An Overview of the HIPAA Privacy Rule

Meeba Gracy


Mar 08, 2023


Medical information: who has access to it, and how is that access governed? For a long time there was no clear federal answer. That gap is part of what led Congress to pass the Health Insurance Portability and Accountability Act (HIPAA), under which the Department of Health and Human Services (HHS) later issued the regulations known as the HIPAA Privacy Rule.

In this blog post, we’ll give an overview of HIPAA’s Privacy Rule, exploring why these rules were deemed necessary, whom they bind, and what they mean for safeguarding health data.

Let’s dive in…

History of HIPAA Privacy Rule

HIPAA was enacted in 1996 with the underlying goal of improving access to health coverage across the country. It addressed three areas: portability of insurance coverage when people change or lose jobs, certain tax provisions, and, most relevant here, “administrative simplification,” the part of the statute that standardized electronic health care transactions and required privacy and security protections for the information flowing through them.

The HIPAA Privacy Rule itself was written and issued by the Department of Health and Human Services (HHS) under that administrative simplification authority. Standardizing the electronic transmission of health records made exchange cheaper and faster, but it also made large-scale privacy failures easier, so a rule governing how that data may be used and disclosed was needed alongside the transaction standards.


Before the Privacy Rule, there was no comprehensive federal standard protecting the privacy of health information; protection depended on a patchwork of state laws and professional ethics. HIPAA gave Congress until August 1999 to pass privacy legislation and directed HHS to issue regulations if it did not. Congress missed the deadline, and HHS stepped in with its own solution: the HIPAA Privacy Rule.

HHS published a proposed rule in 1999, considered public comments, and issued the final Privacy Rule (codified at 45 CFR Parts 160 and 164) in December 2000, with amendments in 2002. It sets the conditions under which covered entities (CEs) may use and disclose protected health information (PHI). Note that the Privacy Rule is separate from the Common Rule, which governs federally funded human-subjects research; the two overlap but are distinct regulations.

Most covered entities had to comply by April 14, 2003; small health plans were given until April 14, 2004. Behind these regulations is also an acknowledgment that data from personal health records is essential to medical research, so the Rule had to protect patients without cutting off legitimate data flows.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule governs how covered entities and their business associates may use and disclose an individual’s PHI, and it gives individuals rights over their own health information, such as the right to see and obtain a copy of it. It applies to PHI in any form: spoken, on paper, or electronic.

Advocating for Stronger Privacy Rules

Today, various privacy advocates argue that the U.S. is overdue for safeguards stronger than HIPAA provides. These demands mainly concern the use of data in health care delivery rather than in medical research.

One study of the question commissioned a Harris Poll to gain fresh insight into public attitudes.

After analyzing the survey data, the study’s committee found that citizens were highly skeptical about the privacy and security of their PHI. They noted that while HIPAA’s Privacy Rule had somewhat lessened these worries, it had not eliminated them.

Another thing to note: while most survey participants expressed discomfort with their PHI being used for research without notice and express consent, most respondents were willing to provide their data if certain precautions were in place, for example if the scope of the research was made available to them.

Although HIPAA is now more than 25 years old, the Privacy Rule still stands as one of the most significant regulations HHS has issued.

What Does HIPAA Privacy Rule Cover?

The Privacy Rule is what keeps your PHI under wraps. It sets the terms under which PHI may be used or shared without your authorization, and the cases in which authorization is required.

The Privacy Rule applies to:

Health plans

Health plans are individual or group plans that provide or pay for medical care. This includes employer-sponsored group health plans, church and government health plans (Medicare and Medicaid among them), health insurers and HMOs, as well as multi-employer health plans. Note that the employer itself is not a covered entity; its group health plan is.


Health Care Providers

Now, this is where it gets interesting: health care providers are covered by the Privacy Rule regardless of their size. The trigger is electronic transmission: any provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard (such as claims, benefit eligibility inquiries, referral authorization requests, or payment transactions) is a covered entity.

If you are wondering what constitutes a health care provider, here are some examples:

  • Institutional providers, such as hospitals, clinics, and nursing facilities
  • Physicians
  • Dentists and other practitioners
  • Providers of medical or health services, including pharmacies and laboratories
  • Any other person or organization that furnishes, bills, or is paid for health care

Business Associates

Business associates are contractors or other non-workforce persons and organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity. For example, suppose you’re a healthcare organization that outsources IT services or cloud hosting. In that case, you need a signed Business Associate Agreement (BAA) with the vendor before allowing it access to this sensitive data. Since the HITECH Act, business associates are directly liable for complying with the applicable HIPAA rules, not merely contractually bound.

Hybrid Entities

An organization that performs both HIPAA-covered and non-covered functions can designate itself a “hybrid entity,” so that only its health care components are bound by the Rule. For example, UNC is a hybrid entity: its Student Health Center and Counseling Center are designated health care components and must comply, while parts of the university that do not handle PHI are not covered.

Information that HIPAA Privacy Rules Protect

The Privacy Rule safeguards all individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, whether verbal, electronic, or on paper. In regulatory terminology, this protected data falls under one acronym: PHI. Health information becomes PHI when it can be tied to a specific person through identifiers such as the following.

Here’s the list of identifiers that the Privacy Rule covers:

  • Name
  • Address
  • Social Security Number
  • Bear Number (or other institutional ID number)
  • Marital status
  • Birth date
  • Hospital admission date
  • Appointment and discharge dates
  • Telephone and fax numbers
  • Email addresses
  • Insurance ID number
  • Insurance account number
  • Driver’s license number
  • Demographics related to insurance information
  • Family information
  • Sign-in sheets at any healthcare facility
  • Information about a person’s physical or mental health, whether past, present, or future
  • Any other data that can be linked to a particular person, or that could reasonably be used to identify someone as a patient, student, or employee
  • Payment for health care services, whether past, present, or future
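As an added example (not code from the original post, and not Sprinto’s product), here is a small Python scanner that looks for the textual forms of several identifiers from the list above in a record before it leaves a covered environment, and redacts them while keeping the clinical content. The regexes, the label format MBR-/POL-/ACCT- assumed for insurance numbers, and the sample records are all constructed for illustration. Names, addresses and other free-text identifiers need dictionary or named-entity approaches that a regex cannot provide, and flagging identifiers is a check on an outbound record, not by itself a de-identification.

```python
import re

# Identifier categories taken from the list above, each paired with a regex
# for the common textual form of that identifier. The formats are assumptions
# for this example; tune them to your own data.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Birth, admission, appointment and discharge dates, ISO or US style.
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    # Hypothetical insurance member/policy/account number format.
    "insurance_id": re.compile(r"\b(?:MBR|POL|ACCT)-\d{6,}\b"),
}


def find_identifiers(text):
    """Return {category: [matched strings]} for every identifier category present."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def contains_phi(text):
    """Conservative check: a direct identifier next to health information makes
    the record PHI, so treat any hit as PHI until a human reviewer says otherwise."""
    return bool(find_identifiers(text))


def redact(text):
    """Replace each identifier with a category tag so the clinical content survives."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub("[" + category.upper() + "]", text)
    return text


# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    "Jane Roe, DOB 1984-03-09, admitted 2023-02-14, SSN 123-45-6789, "
    "phone (919) 555-0142, jane.roe@example.org, MBR-00482913: chest pain, ECG normal.",
    "Aggregate: 42 patients seen for influenza-like illness in week 6.",
]


def scan_records(records):
    """Return (record_index, sorted categories found) for every record containing PHI."""
    return [(i, sorted(find_identifiers(r))) for i, r in enumerate(records) if contains_phi(r)]


if __name__ == "__main__":
    for i, categories in scan_records(SAMPLE_RECORDS):
        print(f"record {i}: identifiers {categories}")
        print("  redacted:", redact(SAMPLE_RECORDS[i]))
```

Run as a script it flags the first record on five identifier categories and leaves the aggregate second record untouched; note that the redaction keeps the date category tag but drops the date itself, which matters because dates of admission and discharge are identifiers in their own right.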

What instances require a provider to acquire consent before disclosing or using information?

First of all, all covered entities are responsible for protecting your privacy. But the Privacy Rule does not require them to get your permission for everything. A covered entity may use and disclose PHI without your authorization for treatment, payment, and health care operations (often abbreviated TPO); it may choose to ask for consent for these, but is not required to. For most other purposes, such as marketing, selling PHI, or releasing psychotherapy notes, it must first obtain your written authorization, which has to state what will be disclosed, to whom, and for what purpose, and which you can revoke.

Disclosing PHI with public health authorities

While protecting patients’ privacy is a top priority, public health authorities also need access to certain information to do their jobs, such as tracking reportable diseases.

The Privacy Rule recognizes this by permitting a covered entity to disclose PHI, without the individual’s authorization, to a public health authority that is legally authorized to collect it for purposes such as preventing or controlling disease, injury, or disability. Disclosures of this kind are still subject to the “minimum necessary” standard. This balance is a good illustration of what the HIPAA Privacy Rule stands for.

What rights do patients have under the HIPAA Privacy Rule?

The HIPAA Privacy Rule gives individuals the right to inspect and obtain a copy of the PHI that a covered entity holds about them in a “designated record set” (medical and billing records and other records used to make decisions about them). The covered entity generally must respond within 30 days.

This includes inspecting or getting copies in the form and format you ask for, where readily producible, and having the PHI transmitted directly to a third party you designate.

The right covers PHI regardless of when it was created or where it is stored: electronically, on paper, on site, remotely, or in archives.

Beyond access, the Rule also gives you the right to request corrections (amendments) to your records, to receive an accounting of certain disclosures, to request restrictions on how your PHI is used, to ask for confidential communications, and to receive a notice of the covered entity’s privacy practices.


The Sprinto Way

Keeping up with HIPAA compliance can be a lot to juggle, along with maintaining business growth. Still trying to figure out where to start? Sprinto has the answer! 

We set you up for success by automating your HIPAA-related tasks, from assessing risk to evaluating your compliance posture. Our solution automatically flags anything that could affect achieving or maintaining compliance and offers training so that the same errors recur far less often.

Save yourself time and hassle so you can focus on what matters: growing your business. Feel free to drop us a line to make HIPAA compliance easier than ever!


What are the 3 rules of HIPAA?

The 3 rules of HIPAA are as follows:

  • Privacy rules
  • Security rules
  • Breach Notification rules

What are the four basic parts of the HIPAA privacy Rule?

These four are really the basic parts of HIPAA as a whole; the Privacy Rule is the regulation that implements the second of them:

  • Administrative simplification
  • Privacy of health information
  • Security of electronic records
  • Insurance portability

Why does the HIPAA Privacy Rule exist?

The HIPAA Privacy Rule exists to give individuals’ health information strong, nationally uniform protection while still allowing the flow of data needed to deliver care, run the health system, and protect public health.

Meeba Gracy


Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
