The HIPAA Privacy Rule in Practice
Healthcare compliance officers know the routine: risk analysis, encryption, and multi-factor authentication.
Most conversations about HIPAA are dominated by the Security Rule and the proposed changes, but while the industry has been watching the Security Rule, something quieter has been happening with its older, less glamorous counterpart.
The HIPAA Privacy Rule, which governs who can access patient information and under what circumstances, has not undergone a major update since the Omnibus Rule of 2013. It doesn’t have a shiny new proposed rulemaking to debate, nor does it generate the same buzz. And yet, in 2025 and into 2026, it has become one of the most active areas of HIPAA enforcement.
The reason is straightforward: Healthcare organizations have invested heavily in building strong security systems, but privacy practices haven’t always kept pace. Data flows sometimes go undocumented, business associate relationships aren’t always double-checked, and the workforce might not be sure what “minimum necessary” means without a little guidance. And regulators have noticed this.
According to a February 2026 analysis by healthcare attorneys at Foley Hoag, a single incident can now trigger an Office of Civil Rights (OCR) inquiry, consumer litigation, an FTC examination, and state attorney general inquiries simultaneously. The enforcement perimeter has expanded to sit squarely at the center of the Privacy Rule.
This article is about what the Privacy Rule requires, where organizations are falling short, and why 2026 may be the year it finally gets the attention it deserves.
What the Privacy Rule Actually Does
The Privacy Rule has been in effect since 1996, with mandatory compliance for covered entities (providers, health plans, and clearinghouses) since 2003. It’s been around long enough that it can be genuinely misunderstood, especially when the Security Rule is so often in the spotlight. Even people who have worked in healthcare their whole careers can forget what makes the Privacy Rule unique.
The most common misconception is that the Security Rule and the Privacy Rule are essentially the same thing, or that one covers the other. The Security Rule governs how electronic protected health information (ePHI) is protected: the technical, physical, and administrative safeguards that keep data secure.
The Privacy Rule was created to establish a national standard for safeguarding protected health information (PHI). It governs:
- Who is permitted to use or disclose PHI
- In what form
- For what purpose
- And with whose knowledge
At its core, the Privacy Rule establishes two foundational rules. First, PHI in any form (electronic, written, or spoken) may not be used or disclosed unless the rule explicitly permits it, or the patient has authorized it in writing. Second, even when a use or disclosure is permitted, it must be limited to the minimum amount of information necessary to accomplish the intended purpose.
Those two principles sound simple. In practice, they impact nearly every area of healthcare from clinical and administrative roles to operational tasks and, more than ever, digital functions.
The rule also establishes a framework of individual rights that includes:
- the right to access and obtain copies of one’s own records,
- the right to request amendments,
- the right to know how information has been disclosed,
- the right to receive a clear, plain-language Notice of Privacy Practices before care begins
Although protecting PHI and prioritizing patient rights have been cornerstones of healthcare for over twenty years, what’s new today is the expanding number of ways modern healthcare operations can create Privacy Rule exposures that often go unrecognized.
Common OCR enforcements that stem from the Privacy Rule include:
- Improper PHI destruction
- Impermissible Uses and Disclosures
- Inadvertent and unauthorized disclosures
- Use or disclosure of more than the minimum necessary
- Failures to honor patients’ right to access their PHI
Permitted Uses & Disclosures
A central concept of the Privacy Rule is the set of guidelines governing the use and disclosure of PHI. This is worth revisiting, as it’s easy for organizations to treat permitted uses and disclosures under a blanket green light rather than a structured framework with clear limits.
Under HIPAA, a use refers to the sharing, application, or analysis of PHI within your organization. Examples include a nurse accessing a patient’s medical record after a visit, the billing department reviewing a claim, or a physician coordinating patient care with a surgeon by sending medical records.
A disclosure is when the PHI is shared outside the healthcare organization. For example, when a specialist receives a referral from a primary care physician or when an insurance company processes a payment.
Every permitted use or disclosure carries the same responsibility: use only the information needed, limit sharing to prevent over-disclosure, and document why. This is called the Minimum Necessary Standard, and it is a foundational and frequently misapplied Privacy Rule principle.
The minimum necessary standard requires that covered entities and business associates limit the amount of information to what is necessary to accomplish the intended purpose while protecting the patient’s privacy during essential information exchanges for the treatment, payment, and operations of a healthcare encounter. The minimum necessary applies to all formats of PHI, including verbal, written, and electronic.
The standard is straightforward in principle. When using or disclosing PHI, the covered entity must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use or disclosure.
For example, a billing team doesn’t need a full clinical history to process a claim. A front desk coordinator doesn’t need access to every record in your system to schedule an appointment. A business associate doesn’t need unrestricted PHI access to perform a narrowly scoped function.
Common Minimum Necessary Standard Violations
According to OCR, violations of the minimum necessary standard are the fifth-most-common compliance issue they investigate each year.
The consequences for disclosing more PHI than is necessary depend on the circumstances of the disclosure. Common minimum necessary failures include:
- Unreasonable or excessive disclosures, such as sending a full patient chart to an insurance company instead of confirming only the relevant procedure and date, which is the information needed for their purpose. This type of excessive disclosure often stems from a “more is better” approach, but it creates exposure because once PHI leaves your organization, your control over it is limited.
- Routine disclosure errors are the most common types of breaches reported to the OCR. An example is a physician’s office faxing a patient’s lab results to the wrong provider, whether because an outdated contact number is in the system, because of a transposition error in the fax number, or because staff work too quickly under time pressure.
- Inadequate Access Controls are often overlooked, even though they are reasonable safeguards to protect PHI from unauthorized use or disclosure. For example, a medical practice terminates an employee. The offboarding process covers the logistics of collecting a badge and closing out HR paperwork, but it does not include removing an employee’s access credentials to the EHR system. Maintaining active credentials for individuals who no longer have a permissible reason to access patient information is not a reasonable safeguard, and it can become an irresistible entry point for intruders.
Read our in-depth article all about the hidden dangers of forgotten service accounts.
Best Practices for the Minimum Necessary
In practice, minimum necessary violations often aren’t the result of bad intent. They’re the result of systems configured for convenience rather than compliance, roles with broader access than their functions require, and workflows that have never been formally reviewed against Privacy Rule standards. That’s a manageable problem, but only if organizations are willing to look at it honestly.
Review current sharing and privacy practices to strike the right balance between safeguarding PHI and delivering effective healthcare for your patients. This includes reviewing your business associate agreements to confirm what your business associates are doing with PHI, verifying that appropriate safeguards are in place, and maintaining documentation that demonstrates ongoing oversight.
Guarantee that role-based access controls are in place, as these are the structural mechanisms that make your policy operational. Define access levels based on job roles and functions. A nurse practitioner, a billing coordinator, and a front desk employee all interact with PHI differently. Their system access should reflect that. And update access permissions whenever an employee changes roles, transfers to a different department, or leaves the organization.
Ensure employee training is a significant part of your compliance measures. When all members of your staff, from clinicians to administrative front desk personnel, understand what the minimum necessary standard requires, how your organization has adopted procedures for the minimum necessary, and the policies and procedures that define these methods, they have more opportunities to act in accordance with your organizational standards.
Build access controls into your offboarding checklists to ensure that PHI remains safeguarded when employees or business associates are removed from their roles. A written policy that defines the offboarding workflow, along with routine access credential audits, can close gaps and demonstrate your commitment to protecting PHI. Remember to conduct routine audits for who is accessing what and how often.
Having a documented and consistent approach to how PHI moves through your organization is a practical discipline step. Organizations that map their permitted disclosure categories, review their access controls against minimum necessary standards, and actively manage their business associate relationships are proactively complying with the Privacy Rule.
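Two of the practices above, role-based access that enforces the minimum necessary and routine audits of who still holds credentials after offboarding, can be automated in a small script. The following is an added example, not code from the article or from any EHR vendor; the role names, PHI field names, HR and account records, and the dates are all constructed for illustration.

```python
"""Added example: (1) a role-based minimum necessary filter over a patient
record and (2) an offboarding access review that reconciles an HR roster
against enabled EHR accounts. All names, fields and dates are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# --- Part 1: role-based minimum necessary --------------------------------
# Constructed policy: each role sees only the fields its function needs.
# Anything not listed is withheld, so new fields default to "not shared".
ROLE_ALLOWED_FIELDS = {
    "billing":    {"patient_id", "name", "dob", "procedure_code",
                   "service_date", "insurer"},
    "front_desk": {"patient_id", "name", "phone", "next_appointment"},
    "clinician":  {"patient_id", "name", "dob", "diagnoses", "medications",
                   "lab_results", "procedure_code", "service_date"},
}

def minimum_necessary_view(record: dict, role: str) -> dict:
    """Return only the fields the role may see; unknown roles get nothing."""
    allowed = ROLE_ALLOWED_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}

# --- Part 2: offboarding access review ------------------------------------
@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                 # "active" or "terminated" (constructed values)
    end_date: Optional[date]

@dataclass(frozen=True)
class EhrAccount:
    user_id: str
    enabled: bool
    last_login: Optional[date]

def stale_accounts(hr: list[HrRecord], ehr: list[EhrAccount],
                   as_of: date) -> list[dict]:
    """Flag enabled EHR accounts whose owner HR lists as terminated, and
    enabled accounts with no HR record at all (orphaned accounts)."""
    hr_by_id = {h.user_id: h for h in hr}
    findings = []
    for acct in ehr:
        if not acct.enabled:
            continue                      # disabled accounts are fine
        h = hr_by_id.get(acct.user_id)
        if h is None:
            findings.append({"user_id": acct.user_id, "issue": "no_hr_record",
                             "days_open": None, "logged_in_after_exit": False})
        elif h.status == "terminated":
            days_open = (as_of - h.end_date).days if h.end_date else None
            after = bool(acct.last_login and h.end_date
                         and acct.last_login > h.end_date)
            findings.append({"user_id": acct.user_id,
                             "issue": "terminated_but_enabled",
                             "days_open": days_open,
                             "logged_in_after_exit": after})
    return sorted(findings, key=lambda f: f["user_id"])

# --- Constructed sample data -----------------------------------------------
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Example Patient", "dob": "1980-01-01",
    "phone": "555-0100", "next_appointment": "2026-03-02",
    "diagnoses": ["E11.9"], "medications": ["metformin"],
    "lab_results": {"A1c": "7.1"}, "procedure_code": "99213",
    "service_date": "2026-01-15", "insurer": "Example Health Plan",
}
SAMPLE_HR = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "terminated", date(2026, 1, 31)),
    HrRecord("carol", "terminated", date(2026, 2, 10)),
]
SAMPLE_EHR = [
    EhrAccount("alice", True, date(2026, 2, 19)),
    EhrAccount("bob", True, date(2026, 2, 3)),     # login after exit date
    EhrAccount("carol", False, date(2026, 2, 9)),  # correctly disabled
    EhrAccount("svc-fax", True, None),             # no matching HR record
]
AS_OF = date(2026, 2, 20)

def run_review() -> list[dict]:
    """Run the access review over the constructed sample data."""
    return stale_accounts(SAMPLE_HR, SAMPLE_EHR, AS_OF)

if __name__ == "__main__":
    print("billing view:", minimum_necessary_view(SAMPLE_RECORD, "billing"))
    for f in run_review():
        print("FINDING:", f)
```

The review deliberately treats an enabled account with no HR record as a finding rather than ignoring it, since those orphaned or service accounts are exactly the credentials an offboarding checklist tends to miss. The `logged_in_after_exit` flag separates a paperwork gap from actual post-termination use, which is the case that needs an incident review rather than just a deprovisioning ticket.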
Patient Rights Under the Privacy Rule
Another important guarantee the Privacy Rule established was the protection of patient rights and the right of individuals to have control over their PHI. HIPAA grants patients the right to access, review, and request corrections to their medical records, as well as to understand how their information is used and shared. These rights put patients in a meaningful position to stay informed and involved in decisions about their healthcare while holding organizations accountable for respecting their privacy.
A patient’s right to access includes the rights to:
- Access and obtain copies of their own PHI held by a covered entity or business associate.
- Request amendments to their health information if they believe it is incorrect or incomplete.
- Receive an accounting of disclosures of when and to whom their PHI has been shared outside of treatment, payment, and healthcare operations.
- Request restrictions on certain uses and disclosures of their PHI.
- Request confidential communications, such as asking that appointment reminders be sent to a specific phone number or address.
- Receive a Notice of Privacy Practices that clearly explains how their information is used and how to file a complaint.
- File a complaint with the covered entity or directly with the OCR without fear of retaliation.
All of these are enforceable obligations, and the OCR has demonstrated a strong commitment to upholding them. In fact, in 2022, the OCR assessed twenty-two penalties, averaging $98,643 per penalty.
Real-World Right of Access Violations
Denying or delaying patient access to medical records is the most common violation of all the patient rights established under the Privacy Rule and has generated the most OCR enforcement actions. The reason is straightforward: patients request their records, organizations fail to provide them in a timely and complete manner, complaints are filed, and OCR investigates.
The Privacy Rule is specific about what covered entities are required to do regarding medical record releases. When a patient requests access to their records, the covered entity must respond within 30 days. If the records cannot be provided within that window, a single 30-day extension is permitted, provided the patient is notified in writing before the original deadline passes. The records must be provided in the format requested by the patient, when reasonably possible. And the fee charged for producing those records must be reasonable and cost-based for the patient.
Frequent right to access issues:
- Failing to provide medical records within 30 days, or the timeframe required by state law
- Charging unreasonable fees that exceed the reasonable, cost-based limit for copies
- Refusing to provide records in the format requested by the patient, such as denying an electronic copy
- Implementing restrictive policies that block patients from accessing their own PHI (information blocking)
- Not sending records to a third party, such as another healthcare provider, when the patient requests it
The ways organizations go wrong fall into a few consistent patterns. Some simply don’t respond at all, assuming the request will go away. Others cite internal policies, system limitations, or pending legal reviews as reasons to delay, none of which OCR recognizes as valid justifications for withholding access. Some charge fees that bear no relationship to actual copying costs, effectively pricing patients out of their own information. And some provide incomplete records, omitting portions of the file without explanation or authorization.
Since launching its enforcement initiative, the OCR has shown little tolerance for violations of the right of access. The agency has levied financial penalties against covered entities of all sizes, from solo physician practices to large health systems. OCR’s message has been consistent: the size of your organization does not determine your obligation to respond.
For patients, timely access to their records is far more than a bureaucratic formality; it directly impacts care decisions, second opinions, insurance appeals, and peace of mind. For covered entities, providing prompt access is one of the most visible and measurable indicators that their compliance policies are truly being followed.
Administrative Requirements
Another important pillar of the Privacy Rule, and consequently a consistent HIPAA enforcement action, is maintaining documentation and having policies and procedures in place. This administrative requirement within the rule exists as a compliance strategy because good intentions do not hold up. The OCR does not audit intentions; it only audits documentation. In 2026, organizations with strong administrative foundations for both the Privacy and Security Rules are well-positioned for a robust compliance program.
One of the requirements within the Privacy Rule is that a covered entity designate an individual, known as the Privacy Official, to be responsible for developing and implementing policies and procedures, receiving and investigating patient complaints, and ensuring the workforce understands its obligations under HIPAA. The Privacy Official is an active role that oversees many aspects of HIPAA compliance within an organization. The Privacy Official is responsible for training programs, patient complaint records, logging policy reviews, and serving as a clear, reliable compliance point of contact for staff with questions or concerns.
Policy and procedure documentation is often where organizations feel the administrative burden the most. Because the Privacy Rule requires covered entities to maintain written policies and procedures that accurately reflect current operations, policies, and training materials, these must be updated regularly to avoid compliance gaps.
The bottom line is this: your documentation is part of your audit trail. Every policy review, training record, complaint log, access audit, and Business Associate Agreement serves as proof of your organization’s commitment to HIPAA compliance. By building and maintaining your records, you’re not just safeguarding against enforcement; you’re laying the foundation for a trustworthy and well-managed compliance program. This shows patients, partners, and regulators alike that privacy isn’t an afterthought but a core practice.
Privacy Rule Enforcement is Now Front and Center
The HIPAA Privacy Rule has been part of the healthcare compliance landscape for more than two decades and will continue to be the backbone of ensuring patients can trust the organizations responsible for safeguarding their sensitive health information.
What 2026 is making clear is that the enforcement environment has matured. The organizations that will manage this landscape successfully are not necessarily the largest or the best-resourced. They are the ones that have taken the time to understand what the Privacy Rule actually requires, built the administrative infrastructure to support it, trained their workforce to practice it, and documented everything along the way.
Building a Privacy Rule Compliance Program
If your team hasn’t had recent, impactful HIPAA Privacy Rule training, now’s the time to act. And if you don’t have a dedicated Privacy Officer or compliance lead, you don’t have to go it alone.
We help healthcare organizations of all sizes build practical, lasting privacy programs. Whether you need engaging workforce training, expert compliance leadership, or a partner to write policies and procedures, we’re ready to support you.