A $4.75 Million Mistake That Started With One Misunderstood Rule
In 2022, Memorial Hermann Health System paid a $2.4 million settlement to HHS after its workforce disclosed a patient's protected health information in a press release. The staff involved likely thought they were doing their jobs. They weren't trying to break the law. But they didn't understand the Privacy Rule — and that ignorance carried a seven-figure price tag.
If you've ever searched for a privacy rule HIPAA summary, you're probably trying to make sense of the regulation without reading all 115 pages of regulatory text. I don't blame you. I've spent over a decade helping covered entities and business associates interpret this rule, and I still find sections that trip up experienced compliance officers.
This post gives you the essential summary — what the Privacy Rule actually requires, who it applies to, what rights your patients have, and where organizations keep getting burned.
What Is the HIPAA Privacy Rule? A Direct Answer
The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards for protecting individuals' medical records and other protected health information (PHI). It sets limits on who can access and disclose PHI, and it gives patients specific rights over their own health data.
HHS published the final Privacy Rule in December 2000, with most covered entities required to comply by April 14, 2003. The Office for Civil Rights (OCR) enforces it. You can read the full Privacy Rule text on HHS.gov.
Here's the part most people miss: the Privacy Rule doesn't just apply to electronic records. It covers PHI in any form — paper charts, verbal conversations, faxes, emails, text messages. If it identifies a patient and relates to their health condition, treatment, or payment, the Privacy Rule has something to say about it.
Who the Privacy Rule Actually Applies To
The rule applies to three categories of covered entities:
- Health plans — health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid
- Health care clearinghouses — entities that process nonstandard health information into standard formats
- Health care providers — any provider who transmits health information electronically in connection with certain transactions (claims, eligibility inquiries, etc.)
But it doesn't stop there. Business associates — vendors, consultants, billing companies, IT contractors — who handle PHI on behalf of a covered entity are also bound by Privacy Rule requirements through business associate agreements (BAAs).
I've seen organizations assume that outsourcing their billing means outsourcing their liability. It doesn't. If your business associate violates the Privacy Rule, OCR will investigate you both.
The Six Core Principles in Any Privacy Rule HIPAA Summary
If you're building a compliance program or training your workforce, these six principles form the backbone of the Privacy Rule. Get these right, and you'll avoid most of the landmines.
1. The Minimum Necessary Standard
When using or disclosing PHI, your organization must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. A billing clerk doesn't need to see therapy notes. A receptionist doesn't need access to lab results.
This standard trips up organizations constantly. In my experience, the biggest violations happen not because of hackers, but because of overly broad access permissions inside EHR systems.
2. Permitted Uses and Disclosures
The Privacy Rule permits covered entities to use and disclose PHI without patient authorization for three primary purposes: treatment, payment, and health care operations (TPO). Beyond TPO, there are twelve categories of permitted disclosures — including public health activities, law enforcement, and judicial proceedings — each with specific conditions attached.
Any use outside these categories requires a valid written authorization from the patient.
3. Individual Rights
Patients have powerful rights under the Privacy Rule that your staff must understand and facilitate:
- Right to access their own PHI (with limited exceptions)
- Right to request amendments to their records
- Right to an accounting of disclosures
- Right to request restrictions on certain uses and disclosures
- Right to receive a Notice of Privacy Practices
- Right to file complaints with the covered entity or directly with OCR
The right of access has become OCR's favorite enforcement target. Since 2019, OCR has settled more than 45 cases under its HIPAA Right of Access Initiative. Penalties have ranged from $3,500 to $240,000 — often for simply dragging their feet on medical record requests.
4. Notice of Privacy Practices (NPP)
Every covered entity must provide patients with a clear, written notice explaining how their PHI may be used and disclosed. Most organizations treat this as a checkbox exercise. That's a mistake. OCR investigators look at your NPP as evidence of whether you take compliance seriously.
5. Administrative Requirements
The Privacy Rule requires covered entities to designate a Privacy Officer, develop written privacy policies and procedures, and train their entire workforce on those policies. Not just clinicians — everyone. The front desk staff, the janitor with access to the building, the intern.
If you haven't built out your workforce training program yet, this is the requirement that demands it.
6. Breach Notification
While breach notification has its own rule (45 CFR §§ 164.400-414), it's deeply intertwined with the Privacy Rule. When an impermissible use or disclosure of PHI occurs, your organization must assess whether it constitutes a breach and follow specific notification procedures — to affected individuals, to HHS, and in some cases, to the media.
Where Organizations Keep Failing: Real Enforcement Actions
Theory is useful. Enforcement data is better. Here's what OCR penalties actually look like when organizations ignore the Privacy Rule.
Banner Health — $1.25 Million (2023)
Banner Health agreed to a $1.25 million settlement after a breach affecting nearly 3 million individuals. OCR's investigation found a lack of sufficient security measures — but the root failures traced back to inadequate risk analysis and Privacy Rule compliance gaps.
Oklahoma State University — Center for Health Sciences — $875,000 (2022)
OCR found that OSU-CHS failed to conduct a thorough risk analysis and didn't have adequate audit controls after a breach involving their web server. The corrective action plan required comprehensive policy overhauls and workforce training.
These aren't theoretical scenarios. These are real organizations that employed real compliance teams and still got it wrong. The common thread? Gaps in workforce training and outdated policies.
The Privacy Rule and ePHI: Where It Overlaps With Security
One of the most common misunderstandings I encounter: people think the Privacy Rule only covers paper records while the Security Rule covers electronic data. That's wrong.
The Privacy Rule covers all PHI, including ePHI. The Security Rule adds specific technical, administrative, and physical safeguards for ePHI. They work together. You can't comply with one and ignore the other.
If your organization handles patient information digitally — and in 2026, that means every organization — you need integrated training that addresses both rules simultaneously. Our HIPAA training catalog covers both Privacy and Security Rule requirements in courses designed for different workforce roles.
What a Privacy Rule HIPAA Summary Means for Your Day-to-Day Operations
Let me boil this down to what actually matters when your staff shows up on Monday morning.
Your front desk needs to know they can't discuss a patient's appointment with the patient's family member without verifying authorization. Your billing department needs to understand the minimum necessary standard before pulling records. Your IT team needs to know that Privacy Rule violations aren't just a clinical problem — a misconfigured portal that exposes patient records is a Privacy Rule issue.
And your leadership needs to understand that OCR doesn't care whether a violation was intentional. Negligence carries penalties too — up to $2,067,813 per violation category per year under the adjusted penalty tiers (as outlined in 45 CFR Part 160, Subpart D).
Three Things to Do This Week
If this privacy rule HIPAA summary revealed gaps in your organization, here are three concrete steps:
- Audit your access controls. Pull a report from your EHR showing who has access to what. Apply the minimum necessary standard ruthlessly.
- Review your Notice of Privacy Practices. When was it last updated? Does it reflect current uses of PHI, including telehealth and patient portals?
- Train your workforce. Not just new hires — everyone. Annual training is the baseline, not the ceiling. Browse our HIPAA training options to find role-specific courses that actually stick.
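As an added example (not part of the original post), here is the kind of check the first step describes: a constructed EHR access-report export is compared against a minimum-necessary role matrix, and any grant that exceeds a role's job needs is flagged, including the billing-clerk/therapy-notes and receptionist/lab-results cases mentioned earlier. The role and category names are assumptions for illustration, not terms from the regulation.

```python
import csv
import io

# Minimum-necessary policy: the PHI categories each workforce role needs for its job.
# Role and category names are assumptions for this example, not regulatory terms.
MINIMUM_NECESSARY = {
    "billing_clerk": {"demographics", "insurance", "procedure_codes"},
    "receptionist": {"demographics", "appointments"},
    "nurse": {"demographics", "appointments", "lab_results", "medications"},
    "therapist": {"demographics", "appointments", "therapy_notes"},
}

# Constructed sample of an EHR access-report export: one granted PHI category per row.
ACCESS_REPORT = """user,role,category
jdoe,billing_clerk,demographics
jdoe,billing_clerk,insurance
jdoe,billing_clerk,therapy_notes
asmith,receptionist,appointments
asmith,receptionist,lab_results
bwong,nurse,lab_results
bwong,nurse,medications
tlee,contractor,demographics
"""

def audit_access(report_csv, policy):
    """Return grants that exceed the minimum-necessary policy.

    Each finding is (user, role, category, reason). A role missing from the
    policy is itself a finding: every grant for it is unreviewed access.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        allowed = policy.get(row["role"])
        if allowed is None:
            findings.append((row["user"], row["role"], row["category"], "role not in policy"))
        elif row["category"] not in allowed:
            findings.append((row["user"], row["role"], row["category"], "exceeds minimum necessary"))
    return findings

def summarize(findings):
    """Group excess grants by user so each can be remediated in one access-change request."""
    by_user = {}
    for user, _role, category, _reason in findings:
        by_user.setdefault(user, set()).add(category)
    return {user: sorted(cats) for user, cats in by_user.items()}

if __name__ == "__main__":
    for finding in audit_access(ACCESS_REPORT, MINIMUM_NECESSARY):
        print("%-8s %-14s %-14s %s" % finding)
```

Run it against a real export and the findings list is the work queue for the access-control audit; an empty list means every grant in the report is covered by the policy.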
The Privacy Rule isn't going away. OCR's enforcement budget isn't shrinking. And patient expectations around data privacy are only increasing. The organizations that treat the Privacy Rule as a living compliance obligation — not a document they read once in 2003 — are the ones that stay out of the headlines.