In 2023, OCR settled with a dental practice in New England for $50,000 after a patient filed a complaint that the practice had disclosed her treatment records to a family member without authorization. The practice's defense? They assumed family members were automatically entitled to information. This case is a sharp reminder that HIPAA gives privacy protection for individuals — not organizations, not family members, and not employers — and misunderstanding who those protections cover is one of the fastest paths to a violation.
HIPAA Gives Privacy Protection For Individuals — Here's What That Means
The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes national standards to protect individuals' medical records and other protected health information (PHI). Specifically, HIPAA gives privacy protection for every person whose health information is created, received, maintained, or transmitted by a covered entity or business associate.
This includes patients receiving care at a hospital, members enrolled in a health plan, and individuals whose records are handled by a healthcare clearinghouse. The protection follows the information, not the setting — meaning PHI is protected whether it exists in an electronic health record, a paper chart, or a verbal conversation at a nurses' station.
The Three Categories of Individuals Protected Under HIPAA
Healthcare organizations consistently struggle to define exactly who falls under HIPAA's privacy umbrella. Let me break it down clearly.
1. Patients of Healthcare Providers
Any individual who receives healthcare services from a covered entity provider — a physician, hospital, pharmacy, or clinic — has HIPAA privacy protections. Their PHI cannot be used or disclosed without authorization except for treatment, payment, and healthcare operations, or where otherwise permitted by the Privacy Rule.
2. Health Plan Members and Enrollees
Individuals enrolled in health insurance plans, HMOs, employer-sponsored group health plans, and government programs like Medicare and Medicaid are all protected. Their enrollment data, claims history, and coverage details are PHI, and any use or disclosure of that information must be limited to the minimum necessary.
3. Individuals Whose Records Pass Through Clearinghouses
Healthcare clearinghouses process nonstandard health information into standard formats. Every individual whose data moves through these systems is afforded the same protections, even if they never interact with the clearinghouse directly.
What HIPAA Privacy Protection Actually Requires of Your Organization
Understanding who HIPAA protects is only half the equation. Your covered entity must operationalize those protections through specific administrative, technical, and physical safeguards.
Notice of Privacy Practices: Every covered entity must provide individuals with a clear notice explaining how their PHI may be used, their rights under HIPAA, and the entity's legal duties. This isn't optional — it's a requirement under 45 CFR §164.520, and OCR reviews it during every compliance investigation.
Minimum Necessary Standard: When your workforce accesses, uses, or discloses PHI, they must limit it to the minimum amount necessary to accomplish the task. A billing specialist doesn't need access to psychiatric notes. A front-desk coordinator doesn't need lab results. Role-based access controls are essential.
Individual Rights: HIPAA gives individuals the right to access their own records, request amendments, obtain an accounting of disclosures, and request restrictions on certain uses. Your organization must have documented policies and trained staff to honor these requests within the timelines specified in the Privacy Rule — typically 30 days for access requests.
Where Organizations Fail: Misunderstanding Who PHI Belongs To
In my work with covered entities, I've seen a recurring pattern: organizations treat PHI as if it belongs to the institution. It doesn't. The privacy rights belong to the individual whose information it is. Your organization is the custodian, not the owner.
This distinction matters in everyday scenarios. When an employer calls a group health plan asking for an employee's claims data, the plan cannot disclose it — even though the employer sponsors the plan. When a parent demands records for an adult child, the provider must verify the patient's authorization. When a business associate subcontracts data processing, the downstream entity must also comply with HIPAA protections.
OCR enforcement actions consistently target these misunderstandings. Between 2003 and 2024, OCR resolved over 35,000 complaints and collected more than $142 million in penalties. Many of these cases trace back to unauthorized disclosures where someone assumed they had the right to share an individual's PHI.
The Workforce Training Gap That Creates Liability
The Privacy Rule at 45 CFR §164.530(b) requires that every member of your workforce receive training on your organization's privacy policies and procedures. Yet this is the requirement most organizations underestimate. Annual checkbox training isn't enough — your team needs scenario-based education that reflects real situations they encounter daily.
A receptionist needs to understand why she can't confirm a patient's appointment to an unverified caller. A nurse needs to know when a verbal disclosure in a shared room crosses the line. An IT administrator needs to recognize that accessing a coworker's records out of curiosity is a HIPAA violation — even if no external disclosure occurs.
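As an added illustration of the minimum necessary standard and of the curiosity-access scenario above (this is example code, not from the original article): a deny-by-default role matrix decides each request, every attempt is logged for later accounting, and lookups against a coworker's own chart are surfaced for review. The roles, PHI categories, user ids, patient ids and the staff-to-patient mapping are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set
# Constructed minimum-necessary matrix (hypothetical roles and PHI categories):
# each role may read only the categories its job function requires.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "billing": {"demographics", "claims"},
    "front_desk": {"demographics", "appointments"},
    "nurse": {"demographics", "appointments", "labs", "medications"},
    "physician": {"demographics", "appointments", "labs",
                  "medications", "psychiatric_notes"},
    "it_admin": set(),  # administering systems needs no clinical record content
}

@dataclass
class AccessEvent:
    user_id: str
    role: str
    patient_id: str
    category: str
    permitted: bool

def is_permitted(role: str, category: str) -> bool:
    # Deny by default: an unknown role or category gets nothing.
    return category in MINIMUM_NECESSARY.get(role, set())

def request_access(log: List[AccessEvent], user_id: str, role: str,
                   patient_id: str, category: str) -> bool:
    # Every attempt, allowed or denied, is recorded so the log can support an
    # accounting of disclosures and later review of who looked at what.
    decision = is_permitted(role, category)
    log.append(AccessEvent(user_id, role, patient_id, category, decision))
    return decision

def workforce_chart_lookups(log: List[AccessEvent],
                            workforce_patients: Dict[str, str]) -> List[AccessEvent]:
    # workforce_patients maps a workforce user_id to that person's own patient_id.
    # Any lookup of a colleague's chart is surfaced, allowed or not: a permitted
    # lookup is still a violation without a treatment, payment or operations reason.
    staff_charts = set(workforce_patients.values())
    return [e for e in log if e.patient_id in staff_charts]
def run_demo():
    # Constructed sample: three staff who are also patients here, and five requests.
    workforce_patients = {"u_nurse": "P300", "u_it": "P400", "u_clerk": "P200"}
    log: List[AccessEvent] = []
    request_access(log, "u_bill", "billing", "P100", "psychiatric_notes")  # denied
    request_access(log, "u_desk", "front_desk", "P100", "labs")           # denied
    request_access(log, "u_nurse", "nurse", "P100", "labs")               # allowed
    request_access(log, "u_it", "it_admin", "P200", "demographics")       # denied, coworker's chart
    request_access(log, "u_nurse", "nurse", "P200", "medications")        # allowed, coworker's chart
    return log, workforce_chart_lookups(log, workforce_patients)
```

The flagged list is what a privacy officer reviews: the nurse's permitted read of a coworker's medications is the case the role check alone cannot catch.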
Investing in comprehensive HIPAA training and certification is the most effective way to close this gap. Training should cover the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Rule updates that expanded business associate liability.
Risk Analysis: The Foundation of Every Privacy Protection
No privacy protection program works without a current, thorough risk analysis. The Security Rule requires covered entities and business associates to conduct a risk analysis under 45 CFR §164.308(a)(1). This isn't a one-time event — it must be updated whenever your environment changes, new technology is implemented, or new threats emerge.
Your risk analysis identifies where PHI is stored, how it moves through your systems, and where vulnerabilities exist. Without it, every other safeguard you implement is built on guesswork.
Turning Privacy Protection Into Organizational Culture
HIPAA gives privacy protection for individuals, but that protection only exists in practice when your organization builds it into daily operations. Policies on paper don't stop breaches — trained people and enforced processes do.
Start by auditing your current privacy practices against the Privacy Rule's requirements. Verify that your Notice of Privacy Practices is current and distributed properly. Confirm that role-based access aligns with the minimum necessary standard. And ensure every workforce member — from executives to volunteers — has completed up-to-date training.
If your organization needs a structured path to compliance, HIPAA Certify's workforce compliance program provides the tools and training to protect every individual whose PHI you handle — because that's exactly who HIPAA was written for.