In 2023, OCR settled with Yakima Valley Memorial Hospital for $240,000 after 23 security guards were found snooping through patient medical records without a legitimate work reason. The case wasn't a Security Rule matter—it was a textbook Privacy Rule failure. If your organization can't clearly answer what is the Privacy Rule responsible for protecting, incidents like this become inevitable.

What Is the Privacy Rule Responsible for Protecting? The Direct Answer

The HIPAA Privacy Rule, codified at 45 CFR Part 164, Subparts A and E, is responsible for protecting individually identifiable health information held or transmitted by a covered entity or its business associates. This information is formally known as protected health information, or PHI.

PHI isn't limited to medical diagnoses or lab results. It encompasses any information that can identify a patient and relates to their past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare services. That scope is far broader than most workforce members realize.

The 18 Identifiers That Define PHI Under the Privacy Rule

The Privacy Rule specifies 18 categories of identifiers that, when linked to health information, create PHI. Healthcare organizations consistently struggle to train their teams on the full list. Here are the identifiers your workforce must recognize:

  • Names
  • Geographic data smaller than a state
  • All dates (except year) related to an individual — birth date, admission date, discharge date, date of death
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Remove all 18 identifiers and you have de-identified data, which falls outside the Privacy Rule's protection requirements. Leave even one attached to health data, and your organization bears full compliance obligations.
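As an added illustration (example code written for this page, not code from the original article or from HIPAA Certify), the following Python sketch applies that "remove all identifiers" test to a constructed patient record: it reports which identifier categories are still present, then produces a version with identifier fields dropped, dates reduced to year only, and matching values scrubbed from free text. The field names, the regular expressions and every sample value are assumptions for the example; a production de-identification pipeline needs far broader coverage (names and addresses inside free text, for instance) than these patterns attempt.

```python
import re

# Constructed sample record for the example; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1984-03-17",
    "admit_date": "2023-11-02",
    "zip": "98902",
    "phone": "509-555-0142",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0048213",
    "ip": "10.20.30.40",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Follow-up call to 509-555-0142 scheduled.",
}

# Structured fields that map directly to an identifier category (assumed schema).
FIELD_CATEGORIES = {
    "name": "names",
    "zip": "geographic",
    "dob": "dates",
    "admit_date": "dates",
    "phone": "phone",
    "email": "email",
    "ssn": "ssn",
    "mrn": "mrn",
    "ip": "ip",
}

# Patterns for identifiers that leak into free-text fields (assumed formats).
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "dates": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "url": re.compile(r"https?://\S+"),
}


def find_identifiers(record):
    """Return the identifier categories still present anywhere in the record."""
    found = set()
    for field, value in record.items():
        if field in FIELD_CATEGORIES and value not in (None, ""):
            found.add(FIELD_CATEGORIES[field])
        if isinstance(value, str):
            for category, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    found.add(category)
    return found


def is_deidentified(record):
    """True only when no identifier category remains (the 'remove all 18' test)."""
    return not find_identifiers(record)


def deidentify(record):
    """Drop identifier fields, keep only the year of dates, and scrub free text."""
    out = {}
    for field, value in record.items():
        category = FIELD_CATEGORIES.get(field)
        if category == "dates":
            out[field + "_year"] = value[:4]      # the year alone is not an identifier
        elif category is not None:
            continue                              # drop the identifier outright
        elif isinstance(value, str):
            cleaned = value
            for pattern in VALUE_PATTERNS.values():
                cleaned = pattern.sub("[REDACTED]", cleaned)
            out[field] = cleaned
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    print("still present:", sorted(find_identifiers(SAMPLE_RECORD)))
    scrubbed = deidentify(SAMPLE_RECORD)
    print("de-identified:", is_deidentified(scrubbed), scrubbed)
```

The point of checking the scrubbed output with the same detector is that a single surviving identifier (here, the phone number repeated in the free-text note) keeps the whole record inside the Privacy Rule, exactly as the paragraph above states.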

Beyond Data: The Patient Rights the Privacy Rule Protects

Understanding what the Privacy Rule is responsible for protecting goes beyond data elements. The rule establishes a framework of individual rights that every covered entity must uphold.

Right of Access. Patients can request and obtain copies of their PHI maintained in a designated record set. OCR has pursued more than 45 enforcement actions under its Right of Access Initiative since 2019, with settlements ranging from $3,500 to $240,000.

Right to Request Amendment. Individuals may ask your organization to amend inaccurate or incomplete PHI. You can deny the request under specific conditions, but you must respond within 60 days.

Right to an Accounting of Disclosures. Patients can request a record of certain disclosures your covered entity has made of their PHI over the prior six years.

Right to Request Restrictions. Individuals can ask you to limit how you use or disclose their PHI. If a patient pays out of pocket in full, you must honor their request to restrict disclosure to a health plan.

Right to Receive a Notice of Privacy Practices. Your organization must provide a clear, written notice explaining how you use and disclose PHI, along with the individual's rights. This document isn't a formality—it's a regulatory requirement with specific content mandates.

How the Privacy Rule Limits Use and Disclosure of PHI

The Privacy Rule doesn't just define what's protected—it dictates how that protection must function day to day. Two core principles govern every use and disclosure decision at your organization.

The Minimum Necessary Standard. When using or disclosing PHI, your covered entity must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard applies to internal uses, routine disclosures, and requests for PHI from business associates. It does not apply to disclosures for treatment purposes or disclosures authorized by the patient.

Permitted vs. Required Disclosures. The Privacy Rule requires disclosure only in two scenarios: when the individual requests access to their own PHI, and when OCR conducts a compliance investigation or enforcement review. All other disclosures are either permitted under specific conditions (treatment, payment, healthcare operations, public health activities, law enforcement) or require written patient authorization.
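To make the two principles above concrete, and to tie them to the accounting-of-disclosures right described earlier, here is an added Python example (written for this page, not code from the original article or from HIPAA Certify) of a disclosure gate: required disclosures, treatment, and patient-authorized requests pass the full record, other permitted purposes are cut down to a role's minimum-necessary field set, and anything else is refused. Every decision is logged so that the patient's accounting and the privacy officer's review of refused attempts both read from the same trail. The purpose labels, the role-to-field policy, the record layout and the sample values are assumptions for the example, and treating an authorization as covering the full record is a simplification.

```python
from datetime import datetime, timezone

# Constructed sample record; all values are made up for the example.
RECORD = {
    "mrn": "MRN-0048213",
    "name": "Jane Q. Sample",
    "phone": "509-555-0142",
    "insurance_id": "HP-77120",
    "diagnosis": "Type 2 diabetes mellitus",
    "procedure_codes": ["99213"],
    "charges": 180.00,
    "appointment": "2023-11-02 09:30",
}

# Purposes the article lists as permitted without patient authorization, and the
# two it lists as required disclosures (labels assumed for this example).
PERMITTED_PURPOSES = {"treatment", "payment", "operations", "public_health", "law_enforcement"}
REQUIRED_PURPOSES = {"patient_access", "ocr_compliance_review"}

# Minimum-necessary field sets per role: an assumed local policy, not a regulatory list.
ROLE_MINIMUM_FIELDS = {
    "billing_clerk": {"mrn", "name", "insurance_id", "procedure_codes", "charges"},
    "scheduler": {"mrn", "name", "phone", "appointment"},
}

# In-memory log standing in for the disclosure audit trail.
DISCLOSURE_LOG = []


def disclose(record, requester, role, purpose, authorized=False):
    """Return the fields the requester may receive, logging every decision.

    Raises PermissionError when the purpose is not permitted or the role has
    no minimum-necessary field set for that purpose.
    """
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "role": role,
        "purpose": purpose,
        "mrn": record["mrn"],
    }
    if purpose in REQUIRED_PURPOSES or purpose == "treatment" or authorized:
        # Required disclosures, treatment, and patient-authorized disclosures sit
        # outside the minimum necessary standard (simplified here to the full record).
        fields = set(record)
    elif purpose in PERMITTED_PURPOSES:
        fields = ROLE_MINIMUM_FIELDS.get(role, set())
    else:
        fields = set()

    if not fields:
        entry["outcome"] = "denied"
        DISCLOSURE_LOG.append(entry)
        raise PermissionError(f"{role} may not receive PHI for purpose {purpose!r}")

    entry["outcome"] = "disclosed"
    entry["fields"] = sorted(fields)
    DISCLOSURE_LOG.append(entry)
    return {key: value for key, value in record.items() if key in fields}


def accounting_of_disclosures(mrn):
    """Entries a patient would receive under the right to an accounting of disclosures."""
    return [e for e in DISCLOSURE_LOG if e["mrn"] == mrn and e["outcome"] == "disclosed"]


def denied_attempts():
    """Entries a privacy officer reviews: requests with no permitted purpose."""
    return [e for e in DISCLOSURE_LOG if e["outcome"] == "denied"]


if __name__ == "__main__":
    print(disclose(RECORD, "demo_billing", "billing_clerk", "payment"))
    try:
        disclose(RECORD, "demo_visitor", "visitor", "curiosity")
    except PermissionError as err:
        print("refused:", err)
    print(accounting_of_disclosures("MRN-0048213"))
    print(denied_attempts())
```

The design choice worth noting is that the deny path is logged with the same structure as a grant: a request for a chart with no permitted purpose is exactly the kind of event the Yakima Valley case turned on, and it is only visible to a reviewer if the gate records it.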

The Workforce Training Requirement Most Organizations Underestimate

In my work with covered entities, the gap between having a privacy policy and having a workforce that understands it is enormous. The Privacy Rule at 45 CFR §164.530(b) requires that every member of your workforce receive training on your organization's privacy policies and procedures. This isn't optional, and it isn't a one-time event.

New hires must be trained before they interact with PHI. When material changes occur in your policies, retraining is required. And documentation of all training must be retained for six years. The Yakima Valley case is a sharp reminder: without consistent, role-based training, your privacy protections exist only on paper.

Investing in a structured HIPAA training and certification program is the most direct way to close this gap. Every workforce member—from front-desk staff to C-suite executives—needs to understand exactly what PHI is, how the Privacy Rule protects it, and what their personal obligations are.

Business Associate Obligations Under the Privacy Rule

The Omnibus Rule of 2013 extended Privacy Rule obligations directly to business associates and their subcontractors. If a third party creates, receives, maintains, or transmits PHI on behalf of your covered entity, they are bound by the same protections.

Your business associate agreements must specify permissible uses and disclosures of PHI, require breach notification, and mandate that the business associate implement safeguards. A HIPAA violation by your business associate can trigger enforcement action against both parties. OCR does not treat vendor relationships as a liability shield.

What Happens When Privacy Rule Protections Fail

When the protections the Privacy Rule establishes are not maintained, the consequences are concrete. Under the Breach Notification Rule, your organization must notify affected individuals, the HHS Secretary, and in breaches affecting 500 or more individuals, the media. OCR's penalty tiers range from $100 to $50,000 per violation, with annual maximums up to $2,067,813 per violation category (adjusted for inflation).

Beyond financial penalties, a breach erodes patient trust—something no corrective action plan can fully restore. Proactive compliance through ongoing risk analysis, policy enforcement, and workforce education is the only reliable defense.

Build Privacy Rule Compliance Into Your Organization's Culture

The Privacy Rule protects PHI in all its forms—paper, electronic, and oral. It protects individual rights that give patients control over their health information. And it establishes enforceable standards that your covered entity must meet every day, not just during an audit.

If your organization hasn't conducted a recent review of its privacy policies, workforce training records, or business associate agreements, now is the time. Explore HIPAA Certify's workforce compliance platform to ensure your entire team understands what the Privacy Rule demands—and how to deliver it.