In 2024, OCR settled with a New England dermatology practice for $300,640 after an investigation revealed the organization had no policies implementing the Privacy Rule's core requirements — despite having operated as a covered entity for over a decade. This wasn't an isolated case. Healthcare organizations across the country remain uncertain about what the Privacy Rule actually requires. A thorough summary of the HIPAA Privacy Rule isn't just helpful reading — it's the foundation every compliance program must be built on.
A Working Summary of the HIPAA Privacy Rule for Covered Entities
The HIPAA Privacy Rule, codified at 45 CFR Part 160 and Part 164, Subparts A and E, establishes national standards for the protection of individually identifiable health information — known as protected health information (PHI). It applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates.
The rule accomplishes three things simultaneously: it gives patients enforceable rights over their health information, it sets boundaries on how PHI can be used and disclosed, and it mandates administrative safeguards to ensure compliance. If your organization touches PHI in any form — paper, electronic, or oral — the Privacy Rule governs your operations.
Permitted Uses and Disclosures: Where Most Violations Begin
The Privacy Rule does not prohibit all sharing of PHI. It permits use and disclosure without patient authorization for three core purposes: treatment, payment, and healthcare operations (TPO). Beyond TPO, the rule identifies specific circumstances — such as public health activities, law enforcement requests, and judicial proceedings — where disclosure is permitted or required.
Every other use or disclosure requires a valid, written authorization from the patient. In my work with covered entities, the most common compliance gap is staff making disclosures they assume are permitted but that actually fall outside TPO and the enumerated exceptions. This is precisely why ongoing HIPAA training and certification is not optional — it's what prevents well-meaning employees from triggering a HIPAA violation.
The Minimum Necessary Standard Your Workforce Must Follow
One of the most misunderstood provisions in any summary of the HIPAA Privacy Rule is the minimum necessary standard. Under 45 CFR § 164.502(b), covered entities must make reasonable efforts to limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose.
This applies to internal access as well. Your front desk staff should not have the same level of access to medical records as your treating physicians. Implementing role-based access controls, limiting database queries, and training your workforce on need-to-know principles are all required — not suggested — under this standard.
Exceptions to Minimum Necessary
- Disclosures to or requests by a healthcare provider for treatment purposes
- Disclosures to the individual who is the subject of the PHI
- Uses or disclosures authorized by the individual
- Disclosures required by law or for compliance with HIPAA itself
- Disclosures to HHS for enforcement purposes
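The following is an added illustration of how the minimum necessary standard and its exceptions translate into an access-control check at the query layer; it is not code from the article or from any OCR guidance. The role-to-field profiles, purpose names, sample record and audit format are all constructed assumptions for the example.

```python
"""Minimum-necessary filtering of a PHI record by role and purpose.

Added example; the field inventory, role profiles and purpose labels below
are constructed for illustration and are not taken from the Privacy Rule text.
"""
from __future__ import annotations

# Constructed inventory of fields held in a patient record.
PHI_FIELDS = frozenset({
    "name", "dob", "mrn", "insurance_id",
    "diagnosis", "medications", "visit_notes", "billing_codes",
})

# Assumed role-based access profiles: each role is pre-approved only for the
# fields its routine duties need (the "front desk vs. treating physician" point).
ROLE_FIELDS = {
    "front_desk": frozenset({"name", "dob", "mrn", "insurance_id"}),
    "billing": frozenset({"name", "mrn", "insurance_id", "billing_codes"}),
    "physician": PHI_FIELDS,
}

# Purposes the article lists as exempt from minimum necessary. The labels are
# this example's own; the exemption categories are the ones in the list above.
EXEMPT_PURPOSES = frozenset({
    "treatment_provider",          # disclosure to / request by a provider for treatment
    "to_individual",               # disclosure to the subject of the PHI
    "individual_authorization",    # use or disclosure authorized by the individual
    "required_by_law",             # required by law or for HIPAA compliance
    "hhs_enforcement",             # disclosure to HHS for enforcement
})

# Constructed sample record (placeholder values only).
SAMPLE_RECORD = {
    "name": "Example Patient",
    "dob": "1980-01-01",
    "mrn": "MRN-EXAMPLE",
    "insurance_id": "INS-EXAMPLE",
    "diagnosis": "example diagnosis",
    "medications": ["example medication"],
    "visit_notes": "example visit note",
    "billing_codes": ["EXAMPLE-CODE"],
}


def apply_minimum_necessary(record, role, purpose, requested=None, audit=None):
    """Return (filtered_record, denied_fields) for one access request.

    - `requested` narrows the request to specific fields; None means "everything".
    - Exempt purposes receive whatever was requested (minimum necessary does
      not apply), regardless of role.
    - Otherwise the request is intersected with the role's profile; unknown
      roles have no profile and therefore receive nothing (deny by default).
    - Every decision, including the fields withheld, is appended to `audit`.
    """
    wanted = set(record) if requested is None else set(requested) & set(record)
    if purpose in EXEMPT_PURPOSES:
        allowed = wanted
    else:
        allowed = wanted & ROLE_FIELDS.get(role, frozenset())
    denied = sorted(wanted - allowed)
    if audit is not None:
        audit.append({"role": role, "purpose": purpose,
                      "granted": sorted(allowed), "denied": denied})
    return {f: record[f] for f in sorted(allowed)}, denied


def overreaching_roles(audit, min_events=2):
    """Roles that repeatedly asked for fields outside their profile.

    Only non-exempt requests count; repeated denials are a signal that a role
    profile is wrong or that workforce training on need-to-know is needed.
    """
    counts: dict[str, int] = {}
    for entry in audit:
        if entry["denied"] and entry["purpose"] not in EXEMPT_PURPOSES:
            counts[entry["role"]] = counts.get(entry["role"], 0) + 1
    return sorted(role for role, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    log: list[dict] = []
    visible, withheld = apply_minimum_necessary(
        SAMPLE_RECORD, "front_desk", "healthcare_operations", audit=log)
    print("front desk sees:", sorted(visible), "withheld:", withheld)
    visible, withheld = apply_minimum_necessary(
        SAMPLE_RECORD, "patient_portal", "to_individual", audit=log)
    print("individual sees:", sorted(visible), "withheld:", withheld)
    print("roles to review:", overreaching_roles(log))
```

The design point is that the purpose of the request, not only the requester's role, decides whether the filter applies: a patient requesting their own record through an unprivileged channel still gets the full record, while a known role asking outside its profile for a routine purpose is trimmed and the shortfall is logged for review.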
Patient Rights Under the Privacy Rule: Non-Negotiable Obligations
The Privacy Rule grants patients a suite of rights that your organization must operationalize — not merely acknowledge. These include the right to access their PHI (with a response required within 30 days), the right to request amendments, the right to an accounting of disclosures, and the right to request restrictions on certain uses.
Your organization must also provide a Notice of Privacy Practices (NPP) at the first point of service. This document must describe how PHI is used, the patient's rights, and your organization's legal duties. OCR has repeatedly cited failure to provide or update the NPP as grounds for corrective action. After the Omnibus Rule took effect in 2013, all NPPs had to be updated to reflect business associate liability and breach notification requirements — yet many organizations still operate with outdated versions.
Business Associate Requirements You Cannot Ignore
The Privacy Rule requires that any business associate — a person or entity that performs functions involving PHI on behalf of a covered entity — operate under a written business associate agreement (BAA). This agreement must specify permitted uses of PHI, require appropriate safeguards, and mandate breach reporting.
Since the Omnibus Rule, business associates are directly liable for Privacy Rule violations. OCR enforcement actions have targeted business associates independently, with penalties reaching into the millions. If your organization shares PHI with IT vendors, billing companies, cloud storage providers, or consultants, every one of those relationships requires a compliant BAA.
Administrative Requirements That Drive Day-to-Day Compliance
Beyond policies on paper, the Privacy Rule mandates specific administrative actions:
- Designate a Privacy Officer responsible for developing and implementing your organization's privacy policies and procedures.
- Conduct workforce training on Privacy Rule requirements for every member of your workforce — employees, volunteers, trainees, and contractors alike. Training must occur at onboarding and be reinforced regularly.
- Implement a sanctions policy for workforce members who violate privacy policies.
- Establish a complaint process that allows patients and staff to report privacy concerns without retaliation.
- Perform a thorough risk analysis to identify vulnerabilities in how PHI is handled across your organization.
OCR has made clear through enforcement actions that having policies is not enough — you must demonstrate that those policies are implemented, trained on, and enforced. Comprehensive workforce HIPAA compliance programs are the mechanism that transforms written policies into actual organizational behavior.
OCR Enforcement: What Happens When the Privacy Rule Is Violated
OCR enforces the Privacy Rule through complaint investigations and compliance reviews. Penalties are tiered based on the level of culpability, ranging from $137 to $68,928 per violation under the annually adjusted penalty structure, with calendar-year caps reaching $2,067,813 for willful neglect violations left uncorrected.
Between 2003 and 2024, OCR resolved over 30,000 cases resulting in corrective action or technical assistance. The agency has collected more than $142 million in settlements and civil monetary penalties. The pattern is consistent: organizations that lack documented training, current policies, and completed risk analyses face the steepest consequences.
Turning This Summary Into Action for Your Organization
A summary of the HIPAA Privacy Rule is only valuable if it drives concrete steps. Start by auditing your Notice of Privacy Practices for accuracy. Review every business associate relationship for a current BAA. Confirm that your Privacy Officer has the resources and authority to enforce policies. And invest in documented, trackable workforce training that proves your organization takes compliance seriously — not just during an OCR investigation, but every day PHI passes through your systems.