What is HIPAA Privacy Rule?

The HIPAA Privacy Rule (45 CFR Part 164, Subparts A and E) sets national standards for how covered entities use and disclose protected health information in any form — paper, oral, or electronic. It permits disclosures for treatment, payment, and health care operations, requires patient authorization for most other uses, and grants individuals rights to access and amend their records.

The Privacy Rule matters because it governs the everyday handling of patient information: who may see it, when you need authorization, and what rights patients have. It applies to PHI in every format, which is broader than the Security Rule's focus on electronic data, and it underpins the Notice of Privacy Practices every provider must give patients.

A concrete example: a clinic may share a patient's record with another provider for treatment without separate authorization, but using that same record for marketing generally requires the patient's signed authorization. The rule also gives patients the right to access their records, usually within 30 days of a request.

Documented privacy policies, an authorization form, and a Notice of Privacy Practices make compliance demonstrable and speed up audits and patient-rights requests. Templates accelerate this paperwork, but they do not make a practice compliant by themselves — you still have to follow the procedures and honor patient rights in practice.

Related terms: HIPAA Security Rule · Minimum Necessary Standard · Protected Health Information (PHI) · Data Subject Access Request (DSAR)

Frequently asked questions

What are treatment, payment, and health care operations (TPO)?
TPO are the core permitted purposes for which a covered entity may use and disclose PHI without separate patient authorization — providing care, getting paid, and running the business of the practice (such as quality review and training).
Do patients have a right to see their own records?
Yes. The Privacy Rule gives individuals the right to access and obtain a copy of their PHI, generally within 30 days of a written request, and to request corrections to inaccurate information.
When is patient authorization required?
Authorization is required for most uses and disclosures beyond treatment, payment, and operations — for example, most marketing, the sale of PHI, and the use of psychotherapy notes. Certain disclosures required by law are separate exceptions.

Toolkits that cover HIPAA Privacy Rule

HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Medical Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.

HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Dental Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.

HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Mental Health Practices

18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.


Learn more in our HIPAA guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.