All CRS Reports
R43991

HIPAA Privacy, Security, Enforcement, and Breach Notification Standards

Federal & State Law Editorial TeamLast reviewed: July 2026
April 17, 2015

Summary

The Privacy Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, comprises a set of federal standards governing the use of personal health information. The Privacy Rule generally applies to individually identifiable health information created and maintained by payers and providers of health care, collectively referred to as covered entities. The rule establishes certain individual rights, including the right to inspect and obtain a copy of one’s health information; describes the circumstances under which covered entities are permitted to use or disclose health information; and requires covered entities to put in place administrative, physical, and technical safeguards to protect health information from unauthorized access, use, or disclosure.

Broadly speaking, the Privacy Rule prohibits a covered entity from using or disclosing “protected health information” (PHI) except as expressly permitted or, in two instances, required by the rule. The Privacy Rule describes a wide range of circumstances under which it is permissible to use or disclose PHI. In so doing, the rule seeks to preserve the discretion that health care professionals have traditionally exercised when using or disclosing patient information. For all uses or disclosures of PHI that are not otherwise permitted or required by the rule, a covered entity must obtain a patient’s written authorization.

Under the Privacy Rule, covered entities generally may use or disclose PHI for the purposes of treatment, payment, and other routine health care operations. Under certain other circumstances, the rule requires covered entities to give individuals the opportunity to object to the use or disclosure of their PHI. The rule also permits the use or disclosure of PHI for various specified activities not directly connected to treatment (e.g., research, law enforcement, public health).

The Privacy Rule does not specify the types of safeguards that need to be implemented to protect PHI from misuse. That is the purpose of the companion HIPAA Security Rule, under which each of the safeguards—administrative, physician, and technical—is composed of a number of standards. The security standards are designed to be scalable to the size and complexity of the covered entity, as well as technology-neutral. They include implementing security management policies and procedures, workforce security procedures, facility access controls, and controls on access to information technology (IT) systems. Each standard consists of one or more implementation specifications (i.e., detailed instructions for implementing the standard). Covered entities have considerable discretion and flexibility in how they implement the security standards.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 included a series of modifications to the HIPAA privacy and security standards. Many of the changes were enacted to address the concerns of privacy advocates and other stakeholders. The HITECH Act created a notification requirement for breaches of unsecured (i.e., unencrypted) PHI, increased the civil monetary penalties for violating HIPAA, and expanded and strengthened enforcement activities by the Office for Civil Rights. It also made business associates of covered entities (i.e., companies and consultants with whom covered entities share PHI to help them operate) directly liable and subject to civil and criminal penalties for HIPAA violations.

Read full report on EveryCRSReport.com

Note: CRS reports are prepared for Members of Congress and their staffs. This summary is provided for informational purposes and does not constitute legal advice.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.