Guidance: Privacy Rule Introduction

This page provides guidance on Privacy Rule Introduction under HIPAA.

Final

Issued by: Office for Civil Rights (OCR)

Introduction

45 CFR Parts 160 and 164

This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.

The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) provides the first comprehensive Federal protection for the privacy of health information. All segments of the health care industry have expressed support for the objective of enhanced patient privacy in the health care system. The Privacy Rule, as modified, is carefully balanced to provide strong privacy protections that do not interfere with patient access to, or the quality of, health care delivery.

The guidance that follows is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule. For a particular segment in the Privacy Rule, the guidance will provide a brief explanation of the segment and how the Rule works.

The guidance does not address all of the relevant provisions in the Rule, although we anticipate adding segments in the future as we develop guidance on more Privacy Rule standards. We will also be adding to the “Frequently Asked Questions” on an ongoing basis as new questions arise. HHS plans to work expeditiously to address these additional questions to facilitate understanding of the Rule and to encourage voluntary compliance with its requirements. However, for a full understanding of one’s rights and responsibilities under the Rule, it is important to consult the Rule itself.

The Privacy Rule Standards Addressed

General Overview
Incidental Uses and Disclosures (45 CFR 164.502(a))
Minimum Necessary (45 CFR 164.502(b), 164.514(d))
Personal Representatives (45 CFR 164.502(g))
Business Associates (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e))
Uses and Disclosures for Treatment, Payment, and Health Care Operations (45 CFR 164.506)
Marketing (45 CFR 164.501, 164.508(a))
Public Health (45 CFR 164.512(b))
Research (45 CFR 164.501, 164.508, 164.512(i), 164.514(e), 164.528, 164.532)
Workers’ Compensation Laws (45 CFR 164.512(l))
Notice (45 CFR 164.520)
Government Access (45 CFR Part 160, Subpart C, 164.512(f))

Please review our Frequently Asked Questions about the Privacy Rule.

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.