The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

Click here to view the combined regulation text of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164.

Privacy Rule History

• April 26, 2024 - HIPAA Privacy Rule to Support Reproductive Health Care Privacy - Final Rule
• April 17, 2023 - HIPAA Privacy Rule to Support Reproductive Health Care Privacy - Proposed Rule
• March 10, 2021 - Extension of Comment Period for Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement – Proposed Rule
• January 21, 2021 - Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens - Proposed Rule
• December 14, 2018 - Modifying the HIPAA Rules to Improve Coordinated Care - Request for Information
• January 6, 2016 - HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS) - Final Rule
• February 6, 2014 - Patients' Access to Test Reports Under the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) Program - Final Rule
• January 7, 2014 - HIPAA Privacy Rule and NICS - Proposed Rule
• April 23, 2013 - HIPAA Privacy Rule and NICS - Advance Notice of Proposed Rulemaking
• January 25, 2013 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act, and Other Modifications - Final Rule (The "Omnibus HIPAA Final Rule")
• September 14, 2011 - Patients' Access to Test Reports Under the HIPAA Privacy Rule and CLIA Program - Proposed Rule
• May 31, 2011 - HIPAA Privacy Rule Accounting of Disclosures Under the HITECH Act - Proposed Rule
• July 14, 2010 - Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act - Proposed Rule
• May 3, 2010 - HIPAA Privacy Rule Accounting of Disclosures Under the HITECH Act - Request for Information
• October 7, 2009 - HIPAA Privacy Rule; Modifications Under the Genetic Information Nondiscrimination Act - Proposed Rule
• August 14, 2002 - Modifications to the HIPAA Privacy Rule - Final Rule (PDF)
• March 27, 2002 - Modifications to the HIPAA Privacy Rule - Proposed Rule (PDF)
• February 28, 2001 - Request for Comments on December 28, 2000, Final HIPAA Privacy Rule (PDF)
• February 26, 2001 - Correction of Effective and Compliance Dates of the Final HIPAA Privacy Rule (PDF)
• December 29, 2000 - Technical Corrections to the Final HIPAA Privacy Rule (PDF)
• December 28, 2000 - HIPAA Privacy Rule - Final Rule (PDF)
• November 3, 1999 - HIPAA Privacy Rule - Proposed Rule (PDF)

Other Privacy Rule Notices

• March 20, 2003 - Notice of Addresses for Submission of HIPAA Health Information Privacy Complaints (PDF)
• March 11, 2003 - Notice of Address for Submission of Requests for Preemption Exception Determinations (PDF)
• December 28, 2000 - Statement of Delegation of Authority to the Office for Civil Rights (PDF)

Other Administrative Simplification Rules

• Code Set Standards
• Employer Identifier Standard
• National Provider Identifier Standard
• Security Rule
• Enforcement Rule
• Breach Notification Rule
• Transactions