In 2023, OCR settled with a medical practice for $50,000 after an unauthorized employee accessed patient records with no treatment, payment, or operational justification. The employee was curious about a neighbor's diagnosis. That single act of snooping triggered a breach investigation and a corrective action plan that consumed months of staff time. It also raised the question every healthcare organization must answer clearly: who can have access to a patient's PHI, and under what circumstances?
Who Can Have Access to a Patient's PHI: What the Privacy Rule Actually Says
The HIPAA Privacy Rule at 45 CFR § 164.502 establishes the foundational principle: a covered entity may use or disclose protected health information only as the rule specifically permits or requires. PHI does not become accessible simply because someone works in a healthcare setting.
There are three broad categories of people who may be given access (the patient, the workforce, and business associates), plus a separate set of disclosures the rule permits without the patient's authorization. Understanding each one, and its boundaries, is the difference between a compliant workforce and an OCR enforcement target.
1. The Patient Themselves
Under 45 CFR § 164.524, individuals have the right to inspect and obtain a copy of their own PHI held in a designated record set. OCR has made this a top enforcement priority, issuing over $2 million in penalties since 2019 under its Right of Access Initiative alone. Your organization must act on a request no later than 30 days after receiving it, with one 30-day extension permitted if you give the individual a written statement of the reason for the delay. You may require requests to be in writing only if you have told individuals of that requirement.
A personal representative (someone with legal authority to act for the patient, such as a parent of a minor or a holder of a health care power of attorney) is treated as the individual under 45 CFR § 164.502(g) and exercises the right of access directly. Anyone else, such as a family member or attorney, needs a valid HIPAA authorization that meets the requirements of 45 CFR § 164.508, or the patient can direct in a signed written request that a copy be sent to that person under § 164.524(c)(3)(ii).
2. Workforce Members With a Legitimate Need
Physicians, nurses, billing staff, and other workforce members may access PHI when it is necessary for treatment, payment, or healthcare operations (TPO). But "workforce member" under HIPAA extends beyond employees — it includes volunteers, trainees, and anyone under your organization's direct control.
The critical constraint here is the minimum necessary standard at 45 CFR § 164.502(b), implemented through § 164.514(d). Your covered entity must identify which workforce roles need access to which categories of PHI and make reasonable efforts to limit each role to the minimum needed for its tasks. A billing specialist processing a claim does not need access to psychotherapy notes. A front-desk coordinator confirming an appointment does not need full lab results. One caveat practitioners often miss: disclosures to, and requests by, a health care provider for treatment are exempt from the minimum necessary standard (§ 164.502(b)(2)(i)), but your internal role-to-data mapping for workforce access still applies.
In my work with covered entities, I consistently find that role-based access controls are implemented at the technology level but never reviewed after initial setup. Staff roles change. Departments merge. Access permissions drift. Annual reviews of access levels are not optional — they are part of ongoing compliance.
3. Business Associates Performing Services on Your Behalf
A business associate — a third-party vendor that creates, receives, maintains, or transmits PHI on behalf of your covered entity — may access patient PHI, but only under a signed business associate agreement (BAA) as required by 45 CFR § 164.502(e). Cloud storage providers, billing companies, IT service firms, transcription services, and EHR vendors all fall into this category.
The BAA must meet the content requirements of 45 CFR § 164.504(e): specify the permitted uses and disclosures, require the business associate to safeguard PHI and comply with the Security Rule for ePHI, require it to report breaches of unsecured PHI to you (§ 164.410), and flow the same obligations down to its subcontractors. Without a written BAA, any disclosure of PHI to that vendor is a HIPAA violation, regardless of whether the vendor actually mishandles the data.
Disclosures That Don't Require Patient Authorization
The Privacy Rule at 45 CFR § 164.512 permits disclosures without patient authorization in specific situations. These include:
- Public health activities (§ 164.512(b)) — reporting communicable diseases to state health departments
- Judicial, administrative, and law enforcement purposes (§ 164.512(e) and (f)) — court orders, subpoenas accompanied by the required assurances, and administrative requests that meet the rule's conditions
- Workers' compensation (§ 164.512(l)) — disclosures necessary to comply with workers' comp laws
- Health oversight activities (§ 164.512(d)) — audits, investigations, and inspections by agencies like OCR itself
- Averting a serious threat (§ 164.512(j)) — disclosures necessary to prevent or lessen a serious and imminent threat to health or safety
Each exception has specific conditions. "Permitted" does not mean "unlimited." Your workforce needs to understand these boundaries in practice, not just in theory.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR § 164.530(b), every covered entity must train all workforce members on its PHI policies and procedures as necessary and appropriate for their functions. New hires must be trained within a reasonable period after joining the workforce; the safer operational practice, and the one OCR expects to see in your policies, is to train them before they are given access to PHI. When a material change in your policies or procedures affects a person's job (a new EHR workflow, a revised Notice of Privacy Practices, an updated breach response protocol) retraining is required within a reasonable period, and every training event must be documented (§ 164.530(b)(2)(ii)).
OCR investigations routinely uncover that organizations have either no training documentation or training that was last delivered years ago. If your organization cannot demonstrate that each workforce member received HIPAA training relevant to their role, your compliance posture has a significant gap.
Structured HIPAA training and certification programs solve this by providing documented, role-specific education that satisfies the Privacy Rule's training mandate. The documentation alone — proof of completion, dates, topics covered — can be decisive during an OCR investigation.
How to Restrict PHI Access in Practice
Knowing who can have access to a patient's PHI is only useful if your organization enforces those boundaries. Here are the operational controls that matter most:
- Implement role-based access controls (RBAC) in your EHR and all systems containing PHI. Map each job function to the minimum data elements required.
- Conduct regular access audits. The Security Rule's audit controls standard at 45 CFR § 164.312(b) requires mechanisms that record and examine activity in systems containing ePHI, and the information system activity review requirement at § 164.308(a)(1)(ii)(D) requires your organization to actually review those logs, not just retain them.
- Terminate access immediately when workforce members change roles or leave the organization, as required by the termination procedures at 45 CFR § 164.308(a)(3)(ii)(C). Delayed deprovisioning is one of the most common findings in breach investigations.
- Require BAAs before any vendor engagement involving PHI. No exceptions, no verbal agreements, no retroactive signing.
- Train continuously, not just at onboarding. Annual refresher training reinforces boundaries and addresses new threat vectors like phishing and social engineering.
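The controls above, and the minimum necessary mapping discussed earlier, only work if someone turns the audit trail into findings. The following is an added example, not code from the original article or from any EHR product, of the kind of log review a security engineer would run: it joins constructed access-log entries against a role-to-data-class policy, a care-relationship table, and an HR roster, and flags three things OCR investigations keep turning up: access outside a role's entitlement, clinical lookups with no treatment relationship (the snooping pattern from the opening anecdote), and use of an account after its termination date. The JSON log format, the 90-day relationship window, and every name, role, and patient ID are assumptions made for the example.

```python
"""
PHI access-log review (added example; constructed data throughout).

Flags uses of PHI that fall outside a role's minimum-necessary entitlement,
clinical lookups with no documented treatment relationship, and access by
accounts that should already have been deprovisioned. The log format, policy
table, care-team table and HR roster are all invented for illustration.
"""
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Minimum-necessary policy: for each role, the data classes that role needs
# for its job. Anything not listed is denied by default.
ROLE_POLICY = {
    "physician":  {"demographics", "encounter_notes", "lab_results", "medications", "psychotherapy_notes"},
    "nurse":      {"demographics", "encounter_notes", "lab_results", "medications"},
    "billing":    {"demographics", "claims", "diagnosis_codes"},
    "front_desk": {"demographics", "appointments"},
}

# Roles whose lookups must be backed by a treatment relationship with the patient.
CLINICAL_ROLES = {"physician", "nurse"}
RELATIONSHIP_WINDOW = timedelta(days=90)   # assumed policy value

# HR roster (constructed). 'terminated' is the last day worked, or None.
ROSTER = {
    "dr.patel":  {"role": "physician",  "terminated": None},
    "rn.lopez":  {"role": "nurse",      "terminated": None},
    "bill.chen": {"role": "billing",    "terminated": None},
    "fd.jones":  {"role": "front_desk", "terminated": None},
    "rn.smith":  {"role": "nurse",      "terminated": date(2024, 3, 1)},
}

# (user, patient) -> date of the most recent (or next scheduled) encounter (constructed).
CARE_RELATIONSHIPS = {
    ("dr.patel", "P1001"): date(2024, 3, 4),
    ("rn.lopez", "P1001"): date(2024, 3, 4),
    ("dr.patel", "P1002"): date(2023, 9, 10),   # last seen about six months ago
}

# Constructed audit-log lines, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2024-03-05T09:12:00", "user": "dr.patel",  "patient": "P1001", "data_class": "lab_results"}
{"ts": "2024-03-05T09:15:00", "user": "rn.lopez",  "patient": "P1001", "data_class": "medications"}
{"ts": "2024-03-05T10:02:00", "user": "bill.chen", "patient": "P1001", "data_class": "claims"}
{"ts": "2024-03-05T10:03:00", "user": "bill.chen", "patient": "P1001", "data_class": "psychotherapy_notes"}
{"ts": "2024-03-05T11:40:00", "user": "rn.lopez",  "patient": "P1003", "data_class": "encounter_notes"}
{"ts": "2024-03-05T12:00:00", "user": "dr.patel",  "patient": "P1002", "data_class": "encounter_notes"}
{"ts": "2024-03-06T08:30:00", "user": "rn.smith",  "patient": "P1001", "data_class": "lab_results"}
{"ts": "2024-03-06T08:45:00", "user": "fd.jones",  "patient": "P1001", "data_class": "lab_results"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    patient: str
    detail: str


def review_access_log(log_lines, role_policy, care_relationships, roster):
    """Return a list of Findings for every log entry that needs human review."""
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        user, patient = ev["user"], ev["patient"]
        ts = datetime.fromisoformat(ev["ts"])

        # Deprovisioning check: unknown accounts and any use after the last day worked.
        person = roster.get(user)
        if person is None:
            findings.append(Finding("unknown_account", user, patient, "no HR record for account"))
            continue
        if person["terminated"] is not None and ts.date() > person["terminated"]:
            findings.append(Finding("post_termination_access", user, patient,
                                    f"terminated {person['terminated']}, accessed {ts.date()}"))
            continue

        # Minimum-necessary check: data class must be in the role's entitlement set.
        role = person["role"]
        if ev["data_class"] not in role_policy.get(role, set()):
            findings.append(Finding("outside_role_entitlement", user, patient,
                                    f"role {role} is not entitled to {ev['data_class']}"))

        # Snooping check: clinical roles need an encounter within the window
        # (a negative difference means an upcoming scheduled encounter, which counts).
        if role in CLINICAL_ROLES:
            last = care_relationships.get((user, patient))
            if last is None or abs(ts.date() - last) > RELATIONSHIP_WINDOW:
                findings.append(Finding("no_treatment_relationship", user, patient,
                                        "no encounter within window" if last else "no care relationship on file"))
    return findings


def summarize(findings):
    """Count findings per rule, for the reviewer's summary and for trend tracking."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG.splitlines(), ROLE_POLICY, CARE_RELATIONSHIPS, ROSTER)
    for f in results:
        print(f"{f.rule:28} {f.user:10} {f.patient}  {f.detail}")
    print(summarize(results))
```

Two design choices matter here. The policy is deny-by-default: a role not in the table, or a data class not listed for a role, is a finding, which is the only way a mapping stays honest as roles drift. And the treatment-relationship check is a review trigger, not a block: clinicians legitimately look up patients they have not seen before (consults, covering a colleague), so the output is a queue for a privacy officer to clear with the user, not an automatic sanction.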
What Happens When the Wrong Person Accesses PHI
Unauthorized access to PHI is presumed to be a breach under the Breach Notification Rule at 45 CFR §§ 164.400–414 unless your organization can demonstrate through the four-factor risk assessment in § 164.402 that there is a low probability the PHI was compromised. Workforce snooping does not fit the rule's good-faith exceptions. If you cannot make that demonstration, you must notify affected individuals without unreasonable delay and no later than 60 days after discovery, report to HHS (within 60 days of discovery for breaches affecting 500 or more individuals, otherwise in an annual log submitted within 60 days after the end of the calendar year), and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area.
OCR penalties for HIPAA violations range from $141 per violation (where the entity was unaware) to over $2 million per violation category per year for willful neglect. Beyond financial penalties, corrective action plans can mandate years of external monitoring.
The most preventable breaches are internal. Snooping, over-permissioned accounts, and untrained staff account for a significant share of OCR investigations. Proactive workforce compliance through a platform like HIPAA Certify directly addresses the root cause of these incidents.
Build a Culture Where PHI Access Is Intentional
Understanding who can have access to a patient's PHI is not a one-time policy exercise — it is an ongoing operational discipline. Your risk analysis must account for access patterns. Your training must address real scenarios. Your technology must enforce the minimum necessary standard at every point of access.
Every workforce member who touches PHI should be able to answer one question: "Why do I need this specific information for this specific task?" If they cannot answer that clearly, the access should not exist.