In 2023, a dermatology practice in Massachusetts paid $150,000 to the Office for Civil Rights after a patient's medical photographs were disclosed to a reporter without authorization. The practice had no written policies governing how it handled patient images. That single gap — a missing privacy policy — turned a careless moment into a federal enforcement action. If you've ever wondered what is the Privacy Rule for HIPAA, that settlement is a sharp place to start.

The Privacy Rule is the federal regulation that tells every covered entity in the United States exactly what it can and cannot do with a patient's protected health information. It's not a suggestion. It's not a best practice. It's law, and the Office for Civil Rights at HHS enforces it with real penalties.

I've spent years helping organizations — from solo dental offices to multi-state health systems — understand and apply this rule. Here's what you actually need to know.

What Is the Privacy Rule for HIPAA, Exactly?

The HIPAA Privacy Rule is a set of federal standards published under the Health Insurance Portability and Accountability Act of 1996. It establishes national standards for how protected health information (PHI) — in any form, whether paper, electronic, or spoken aloud — must be used, disclosed, and safeguarded.

The rule applies to three categories of organizations known as covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. It also extends to business associates — the vendors, billing companies, and IT contractors who handle PHI on behalf of those covered entities.

In plain terms, the Privacy Rule answers one question: who is allowed to see, use, or share a patient's health information, and under what circumstances?

The Six Things the Privacy Rule Actually Requires

I've audited dozens of organizations that thought they were compliant because they locked a filing cabinet. The Privacy Rule goes much further. Here are its core requirements.

1. Limits on How PHI Is Used and Disclosed

Covered entities may only use or disclose PHI for treatment, payment, and healthcare operations without patient authorization. Outside of those purposes — and a handful of narrowly defined exceptions like public health reporting — you need the patient's written authorization. Period.

2. The Minimum Necessary Standard

When your organization does use or share PHI, you must limit what you share to the minimum amount necessary to accomplish the task. Your billing team doesn't need the clinical notes. Your front desk staff doesn't need the diagnosis. This standard is violated constantly, and OCR knows it.

3. Patient Rights

The Privacy Rule grants patients a bundle of specific rights over their own health information. They can request access to their medical records. They can request amendments. They can ask for an accounting of disclosures — a log of who their PHI has been shared with and why. They can request restrictions on certain uses. These aren't optional courtesies; they're enforceable rights.

4. Notice of Privacy Practices

Every covered entity must provide patients with a Notice of Privacy Practices (NPP) that explains, in clear language, how their PHI may be used, what their rights are, and how to file a complaint. Most organizations post this on their website and hand it out at intake. But I've seen plenty of practices with notices that haven't been updated since 2013. That's a problem.

5. Administrative Safeguards

You must designate a privacy officer, train your entire workforce on privacy policies, and implement administrative procedures to protect PHI. This isn't about technology — it's about people and processes. Who is responsible? What's the procedure when something goes wrong? If you can't answer those questions, you're not compliant.

6. Business Associate Agreements

If any outside vendor touches PHI on your behalf — your EHR vendor, your shredding company, your cloud storage provider — you need a signed business associate agreement (BAA) in place before they access a single record. No BAA means you're liable for whatever they do with that data.

The $5.55 Million Mistake: When Privacy Rule Violations Add Up

In 2017, Memorial Healthcare System in Florida agreed to a $5.5 million settlement with OCR after employees impermissibly accessed the ePHI of 115,143 patients. The root cause? Insufficient access controls and a failure to regularly review who had access to what information.

That case didn't involve a hacker. It involved employees logging into systems they had no legitimate reason to access. The Privacy Rule's minimum necessary standard existed to prevent exactly this kind of breach — and Memorial Healthcare System hadn't enforced it.

In my experience, internal snooping is one of the most common and most preventable Privacy Rule violations. Staff curiosity about a celebrity patient, a neighbor, or even a coworker's medical records leads to real enforcement actions every year.

Who Must Follow the Privacy Rule?

This question comes up constantly. Here's the direct answer.

