In February 2024, OCR settled with a Louisiana medical group for $480,000 after the group failed to provide a patient timely access to her own medical records — a core requirement of the HIPAA Privacy Rule. The case wasn't about a cyberattack or a massive data breach. It was about a fundamental misunderstanding of what the Privacy Rule actually demands. If your organization can't state with specificity what the HIPAA privacy rules require, you're exposed to exactly this kind of enforcement action.

What Are HIPAA Privacy Rules and Why Do They Exist?

The HIPAA Privacy Rule is codified at 45 CFR Part 164, Subparts A and E. It establishes national standards for protecting individually identifiable health information — known as protected health information (PHI) — held or transmitted by covered entities and their business associates.

Congress enacted HIPAA in 1996, but the Privacy Rule didn't take effect until April 2003. Its purpose is straightforward: give patients rights over their health information while setting boundaries on how healthcare organizations use and disclose that information.

The Privacy Rule applies to every covered entity — health plans, healthcare clearinghouses, and healthcare providers who conduct electronic transactions — as well as every business associate that handles PHI on their behalf.

The Six Core Provisions Your Organization Must Follow

Understanding what HIPAA privacy rules require means breaking the regulation into its operational components. Here are the six provisions I see organizations struggle with most frequently.

1. Permitted Uses and Disclosures of PHI

The Privacy Rule permits covered entities to use and disclose PHI without patient authorization for treatment, payment, and healthcare operations (TPO). Beyond TPO, there are twelve categories of permissible disclosures — including public health activities, law enforcement purposes, and disclosures required by law. Every other use or disclosure requires a valid written authorization from the patient.

2. The Minimum Necessary Standard

When using or disclosing PHI, your organization must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard applies to internal uses, routine disclosures, and requests for PHI. It does not apply to disclosures made for treatment purposes or those authorized by the patient.

3. Patient Rights Under the Privacy Rule

Patients have the right to access and obtain copies of their PHI, request amendments, receive an accounting of disclosures, and request restrictions on certain uses. The access right is the single most enforced provision in OCR's history. OCR launched its HIPAA Right of Access Initiative in 2019 and, through 2024, settled more than 45 cases — with penalties ranging from $3,500 to $240,000 — for failures to provide timely access.

4. Notice of Privacy Practices

Every covered entity must develop, distribute, and maintain a Notice of Privacy Practices (NPP) that describes how the entity uses and discloses PHI, outlines patient rights, and explains how individuals can file complaints. Healthcare providers with a direct treatment relationship must make a good-faith effort to obtain a written acknowledgment of receipt from every patient.

5. Business Associate Agreements

If your organization shares PHI with vendors, contractors, or service providers, you must execute a business associate agreement (BAA) before any disclosure occurs. The BAA must specify permissible uses, require the business associate to implement safeguards, and mandate breach reporting. The Omnibus Rule of 2013 made business associates directly liable for Privacy Rule violations — a shift many organizations still haven't fully absorbed.

6. Administrative Requirements

The Privacy Rule mandates that covered entities designate a privacy officer, implement privacy policies and procedures, and provide workforce training on those policies. These aren't suggestions. OCR has cited deficient training programs in multiple enforcement actions, including the $4.3 million settlement with the University of Texas MD Anderson Cancer Center.

The Workforce Training Requirement Most Organizations Underestimate

Section 164.530(b) of the Privacy Rule requires that every member of your workforce — employees, volunteers, trainees, and contractors under your direct control — receive training on your privacy policies and procedures. Training must occur at onboarding and whenever material changes are made to policies.

In my work with covered entities, I consistently find that organizations either skip refresher training or rely on generic slide decks that don't address their specific privacy practices. OCR investigators ask for training records during every compliance review. If you can't produce documentation showing who was trained, when, and on what content, your organization is at risk.

Investing in a structured HIPAA training and certification program gives your workforce the regulatory knowledge they need while creating the audit trail OCR expects to see.

Common HIPAA Privacy Rule Violations That Trigger OCR Enforcement

OCR's enforcement data reveals clear patterns. The most frequently investigated violations include:

  • Impermissible disclosures of PHI — sharing patient information without authorization or a valid legal basis
  • Failure to provide patient access — exceeding the 30-day response window or charging excessive fees
  • Lack of safeguards — leaving PHI visible on screens, in open areas, or in unsecured communications
  • Missing or outdated BAAs — allowing business associates to access PHI without contractual protections
  • Insufficient risk analysis — failing to conduct and document a thorough assessment of threats to PHI

OCR has imposed more than $142 million in HIPAA penalties since the enforcement program began. Civil monetary penalties under the HITECH Act's tiered structure can reach $2,067,813 per violation category per year, adjusted annually for inflation.

Practical Steps to Strengthen Privacy Rule Compliance

If your compliance program needs an upgrade, start with these five actions:

  • Conduct a comprehensive risk analysis that covers all forms of PHI — electronic, paper, and oral
  • Review and update your Notice of Privacy Practices to reflect current uses, disclosures, and patient rights
  • Audit your business associate inventory and confirm every vendor relationship is covered by a current BAA
  • Implement role-based access controls that enforce the minimum necessary standard across your systems
  • Document every training session with dates, attendee names, and content summaries

Building a culture of compliance starts at the top. Organizations that embed privacy awareness into daily operations — not just annual check-the-box exercises — consistently perform better during OCR investigations.

Turn Awareness Into Action Across Your Workforce

Understanding what the HIPAA privacy rules require is the first step. Operationalizing them across every department, every role, and every vendor relationship is what separates compliant organizations from those facing corrective action plans and six-figure settlements.

Your privacy officer can't carry this alone. Every workforce member who touches PHI needs to understand their obligations under the Privacy Rule. A centralized workforce HIPAA compliance platform ensures consistent training, tracks completion, and gives your leadership team the documentation they need when OCR comes calling.

The Privacy Rule isn't going away, and OCR's enforcement appetite is only growing. The organizations that take compliance seriously now are the ones that avoid becoming the next cautionary tale on HHS.gov.