In 2023, OCR settled with a dental practice for $350,000 after investigators found the organization had been disclosing patient records to a third-party marketing firm without valid authorizations. The practice believed it had consent. It didn't — at least not the kind HIPAA's Privacy Rule requires. This gap between what organizations think the Privacy Rule demands and what it actually demands is one of the most persistent compliance failures I see in my work with covered entities.

What HIPAA's Privacy Rule Actually Requires

The Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes national standards for the protection of individually identifiable health information, which the rule calls protected health information (PHI). It applies to every covered entity: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, and the like).

But the Privacy Rule doesn't stop at covered entities. Since the Omnibus Rule of 2013, business associates who create, receive, maintain, or transmit PHI on behalf of a covered entity are directly liable for the Privacy Rule provisions that apply to them, including impermissible uses and disclosures and the minimum necessary standard, and a business associate's own subcontractors that handle PHI are business associates in turn. If your organization shares PHI with a billing company, cloud storage vendor, or IT service provider, those entities must comply as well.

At its core, the Privacy Rule governs three things: how PHI can be used (within your organization), how it can be disclosed (shared outside your organization), and what rights patients have over their own information. Every policy you write, every workflow you design, and every vendor relationship you maintain must align with these requirements.

The Minimum Necessary Standard Most Teams Ignore

One of the most misunderstood provisions within HIPAA's Privacy Rule is the minimum necessary standard. Under 45 CFR §164.502(b), your organization must make reasonable efforts to limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose.

In practice, this means your front desk staff shouldn't have the same level of access to medical records as your treating physicians. Your billing department needs specific data elements — not the full clinical chart. Yet in organization after organization, I find role-based access controls that are either nonexistent or configured so broadly that every employee can see everything.

OCR enforcement actions have repeatedly cited minimum necessary violations. The fix starts with a thorough risk analysis of how PHI flows through your systems and who touches it at each stage. Then you restrict access by role, document those restrictions, and audit them regularly. Keep the rule's own exceptions in mind when you audit: the standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, to uses or disclosures to the individual, or to disclosures made under a valid authorization, among others listed in §164.502(b)(2). A treating clinician with full chart access is not a finding; a billing clerk with full chart access is.
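As an added illustration of what "restrict by role, document, audit" looks like in code (this is not code from the article; the roles, field names, and sample record are constructed assumptions), the following filters a patient record down to the data elements a role needs, logs what was released and withheld, and audits the role matrix for the "everyone sees everything" misconfiguration while exempting treatment roles per §164.502(b)(2):

```python
"""Role-scoped PHI filtering with an access log and a role-matrix audit.

Added illustration for the minimum necessary standard; not code from the
article. Roles, field names, and the sample record are constructed.
"""
from datetime import datetime, timezone

# Constructed data-element categories. A real deployment would map these to
# EHR fields or FHIR resources; the names here are assumptions.
PHI_FIELDS = {
    "patient_id", "name", "dob", "phone", "insurance_id", "appointment_time",
    "dates_of_service", "diagnosis_codes", "procedure_codes",
    "clinical_notes", "lab_results", "medications",
}

# Hypothetical role-to-field matrix: each role gets only the elements its
# purpose requires. Billing gets coded data, not narrative notes or labs.
ROLE_FIELDS = {
    "front_desk": {"patient_id", "name", "dob", "phone",
                   "appointment_time", "insurance_id"},
    "billing": {"patient_id", "name", "dob", "insurance_id",
                "dates_of_service", "diagnosis_codes", "procedure_codes"},
    "treating_clinician": set(PHI_FIELDS),
}

# Roles acting for treatment fall outside the minimum necessary standard
# (45 CFR 164.502(b)(2)), so full-chart access for them is not a finding.
TREATMENT_ROLES = {"treating_clinician"}

ACCESS_LOG = []  # in-memory stand-in for a tamper-evident audit trail


def minimum_necessary(record, role, user, purpose):
    """Return the subset of `record` the role may see, and log the access.

    Unknown roles are denied outright rather than defaulting to full access.
    """
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"no access profile defined for role {role!r}")
    released = {k: v for k, v in record.items() if k in allowed}
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "patient": record.get("patient_id"),
        "released": sorted(released),
        "withheld": sorted(set(record) - set(released)),
    })
    return released


def audit_role_matrix(role_fields=ROLE_FIELDS, treatment_roles=TREATMENT_ROLES):
    """Return (role, problem) findings for the role matrix.

    Flags non-treatment roles granted every PHI element, and roles whose
    matrix names fields that do not exist (usually a typo that silently
    grants nothing or, worse, is fixed later by granting everything).
    """
    findings = []
    for role, allowed in role_fields.items():
        unknown = allowed - PHI_FIELDS
        if unknown:
            findings.append((role, "unknown fields: " + ", ".join(sorted(unknown))))
        if role not in treatment_roles and allowed >= PHI_FIELDS:
            findings.append((role, "full-chart access outside treatment"))
    return findings


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "phone": "555-0100",
    "insurance_id": "INS-123",
    "appointment_time": "2024-06-01T09:00",
    "dates_of_service": ["2024-05-01"],
    "diagnosis_codes": ["J06.9"],
    "procedure_codes": ["99213"],
    "clinical_notes": "narrative note text",
    "lab_results": [],
    "medications": [],
}


if __name__ == "__main__":
    view = minimum_necessary(SAMPLE_RECORD, "billing", "jdoe", "claim submission")
    print("billing sees:", sorted(view))
    print("last log entry:", ACCESS_LOG[-1])
    print("matrix findings:", audit_role_matrix())
```

The log entry records both what was released and what was withheld, which is what you want when an investigator asks how a role was limited in practice rather than on paper; the audit runs against the matrix itself, so it can be scheduled independently of any access.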

Patient Rights Your Organization Cannot Afford to Mishandle

The Privacy Rule grants patients a suite of rights that your workforce must understand and operationalize:

  • Right of access — Patients can request copies of their PHI, and you must respond within 30 days (with one 30-day extension if needed). OCR's Right of Access Initiative has produced over 45 enforcement actions since 2019, with penalties ranging from $3,500 to $240,000.
  • Right to amend — Patients can request corrections to their records. You can deny amendments, but only for specific reasons outlined in the rule, and you must provide a written denial.
  • Right to an accounting of disclosures — Your organization must be able to produce, on request, an accounting of certain disclosures of PHI made in the six years before the request (45 CFR §164.528). Disclosures for treatment, payment, and healthcare operations, to the individual, and under a signed authorization are among those excluded, but disclosures such as those to public health authorities or in response to a subpoena must be tracked as they happen, not reconstructed later.
  • Right to request restrictions — Patients can ask you to limit how their PHI is used or disclosed. You're generally not required to agree — except when a patient pays out of pocket in full and asks you not to disclose to their health plan.

Each of these rights requires documented policies, trained staff, and consistent execution. A single mishandled access request can trigger an OCR investigation and a costly resolution agreement.

Your Notice of Privacy Practices Is Not a Formality

Your Notice of Privacy Practices (NPP) is a regulatory requirement under 45 CFR §164.520, not a checkbox exercise. It must accurately describe how your organization uses and discloses PHI, explain patient rights, and tell patients whom to contact with questions or complaints. Any time your practices change materially, the NPP must be revised, the revised notice posted and made available on request, and, for health plans, sent to members within 60 days of the change.

Healthcare organizations consistently struggle with NPP compliance because they treat it as a one-time document. Your NPP should be reviewed annually alongside your risk analysis. If you've added telehealth services, changed business associates, or modified how you handle research data, your NPP likely needs revision.

Business Associate Agreements: Where Privacy Rule Gaps Multiply

Every relationship where a third party handles PHI on your behalf requires a business associate agreement (BAA) that meets the requirements of 45 CFR §164.504(e). Without a compliant BAA, every disclosure to that vendor is a potential HIPAA violation.

I routinely encounter organizations that have BAAs with their EHR vendor but not with their shredding company, their answering service, or their cloud-based scheduling tool. Each of these entities likely accesses PHI. A missing BAA doesn't just expose you to penalties — it fundamentally undermines your Privacy Rule compliance posture.

Maintain a current inventory of every business associate. Review each BAA annually. Confirm that your associates are conducting their own risk analyses and providing workforce training to their employees who handle your patients' data.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), every member of your workforce must receive training on your Privacy Rule policies and procedures, as necessary and appropriate for their function. This isn't limited to clinical staff. The rule's definition of workforce (45 CFR §160.103) covers employees, volunteers, trainees, and anyone else whose conduct is under your direct control, whether or not you pay them: receptionists, IT personnel, in-house janitorial staff with physical access to records, and volunteers all count, and board members who encounter PHI in their role should be trained as well. Contracted staff who are not under your direct control are covered through a business associate agreement instead.

Training must occur within a reasonable period after someone joins the workforce and whenever material changes to your policies affect how workforce members handle PHI. Annual refresher training has become an industry best practice that OCR looks favorably upon during investigations. Document who was trained, on what, and when; §164.530(b)(2)(ii) requires that documentation, and it is among the first things an investigator asks for.

Generic training slides won't meet this standard. Your training must be tailored to your organization's specific policies, workflows, and risk profile. A comprehensive HIPAA training and certification program gives your workforce the regulatory foundation they need while documenting completion for audit readiness.

Build a Privacy Rule Compliance Program That Holds Up to Scrutiny

Compliance with HIPAA's Privacy Rule isn't achieved through a single policy manual or an annual training session. It requires an integrated program: documented policies mapped to specific regulatory provisions, ongoing risk analysis, trained workforce members, audited access controls, compliant BAAs, and a responsive patient rights process.

OCR has collected over $142 million in enforcement penalties since the Privacy Rule took effect. The organizations that avoid those penalties are the ones that treat compliance as a continuous operational function rather than a project with a finish line.

Start by identifying your gaps. Conduct a thorough risk analysis. Update your NPP. Audit your business associate inventory. And invest in workforce HIPAA compliance that goes beyond surface-level awareness. Your patients — and OCR — expect nothing less.