HIPAA: Privacy Rule

Privacy Rule [45 CFR 164.500-534]

Rule: Covered entities may use or disclose PHI only as the Privacy Rule permits or requires. Treatment, payment, and healthcare operations need no authorization (§164.506), nor do the specific public-interest purposes listed in §164.512. Any other use or disclosure requires the individual's valid written authorization (§164.508). Two disclosures are mandatory: to the individual on request, and to HHS for compliance investigations (§164.502(a)(2)).

Permitted Uses Without Authorization

Category                 Description                                      Citation
Treatment                Provision of healthcare                          §164.506
Payment                  Billing, claims, eligibility                     §164.506
Healthcare operations    Quality, training, compliance                    §164.506
Required by law          Statutes, regulations, court orders              §164.512(a)
Public health            Disease reporting, FDA                           §164.512(b)
Health oversight         Audits, investigations                           §164.512(d)
Judicial proceedings     Subpoenas, court orders, discovery requests      §164.512(e)
Law enforcement          Warrants, identification of suspects or victims  §164.512(f)
Research                 With IRB/Privacy Board waiver of authorization   §164.512(i)

Authorization Required

Uses and disclosures the Rule does not otherwise permit or require need valid written authorization, including:

  • Marketing (§164.508(a)(3))
  • Sale of PHI (§164.508(a)(4))
  • Psychotherapy notes (§164.508(a)(2), with limited exceptions)
  • Most research uses (unless an IRB or Privacy Board waiver under §164.512(i) applies)
  • Disclosures to employers

Valid Authorization Must Include [§164.508(c)]

  1. Description of the PHI to be disclosed
  2. Who is authorized to disclose
  3. Who will receive the information
  4. Purpose of each disclosure
  5. Expiration date or expiration event
  6. Individual’s signature and date
  7. Statement of the right to revoke and how to do so
  8. Statement that treatment, payment, enrollment, or eligibility cannot be conditioned on signing (with limited exceptions)
  9. Statement that disclosed information may be redisclosed by the recipient and no longer protected by the Rule

Minimum Necessary Standard [§164.502(b)]

Rule: Limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose.

Application      Requirement
Internal uses    Identify who needs access based on role; restrict access accordingly (§164.514(d)(2))
Disclosures      Limit to the minimum needed for the purpose (§164.514(d)(3))
Requests         Only request what is necessary (§164.514(d)(4))

Exceptions to minimum necessary [§164.502(b)(2)]:

  • Disclosures to, or requests by, a healthcare provider for treatment
  • Disclosures to the individual
  • Uses and disclosures made under the individual's authorization
  • Disclosures to HHS for compliance investigations
  • Uses and disclosures required by law or required to comply with the Privacy Rule

Notice of Privacy Practices [§164.520]

Covered entities must provide notice describing:

  • How PHI may be used and disclosed
  • Individual’s privacy rights
  • Entity’s legal duties
  • How to file complaints

Citation

45 CFR Part 164 Subpart E — Privacy of Individually Identifiable Health Information

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.