In 2023, OCR settled with a dental practice for $350,000 after it disclosed a patient's protected health information to a media outlet without authorization. The practice's leadership later admitted they had never conducted formal workforce training on permissible disclosures. This case illustrates exactly why every covered entity needs a thorough understanding of the foundational regulation at the heart of HIPAA. So what is the HIPAA Privacy Rule, and what does it actually require of your organization on a day-to-day basis?

What Is the HIPAA Privacy Rule and Why Does It Exist?

The HIPAA Privacy Rule — codified at 45 CFR Part 160 and Part 164, Subparts A and E — establishes national standards for the protection of individually identifiable health information. It was finalized in 2000 and has been amended multiple times, most significantly by the Omnibus Rule of 2013.

At its core, the Privacy Rule governs how covered entities and their business associates use and disclose protected health information (PHI). It applies to health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with covered transactions.

Note the correct spelling: it's HIPAA, not "HIPPA." The acronym stands for the Health Insurance Portability and Accountability Act of 1996. "HIPPA privacy rule" is one of the most common misspellings in healthcare compliance searches — but the requirements are the same regardless of how you spell it.

The Core Requirements Your Organization Must Meet

The Privacy Rule isn't a single obligation. It's a framework of interlocking requirements. Here are the ones that generate the most OCR enforcement actions.

Permissible Uses and Disclosures of PHI

Your covered entity may use or disclose PHI without patient authorization only in specific circumstances — primarily for treatment, payment, and healthcare operations. Disclosures for marketing, sale of PHI, and most research purposes require written patient authorization. OCR has repeatedly penalized organizations that treated these boundaries as suggestions rather than mandates.

The Minimum Necessary Standard

When using or disclosing PHI, your organization must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard applies to internal uses, routine disclosures, and requests for PHI from other entities. The only exception: disclosures for treatment purposes, which are exempt from the minimum necessary requirement.

Notice of Privacy Practices

Every covered entity that provides direct treatment must give patients a Notice of Privacy Practices (NPP) at the first point of service. The NPP must describe how PHI may be used and disclosed, the patient's rights, and the entity's legal duties. Healthcare organizations consistently struggle with keeping their NPP current — especially after regulatory updates like those proposed in the 2021 HIPAA Privacy Rule NPRM.

Patient Rights Under the Privacy Rule

The Privacy Rule grants patients a suite of enforceable rights over their health information:

  • Right of Access: Patients can request and obtain copies of their PHI. OCR's Right of Access Initiative, launched in 2019, has resulted in over 45 enforcement actions and settlements totaling millions of dollars.
  • Right to Amend: Patients may request corrections to their medical records.
  • Right to an Accounting of Disclosures: Patients can request a record of certain disclosures made by the covered entity.
  • Right to Request Restrictions: Patients can ask that certain uses or disclosures be limited, though the entity is not always required to agree.
  • Right to Confidential Communications: Patients can request that communications occur through alternative means or at alternative locations.

Business Associate Obligations Under the Privacy Rule

If your organization shares PHI with vendors, consultants, or contractors, those entities likely qualify as business associates. The Omnibus Rule extended direct liability for Privacy Rule violations to business associates — meaning your billing company, cloud hosting provider, or IT vendor can face OCR enforcement independently.

Every business associate relationship must be governed by a written business associate agreement (BAA) that specifies permissible uses of PHI, requires appropriate safeguards, and mandates breach reporting. In my work with covered entities, missing or outdated BAAs remain one of the most common compliance gaps discovered during risk analysis.

The Workforce Training Requirement Most Organizations Underestimate

Section 164.530(b) of the Privacy Rule requires covered entities to train all workforce members on the entity's privacy policies and procedures. "Workforce" under HIPAA includes employees, volunteers, trainees, and anyone under the organization's direct control — regardless of whether they are paid.

Training must occur at onboarding and whenever material changes are made to policies. Yet OCR investigations routinely reveal organizations that train staff once and never revisit the curriculum. If your workforce hasn't completed current HIPAA training and certification, your organization is exposed — not just to regulatory penalties, but to the preventable HIPAA violations that stem from uninformed staff.

Enforcement: What Happens When the Privacy Rule Is Violated

OCR enforces the HIPAA Privacy Rule through investigations triggered by complaints, breach reports, and compliance reviews. Penalties are tiered based on the level of culpability:

  • Tier 1 (Lack of Knowledge): $137 to $68,928 per violation
  • Tier 2 (Reasonable Cause): $1,379 to $68,928 per violation
  • Tier 3 (Willful Neglect, Corrected): $13,785 to $68,928 per violation
  • Tier 4 (Willful Neglect, Not Corrected): $68,928 per violation, up to ~$2,067,813 per calendar year for identical provisions

These penalty amounts are adjusted annually for inflation. The most severe cases are referred to the Department of Justice for criminal prosecution, with penalties including fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for personal gain.

Practical Steps to Strengthen Your Privacy Rule Compliance

Understanding what the HIPAA Privacy Rule requires is necessary — but it's not sufficient. Your organization needs to operationalize compliance through concrete actions:

  • Conduct a thorough risk analysis that covers both the Privacy Rule and Security Rule.
  • Update your Notice of Privacy Practices to reflect current regulatory requirements.
  • Audit all business associate agreements for completeness and currency.
  • Implement minimum necessary policies with role-based access controls.
  • Ensure your entire workforce — including volunteers and contractors — completes regular privacy training.

Building a culture of compliance doesn't happen through policies alone. It requires ongoing education and accountability at every level of your organization. HIPAA Certify's workforce compliance platform provides a structured approach to meeting these requirements, from initial training through ongoing certification tracking.

The Privacy Rule Is the Floor, Not the Ceiling

State laws in California, Texas, Washington, and others impose additional privacy obligations that may exceed HIPAA's requirements. Under HIPAA's preemption doctrine, the more stringent standard applies. Your compliance program must account for both federal and state-level obligations rather than assuming that meeting the Privacy Rule alone is sufficient.

OCR has signaled through recent enforcement trends that passive compliance — checking boxes without genuine operational controls — will not withstand scrutiny. Your organization's best defense is an informed workforce, documented policies, and a commitment to treating patient privacy as an ongoing operational priority.