3.1 The HIPAA Privacy Rule

Key Takeaways

  • Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity in any form — paper, electronic, or oral.
  • Covered entities are health plans, health care clearinghouses, and providers who transmit electronically; business associates handle PHI on their behalf under a Business Associate Agreement (BAA).
  • Treatment, Payment, and health care Operations (TPO) disclosures do not require patient authorization, but most other uses do.
  • The minimum necessary standard limits PHI to the least amount needed for the task; it does not apply to treatment disclosures or disclosures to the individual.
  • The Notice of Privacy Practices (NPP) must be provided at first delivery of service and posted prominently.

Last updated: June 2026

What the Privacy Rule Protects

The HIPAA Privacy Rule (Health Insurance Portability and Accountability Act of 1996, codified at 45 CFR Part 160 and Part 164 Subpart E) sets national standards for protecting Protected Health Information (PHI). PHI is individually identifiable health information — any data that relates to a person's physical or mental health, the provision of care, or payment for care, and that identifies the individual or could reasonably be used to identify them.

PHI is protected in any form or medium: electronic (ePHI), paper, and oral. The 18 HIPAA identifiers include name, all dates more specific than a year (birth, admission, discharge, death), geographic subdivisions smaller than a state, phone/fax numbers, email, Social Security number, medical record number, health plan and account numbers, certificate/license numbers, vehicle and device identifiers, URLs and IP addresses, biometric identifiers, full-face photos, and any other unique identifying code.

Strip all 18 (the Safe Harbor method) or obtain an expert determination of low re-identification risk, and the data is de-identified — no longer PHI and outside the Rule.

A limited data set removes most direct identifiers but may keep dates, city/state/ZIP (not street address), and ages; it is still PHI and may be used for research, public health, or operations only under a data use agreement (DUA). The Privacy Rule itself sits within HIPAA's broader Administrative Simplification provisions, which also include standard transactions and code sets and unique identifiers such as the National Provider Identifier (NPI). RHIT candidates should distinguish PHI (identifiable) from de-identified data and a limited data set, because the permitted uses differ sharply.
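As an added example (not part of this page or any AHIMA material), the Python below applies the two filters just described to a constructed record: Safe Harbor strips all identifier fields and reduces dates and geography to year and state, while the limited data set keeps dates, city/state/ZIP and age but drops direct identifiers. It also scans free text for the identifier patterns the page lists (SSN, phone, email, IP). The record field names and the regular expressions are assumptions.

```python
import re
from datetime import date
# Direct identifiers that both Safe Harbor and a limited data set strip.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
    "other_code", "street",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
SMALL_GEO = {"city", "zip"}  # geographic subdivisions smaller than a state
# Constructed sample record (not real patient data); field names are assumptions.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "dob": date(1970, 3, 14), "admit_date": date(2024, 1, 5),
    "street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62704",
    "age": 54, "diagnosis": "J18.9",
}

def safe_harbor(record: dict) -> dict:
    """Strip all 18 identifiers; the result is de-identified and outside the Rule."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SMALL_GEO:
            continue
        if key in DATE_FIELDS:
            out[f"{key}_year"] = value.year      # nothing more specific than the year
        elif key == "age":
            # 45 CFR 164.514(b) aggregates ages over 89 (regulation detail, not on the page)
            out[key] = value if value < 90 else "90+"
        else:
            out[key] = value
    return out

def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers but keep dates, city/state/ZIP and age: still PHI."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

# Identifier patterns that commonly leak inside free-text notes (assumed patterns).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_identifiers(text: str) -> dict:
    """Flag identifier-looking strings in a note before treating it as de-identified."""
    found = {kind: pat.findall(text) for kind, pat in TEXT_PATTERNS.items()}
    return {kind: hits for kind, hits in found.items() if hits}
```

Run `find_identifiers` over any narrative field before a record is released as de-identified; a structured-field strip alone leaves identifiers typed into notes untouched.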

The Privacy Rule is enforced by the HHS Office for Civil Rights (OCR), which investigates complaints, conducts compliance reviews, and imposes corrective action or civil penalties. There is no private right of action under HIPAA — individuals cannot sue a covered entity directly under the statute, though state law may provide separate remedies. Understanding this enforcement structure helps RHIT candidates frame why documented policies, training, and the minimum necessary standard matter operationally.

Who Must Comply

The Rule binds covered entities and their business associates. There are three types of covered entity:

  • Health plans — insurers, HMOs, Medicare/Medicaid, employer group plans.
  • Health care clearinghouses — entities that translate claims between standard and non-standard formats.
  • Health care providers who transmit health information electronically in a HIPAA standard transaction (e.g., billing a claim).

A business associate (BA) is a person or organization that creates, receives, maintains, or transmits PHI to perform a function on the covered entity's behalf — billing companies, transcription vendors, EHR hosts, Release of Information (ROI) vendors, coding consultants, shredding services, and cloud storage providers. Before sharing PHI, the covered entity must execute a Business Associate Agreement (BAA), a contract requiring the BA to safeguard PHI, use it only as permitted, report breaches and security incidents, ensure subcontractors agree to the same terms, and return or destroy PHI at contract end.

Since the HITECH Act (2009), business associates are directly liable to the Office for Civil Rights (OCR) for many HIPAA violations, not just contractually liable to the covered entity.

Some organizations are hybrid entities — only part of the operation is a covered function — or part of an organized health care arrangement (OHCA), such as a hospital and its medical staff sharing PHI for joint operations. Workforce members (employees, volunteers, trainees under the entity's control) are not business associates; their access is governed by internal policy and the minimum necessary standard. Mislabeling a vendor as "just a contractor" and skipping the BAA is a frequent compliance failure the RHIT exam probes.

TPO, Minimum Necessary, and the NPP

Covered entities may use and disclose PHI without authorization for Treatment, Payment, and health care Operations (TPO). Treatment is care coordination; payment is billing and reimbursement; operations are quality improvement, audits, training, and business management.

The minimum necessary standard requires limiting PHI to the least amount needed to accomplish the purpose. Crucially, it does NOT apply to: (1) disclosures to or requests by a provider for treatment, (2) disclosures to the individual who is the subject, (3) uses pursuant to a valid authorization, and (4) disclosures required by law or to HHS for enforcement.

The Notice of Privacy Practices (NPP) describes how the entity uses and discloses PHI, the individual's rights, and the entity's duties. Direct-treatment providers must give it at the date of first service delivery, make a good-faith effort to obtain written acknowledgment of receipt, post it prominently on-site, and put it on their website. In an emergency, the NPP may be delivered as soon as reasonably practicable afterward.

Finally, distinguish a use (sharing PHI within the entity) from a disclosure (releasing it outside the entity), and separate permitted disclosures (allowed without authorization, like TPO, public health, and required-by-law) from authorized disclosures (requiring the patient's signed authorization). Incidental disclosures — a visitor overhearing a hallway conversation — are not violations if reasonable safeguards and minimum necessary were applied.

Disclosure purpose                    Authorization needed?
Treatment (provider-to-provider)      No (TPO)
Billing a claim to a payer            No (TPO)
Quality review / audit                No (TPO)
Marketing (most)                      Yes
Sale of PHI                           Yes
Psychotherapy notes (most uses)       Yes
Disclosure to an employer             Yes (usually)
To the patient about themselves       No authorization; right of access

Test Your Knowledge

A coding auditor needs to review records to verify documentation supports billed codes. Under the HIPAA Privacy Rule, may the facility disclose PHI to the internal auditor without patient authorization?

Test Your Knowledge

Which scenario is EXEMPT from the minimum necessary standard?

Test Your Knowledge

A transcription vendor will receive PHI to type provider dictation. What must the covered entity execute before sending records?
