The HIPAA rule establishing national standards for protecting individuals' medical records and other protected health information in all forms.
The HIPAA Privacy Rule, formally known as the Standards for Privacy of Individually Identifiable Health Information, was published in 2000 and took effect in 2003. It establishes national standards for the protection of individuals' medical records and other personal health information. Unlike the Security Rule, which applies only to electronic PHI, the Privacy Rule covers PHI in all forms: electronic, paper, and oral. The Privacy Rule defines who is covered by HIPAA, what information is protected, how PHI can be used and disclosed, and what rights individuals have over their health information.
The Privacy Rule establishes several foundational requirements. It permits the use and disclosure of PHI without individual authorization for treatment, payment, and health care operations (TPO). It requires individual authorization for most other uses and disclosures, with specific exceptions for public health, law enforcement, judicial proceedings, and other public interest purposes. It grants individuals rights including access to their records, the right to request amendments, accounting of disclosures, and restrictions on certain uses. It requires covered entities to provide a Notice of Privacy Practices, designate a Privacy Officer, train workforce members, and implement safeguards to protect PHI. The Minimum Necessary Standard applies to most uses and disclosures except treatment.
While the Privacy Rule and Security Rule work together to protect health information, they differ in important ways. The Privacy Rule covers all PHI regardless of format and focuses on the permissible uses and disclosures of that information and individual rights. The Security Rule focuses exclusively on ePHI and specifies the administrative, physical, and technical safeguards that must be in place to protect it. Organizations must comply with both rules. The Privacy Rule tells organizations what they can and cannot do with PHI, while the Security Rule tells them how to protect the electronic portion of that information. Together, they form the core of HIPAA's data protection framework.