HIPAA Privacy Rule
Complete Guide to PHI Protection
The HIPAA Privacy Rule establishes national standards for protecting individuals' medical records and other personal health information. Learn what PHI is, who can access it, and what patient rights must be protected.
Covers PHI in any form — electronic, paper, or oral — and grants patients enforceable rights over their health information.
45 CFR Part 164 Subpart E · U.S. Dept. of Health & Human Services (OCR) · Last reviewed June 2026
Direct Answer
The HIPAA Privacy Rule is the US federal standard that controls how Protected Health Information (PHI) may be used and disclosed, and gives patients enforceable rights over their own records. It applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions) and, through Business Associate Agreements, to the business associates (including Indian IT, BPO, and SaaS vendors) that create, receive, maintain, or transmit US patient data on their behalf. HIPAA is a compliance obligation, not a certification: there is no official "HIPAA certificate" issued by the US government, and the rule is enforced by the HHS Office for Civil Rights (hhs.gov/hipaa).
Definitions
What is Protected Health Information (PHI)?
PHI is any individually identifiable health information created, received, maintained, or transmitted by a covered entity. This includes information in any form—electronic, paper, or oral.
Identifiers
Names, addresses, SSN, phone numbers, email, medical record numbers
Demographics
Date of birth, age, gender, race, ethnicity
Health Data
Diagnoses, treatments, medications, lab results, mental health records
Financial
Insurance info, payment history, account numbers
Biometrics
Fingerprints, voice prints, full-face photographs and comparable images
18 HIPAA Identifiers
The Privacy Rule's Safe Harbor de-identification method (45 CFR 164.514(b)(2)) lists 18 identifiers of the individual and of their relatives, employers, and household members. Under Safe Harbor, all 18 must be removed and the covered entity must have no actual knowledge that the remaining information could identify the individual. The alternative, Expert Determination, does not require removing all 18: a qualified expert documents that the risk of re-identification is very small. Data de-identified by either method is no longer PHI.
Individual Rights
Patient Rights Under the Privacy Rule
The Privacy Rule gives individuals important, enforceable rights regarding their health information:
| Patient Right | What it means |
|---|---|
| Access | Right to inspect and obtain a copy of their PHI in a designated record set, generally within 30 days of the request |
| Amendment | Right to request corrections to their health records; a denial must be in writing and the individual may file a statement of disagreement |
| Accounting | Right to receive a list of certain disclosures made in the prior six years (disclosures for treatment, payment, and healthcare operations, and those to the individual, are excluded) |
| Restriction | Right to request limits on uses/disclosures; the covered entity must honor a request to withhold from a health plan any service the individual paid for in full out of pocket |
| Confidential Communication | Right to receive PHI by alternative means or at alternative locations |
| Notice | Right to receive a Notice of Privacy Practices describing how PHI is used and how to exercise these rights |
Permitted Disclosures
Permitted Uses & Disclosures
The Privacy Rule permits use and disclosure of PHI without patient authorization in these situations:
Treatment
Providing, coordinating, or managing healthcare
Payment
Billing and collection activities
Healthcare Operations
Quality assessment, training, business planning
Public Health
Reporting diseases, injuries, vital events
Law Enforcement
Court orders, warrants, administrative requests
Research
With an IRB or privacy board waiver of authorization, as a limited data set under a data use agreement, or on de-identified data (which is no longer PHI)
Minimum Necessary Standard
Covered entities and business associates must make reasonable efforts to limit PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose. The standard does not apply to disclosures for treatment, disclosures to the individual, uses or disclosures under a valid authorization, disclosures required by law, or disclosures to HHS for enforcement.
Frequently Asked Questions
Common questions on the HIPAA Privacy Rule, PHI, and what it means for business associates.
What does the HIPAA Privacy Rule actually regulate?
The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) sets national standards for how covered entities and their business associates may use and disclose Protected Health Information (PHI) in any form — electronic, paper, or oral. It also grants individuals enforceable rights over their health information, such as the right to access, amend, and receive an accounting of disclosures. It is enforced by the HHS Office for Civil Rights (OCR); see https://www.hhs.gov/hipaa.
Is there an official "HIPAA Privacy Rule certificate"?
No. HIPAA is a compliance obligation, not a certification, and the U.S. government does not issue any official "HIPAA certificate." A covered entity or business associate demonstrates Privacy Rule compliance through documented policies, a Notice of Privacy Practices, workforce training, signed Business Associate Agreements, and evidence of honoring patient rights — not through a certificate. Independent attestations such as SOC 2 or a third-party HIPAA assessment can evidence your controls, but they are not government certification.
What is the minimum necessary standard?
The minimum necessary standard requires covered entities and business associates to limit PHI used, disclosed, or requested to the least amount needed to accomplish the intended purpose. It applies to most uses and disclosures, but not to disclosures for treatment, disclosures to the individual, uses or disclosures the individual has authorized, or those required by law or for HHS enforcement.
Do Indian companies need to comply with the HIPAA Privacy Rule?
Indian IT, BPO, SaaS, and analytics firms that create, receive, maintain, or transmit US patient PHI on behalf of a US covered entity are HIPAA business associates. They are contractually bound through a Business Associate Agreement to the Privacy Rule provisions applicable to them and, since the 2013 Omnibus Rule, are also directly liable under HIPAA for impermissible uses and disclosures of PHI and for failing to apply the minimum necessary standard. While the Privacy Rule is primarily a US covered-entity obligation, business associates must follow the use and disclosure limits, the minimum necessary standard, and support individual rights (for example, providing access to ePHI) as set out in their BAA.
What are the 18 HIPAA identifiers?
The 18 identifiers are the data elements that the Safe Harbor method requires to be removed: names; geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, except that the first three digits of a ZIP code may be kept if that three-digit area contains more than 20,000 people, otherwise it becomes 000); all date elements except year that are directly related to an individual, and all ages over 89 (which may be aggregated into a single "90 or older" category); phone and fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifiers and license plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers such as fingerprints and voice prints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. Removing all 18, with no actual knowledge that the residual information could identify the individual, de-identifies the data under Safe Harbor so it is no longer PHI; Expert Determination is the alternative route.
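The Safe Harbor mechanics described in the "18 HIPAA Identifiers" section and in the FAQ answer above are easier to reason about as code. The following is an added example, not code from this page, from HHS, or from any HIPAA tool: it takes a structured patient record, drops the direct identifiers, generalizes ZIP codes to three digits (or 000 for the low-population prefixes HHS lists in its Safe Harbor guidance, based on the 2000 Census; that list must be refreshed against current census data), reduces dates to the year, aggregates ages over 89 into 90+ (and then drops the birth year, since it would reveal the age), and regex-scrubs identifier-shaped tokens out of free-text notes. The field names, the sample record, and the regexes are assumptions for illustration. It returns an audit trail of what it removed so the de-identification can be reviewed. It cannot satisfy the second Safe Harbor condition, that nobody has actual knowledge the residual data identifies the patient, and the free-text scrubbing is a heuristic, not a guarantee.

```python
"""Safe Harbor de-identification of one patient record (45 CFR 164.514(b)(2)).

Added example for illustration; field names, sample data and regexes are
assumptions, not an official HHS tool.
"""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers under Safe Harbor: dropped entirely (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
}
# Geographic subdivisions smaller than a state: dropped (the state may stay).
SMALL_GEO = {"street", "city", "county", "precinct"}
# Dates directly related to the individual: reduced to the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes with <= 20,000 residents per HHS Safe Harbor guidance
# (2000 Census). Verify against current census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Identifier-shaped tokens that leak into free text (assumed patterns, heuristic).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into the single '90+' category."""
    return "90+" if age > 89 else str(age)


def generalize_date(value: date | str) -> str:
    """Reduce a date object or ISO-8601 string to its year."""
    return str(value.year) if isinstance(value, date) else str(value)[:4]


def scrub_free_text(text: str) -> str:
    """Redact identifier-shaped tokens from a free-text field."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def safe_harbor_deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return (de-identified record, audit list of removed/generalized fields)."""
    out: dict = {}
    audit: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SMALL_GEO:
            audit.append(f"removed:{field}")
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
            audit.append("generalized:zip")
        elif field == "age":
            out["age"] = generalize_age(value)
            audit.append("generalized:age")
        elif field in DATE_FIELDS:
            out[f"{field}_year"] = generalize_date(value)
            audit.append(f"generalized:{field}")
        elif isinstance(value, str):
            scrubbed = scrub_free_text(value)
            if scrubbed != value:
                audit.append(f"scrubbed:{field}")
            out[field] = scrubbed
        else:
            out[field] = value
    # A birth year combined with a 90+ age would reveal an age over 89, so drop it.
    if out.get("age") == "90+" and "dob_year" in out:
        del out["dob_year"]
        audit.append("removed:dob_year")
    return out, audit


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    sample = {
        "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0042",
        "dob": date(1931, 5, 1), "age": 92, "zip": "03601", "state": "NH",
        "street": "1 Main St", "city": "Walpole",
        "admission_date": "2024-02-14", "diagnosis": "I10",
        "notes": "Pt called from 603-555-0199, follow up 3/1/2024.",
    }
    deidentified, trail = safe_harbor_deidentify(sample)
    print(deidentified)
    print(trail)
```

The audit list is what a reviewer signs off on: if a field with a new name (say `patient_email`) slips through unrecognized, it will appear in the output rather than in the audit trail, which is the failure mode a schema allow-list, not a deny-list, would prevent in production.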
Continue your HIPAA research
- HIPAA compliance hub — the Security Rule, Breach Notification, BAAs, and penalties in one place.
- HIPAA consulting for Indian companies — readiness for business associates handling US PHI (indicative ₹1.5–4L).
- HIPAA for Indian business associates — why US PHI work triggers HIPAA obligations in India.
- Tranquility Cybersecurity credentials & proof.
Written By Expert Auditors
Keep Exploring
Related Reading
- HIPAA Knowledge Hub — Privacy Rule, Security Rule, BAAs, cloud guides and penalties.
- HIPAA Security Rule — Administrative, physical and technical safeguards for ePHI.
- Business Associate Agreements — What a BAA must contain and when you need one.
- HIPAA Breach Notification — Reporting timelines and obligations after a PHI breach.
- HIPAA Compliance — US health-data rules for healthtech and business associates.
- SOC 2 for Healthtech — Where SOC 2 meets HIPAA for healthcare SaaS selling into the US.