HIPAA Privacy Rule
Complete Guide to PHI Protection
The HIPAA Privacy Rule establishes national standards for protecting individuals' medical records and other personal health information. Learn what PHI is, who can access it, and what patient rights must be protected.
What is Protected Health Information (PHI)?
PHI is any individually identifiable health information created, received, maintained, or transmitted by a covered entity. This includes information in any form—electronic, paper, or oral.
Identifiers: Names, addresses, SSN, phone numbers, email, medical record numbers
Demographics: Date of birth, age, gender, race, ethnicity
Health Data: Diagnoses, treatments, medications, lab results, mental health records
Financial: Insurance info, payment history, account numbers
Biometrics: Fingerprints, photographs, voice recordings
18 HIPAA Identifiers
HIPAA defines 18 specific identifiers that make health information "individually identifiable." To de-identify data, all 18 must be removed using Safe Harbor or Expert Determination methods.
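The following is an added example, not part of the original page, showing what Safe Harbor de-identification looks like when applied to a record. The 18 identifier categories are the ones enumerated in 45 CFR 164.514(b)(2); the record schema, the field names, the sample patient data and the notes text are all constructed for this example, and the RESTRICTED_ZIP3 set is a placeholder (HHS publishes the actual list of 3-digit ZIP prefixes covering 20,000 or fewer people). The residual_hits check at the end is the kind of post-processing test a practitioner would run to confirm nothing identifying slipped through in free text.

```python
"""Safe Harbor de-identification of a constructed patient record (added example)."""
import re

# The 18 Safe Harbor identifier categories, 45 CFR 164.514(b)(2).
SAFE_HARBOR_CATEGORIES = (
    "names",
    "geographic subdivisions smaller than a state (first 3 ZIP digits may remain)",
    "all elements of dates except year; ages over 89 aggregated to 90 or older",
    "telephone numbers",
    "fax numbers",
    "email addresses",
    "social security numbers",
    "medical record numbers",
    "health plan beneficiary numbers",
    "account numbers",
    "certificate/license numbers",
    "vehicle identifiers and serial numbers, including license plates",
    "device identifiers and serial numbers",
    "web URLs",
    "IP addresses",
    "biometric identifiers, including finger and voice prints",
    "full-face photographs and comparable images",
    "any other unique identifying number, characteristic, or code",
)

# Field names of the constructed example record. This schema is an assumption
# made for the example, not a standard layout.
DROP_FIELDS = frozenset({
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn", "plan_id",
    "account", "license", "vin", "device_serial", "url", "ip", "fingerprint", "photo",
})
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})

# Placeholder only: the real set of restricted 3-digit ZIP prefixes comes from
# HHS guidance and must be sourced from there before use.
RESTRICTED_ZIP3 = frozenset({"036"})

# Patterns used to scrub identifiers out of free-text fields such as notes.
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def year_only(iso_date: str) -> str:
    """Keep only the year of an ISO date (YYYY-MM-DD)."""
    return iso_date[:4]


def age_bucket(age: int):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def zip3(zip_code: str) -> str:
    """Truncate to the first three digits; restricted prefixes become 000."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with tokens."""
    for pattern, token in _FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue                     # direct identifiers are removed outright
        if field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field == "age":
            out[field] = age_bucket(value)
        elif field == "zip":
            out[field] = zip3(value)
        elif field == "notes":
            out[field] = scrub_text(value)
        else:
            out[field] = value           # diagnoses, labs etc. are not identifiers
    return out


def residual_hits(record: dict) -> list:
    """Fields whose string values still match an identifier pattern."""
    return [f for f, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p, _ in _FREE_TEXT_PATTERNS)]


# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Doe", "street": "1 Main St", "city": "Concord", "zip": "03601",
    "dob": "1931-02-03", "age": 93, "phone": "603-555-0134", "email": "j.doe@example.org",
    "ssn": "123-45-6789", "mrn": "MRN-000123", "admit_date": "2024-03-15",
    "diagnosis": "Type 2 diabetes", "lab_a1c": 7.4,
    "notes": "Pt called from 603-555-0134 re: appt on 2024-03-15; email j.doe@example.org.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Note that field-level dropping handles the structured identifiers, but free-text fields are where identifiers most often survive; the residual_hits check is deliberately run on the output rather than the input so it acts as an independent control on the redaction step.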
Patient Rights Under the Privacy Rule
The Privacy Rule gives individuals important rights regarding their health information:
Access: Right to inspect and obtain a copy of their PHI
Amendment: Right to request corrections to their health records
Accounting: Right to receive a list of disclosures made
Restriction: Right to request limits on uses/disclosures
Confidential Communication: Right to receive PHI through alternative means
Notice: Right to receive Notice of Privacy Practices
Permitted Uses & Disclosures
The Privacy Rule permits use and disclosure of PHI without patient authorization in these situations:
Treatment: Providing, coordinating, or managing healthcare
Payment: Billing and collection activities
Healthcare Operations: Quality assessment, training, business planning
Public Health: Reporting diseases, injuries, vital events
Law Enforcement: Court orders, warrants, administrative requests
Research: With IRB approval or de-identified data
Minimum Necessary Standard
Covered entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. This doesn't apply to treatment purposes.