Covered entities must follow the Privacy Rule. That means:

  • Health plans (insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid)
  • Healthcare clearinghouses (entities that process nonstandard health information into standard formats)
  • Healthcare providers who conduct certain electronic transactions (doctors, hospitals, pharmacies, clinics, dentists, psychologists)

Business associates — organizations that perform functions or services involving PHI on behalf of a covered entity — must also comply. The 2013 Omnibus Rule made that crystal clear.

If your organization falls into either category and you haven't trained your workforce on Privacy Rule requirements, you're already behind. Our HIPAA training catalog covers exactly what your staff needs to know.

How the Privacy Rule Differs from the Security Rule

People conflate these two constantly. Here's the distinction.

The Privacy Rule governs all forms of PHI — paper records, verbal conversations, electronic data, faxes, everything. It defines who can access information and when.

The Security Rule is narrower. It applies only to electronic protected health information (ePHI) and specifies the technical, physical, and administrative safeguards required to protect it. Think encryption, access controls, audit logs.

You need both. But the Privacy Rule is the foundation. Without clear privacy policies, even the best firewall in the world won't save you from an OCR investigation.

What Happens When You Violate the Privacy Rule

OCR uses a tiered penalty structure based on the level of negligence involved. Under the HIPAA enforcement rule at 45 CFR Part 160, Subpart D, penalties can range from $137 per violation for unknowing infractions up to nearly $2.2 million per violation category per year for willful neglect left uncorrected.

And those are just the civil penalties. State attorneys general can bring their own enforcement actions. Criminal penalties — pursued by the Department of Justice — can result in fines up to $250,000 and prison time up to 10 years for offenses committed with intent to sell or use PHI for personal gain.

These aren't theoretical risks. OCR has collected over $142 million in HIPAA enforcement actions since 2003. Every dollar came from an organization that believed it was doing enough.

Three Privacy Rule Gaps I See in Almost Every Audit

After years of doing this work, certain patterns repeat themselves. Here are the three most common Privacy Rule failures I encounter.

Outdated or Missing Notices of Privacy Practices

Your NPP should reflect your current operations, including telehealth capabilities, patient portal access, and any state-specific privacy requirements. If yours still references pre-2013 language, it needs an overhaul.

No Workforce Training — or One-and-Done Training

The Privacy Rule requires that you train every member of your workforce — not just clinicians, but administrative staff, volunteers, and even student interns. Training must happen at onboarding and be refreshed regularly. A single training session from five years ago doesn't meet the standard. Our workforce training programs are built to address exactly this gap.

Verbal PHI Disclosures

Check-in desks where staff call out patient names and diagnoses in crowded waiting rooms. Nurses discussing cases in elevators. Doctors leaving voicemails with detailed clinical information. The Privacy Rule covers spoken PHI, and these everyday moments are where most organizations fall short.

How to Build Real Privacy Rule Compliance

Compliance isn't a binder on a shelf. It's a living system. Here's what that looks like in practice.

Appoint a privacy officer. This person owns your privacy policies, handles patient complaints, and manages breach response. In small practices, this can be a dual role — but someone must own it.

Conduct a risk assessment. You can't protect what you haven't identified. Map every place PHI lives in your organization — every system, every filing cabinet, every email thread.

Write clear policies. Cover use and disclosure, minimum necessary, patient rights, breach notification, and business associate management. Then train your staff on those policies.

Train continuously. Annual training is the minimum. Incident-driven refreshers — after a near-miss or a policy change — are what separate compliant organizations from the ones writing settlement checks. Explore the HIPAA training options that fit your organization's size and risk profile.

Document everything. OCR doesn't just ask whether you followed the Privacy Rule. They ask you to prove it. If it's not documented, it didn't happen.

The Bottom Line on the HIPAA Privacy Rule

The Privacy Rule isn't some abstract regulatory concept. It's the framework that determines whether your patients can trust you with their most sensitive information. Every covered entity and every business associate must understand it — not in theory, but in the daily decisions their workforce makes about who sees what, when, and why.

The organizations that get this right don't just avoid fines. They build the kind of operational discipline that protects their patients and their reputation. The ones that don't? They end up on OCR's wall of resolution agreements, wishing they'd started sooner.

Start now. Your patients — and your bottom line — will thank you.