewise limited to the minimum necessary. This reduces the potential for leakage through internal staff, human error, or social engineering. (Disclosures to a provider for treatment are among the exceptions and are not subject to this limit.)
  • Obtaining written patient authorization before PHI is used for purposes such as research, fundraising, or marketing.
  • Taking proper steps to maintain the integrity of ePHI, including the individual identifiers of patients.
  • Documenting the patient's (or parent's) agreement before disclosing immunization records to a school, which the 2013 Omnibus Rule permits without a formal authorization form.
  • Honoring a patient's request to restrict disclosure of PHI to a health plan when the patient has paid for the service in full out of pocket.
  • Providing an electronic copy of health records to a patient upon request.
  • Taking any additional actions needed to ensure that PHI is not used or disclosed in any way that violates the Rule. 

For the complete contents of the HIPAA Privacy Rule, visit the Department of Health & Human Services website.

Penalties for HIPAA Non-Compliance

A thorough understanding of the HIPAA Privacy Rule and the national standards it sets for patients' rights over PHI and ePHI is crucial to remaining compliant. Failing to uphold them can lead to two different types of HIPAA penalties: civil and criminal. 

  • Civil penalties: Imposed by HHS on a covered entity or business associate for violations committed without malicious intent, including violations due to neglect or to lack of awareness that the conduct was wrong. 
  • Criminal penalties: Pursued by the Department of Justice against a person who knowingly obtains or discloses PHI in violation of HIPAA. These carry larger fines and can include prison time. 

Civil HIPAA violation penalty tiers (amounts per violation, subject to an annual cap per provision and adjusted for inflation): 

  • The violator did not know, and could not reasonably have known, that it was committing a violation: from $100 per violation 
  • The violation had reasonable cause and was not due to willful neglect: from $1,000 per violation 
  • The violation was due to willful neglect but was corrected within the required period: from $10,000 per violation 
  • The violation was due to willful neglect and was not corrected: from $50,000 per violation 

Criminal HIPAA violation penalties: 

  • Knowingly obtaining or disclosing PHI in violation of HIPAA: a fine of up to $50,000 and up to one year in prison 
  • Committing the violation under false pretenses: a fine of up to $100,000 and up to 5 years in prison 
  • Committing the violation with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to 10 years in prison 

Proposed Changes to the HIPAA Privacy Rule

In December 2020, the HHS Office for Civil Rights issued an NPRM (Notice of Proposed Rulemaking) describing proposed changes to the Privacy Rule. These changes are intended to remove unnecessary barriers to providing care and to managing the administrative side of healthcare, including:

  • Increasing the efficiency and effectiveness of the healthcare system, such as streamlining how PHI access requests are completed for all parties
  • Improving the process by which patients access their own PHI without adding strain on healthcare professionals
  • Shortening the response window within which covered entities (CEs) must fulfil access requests
  • Requiring a viewable fee schedule for PHI access requests
  • And more

Proposed changes are not binding until they are finalized, but once a final rule is published, medical practices must comply by its effective date. Your practice's Privacy Officer should therefore track the rulemaking and be ready to implement the changes as soon as they take effect. 

(For a complete overview of the proposed changes, see the NPRM on the HHS Office for Civil Rights website.)

Simplified HIPAA Compliance with PCIHIPAA

As you can see, being compliant with HIPAA, particularly its Privacy Rule, is complicated, and falling short can lead to significant penalties. PCIHIPAA offers a comprehensive platform, OfficeSafe, to simplify HIPAA compliance. 

Trusted by thousands of medical practices nationwide, PCIHIPAA helps your organization take every step needed to be HIPAA compliant. From training modules and policies and procedures for handling PHI to network security assessments, let PCIHIPAA be your first choice for HIPAA compliance. Learn more about PCIHIPAA today!
