In 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals exposed failures across multiple HIPAA requirements — from inadequate risk analysis to insufficient access controls. The case underscored something healthcare organizations consistently underestimate: HIPAA isn't a single regulation. It's a framework built on five distinct rules, and a breakdown in any one of them can trigger enforcement action. Understanding the 5 rules of HIPAA isn't optional — it's the foundation of every defensible compliance program.

The 5 Rules of HIPAA and Why Each One Matters

When Congress passed the Health Insurance Portability and Accountability Act in 1996, the Department of Health and Human Services (HHS) was tasked with developing standards to protect health information. What emerged over the following years were five interconnected rules, each addressing a different dimension of healthcare data protection and organizational accountability.

Every covered entity and business associate operating in the U.S. healthcare system must comply with all five. Here's what each rule requires and where organizations most frequently fall short.

Rule 1: The HIPAA Privacy Rule (45 CFR Part 164, Subpart E)

The Privacy Rule establishes national standards for how protected health information (PHI) can be used and disclosed. It applies to PHI in any form — electronic, paper, or oral — and defines patient rights including the right to access their records, request amendments, and receive a Notice of Privacy Practices.

One of the most misunderstood provisions is the minimum necessary standard. Your workforce should only access, use, or disclose the minimum amount of PHI needed to accomplish the intended purpose. In my work with covered entities, I've seen organizations fail this standard simply because they never defined role-based access policies.

The Privacy Rule also governs authorizations, accounting of disclosures, and restrictions on marketing communications. If your staff can't articulate when patient authorization is required versus when a permitted use applies, that's a training gap with real enforcement consequences.

Rule 2: The HIPAA Security Rule (45 CFR Part 164, Subpart C)

While the Privacy Rule covers all PHI, the Security Rule focuses specifically on electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

The centerpiece of Security Rule compliance is the risk analysis — a thorough, documented assessment of potential threats and vulnerabilities to ePHI in your environment. OCR has cited the failure to conduct an adequate risk analysis in the majority of its enforcement actions. It is not a one-time exercise. Your organization must update it regularly as systems, vendors, and threats evolve.

Technical safeguards include access controls, audit controls, transmission security, and integrity controls. Administrative safeguards cover workforce training, security management processes, and contingency planning. Physical safeguards address facility access and workstation security. Neglecting any category leaves your organization exposed.

Rule 3: The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)

The Breach Notification Rule, finalized under the 2013 Omnibus Rule, requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. Breaches affecting 500 or more individuals must be reported to OCR within 60 days. Smaller breaches must be logged and reported annually.

A critical detail many organizations miss: under the rule, any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless your organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI was compromised. Document that assessment every time — even when you conclude notification isn't required.

Rule 4: The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C-E)

The Enforcement Rule gives OCR the authority and procedures to investigate complaints, conduct compliance reviews, and impose penalties for HIPAA violations. It establishes the tiered penalty structure that ranges from $141 to $2,134,831 per violation (adjusted annually for inflation), with calendar-year caps for each tier.

Penalties fall into four tiers based on the level of culpability:

  • Tier 1: The covered entity did not know and could not reasonably have known of the violation.
  • Tier 2: The violation was due to reasonable cause, not willful neglect.
  • Tier 3: The violation was due to willful neglect but was corrected within 30 days.
  • Tier 4: The violation was due to willful neglect and was not timely corrected.

OCR also has the authority to refer cases involving intentional misuse of PHI to the Department of Justice for criminal prosecution. The Enforcement Rule is why documentation matters — your documented compliance posture determines which tier you fall into.

Rule 5: The Omnibus Rule of 2013

The Omnibus Rule wasn't an entirely new regulation — it was a sweeping update that modified and strengthened the other four rules. It extended direct liability under the Security Rule and Breach Notification Rule to business associates and their subcontractors. Before 2013, business associates had limited direct obligations. That is no longer the case.

The Omnibus Rule also tightened restrictions on using PHI for marketing and fundraising, expanded patient rights to request electronic copies of their records, and adopted the HITECH Act's enhanced penalty structure. If your business associate agreements haven't been updated since 2013, your organization is out of compliance.

The Workforce Training Requirement Most Organizations Underestimate

Knowing the 5 rules of HIPAA at the leadership level is necessary but insufficient. The Privacy Rule at §164.530(b) and the Security Rule at §164.308(a)(5) both require workforce training. Every member of your workforce — employees, volunteers, trainees, and anyone under your organization's direct control — must receive training on HIPAA policies and procedures relevant to their role.

OCR has repeatedly flagged inadequate training as a contributing factor in enforcement actions. A signed acknowledgment form from three years ago does not constitute an active training program. Your organization needs current, role-appropriate education that covers all five HIPAA rules and is documented with completion records.

If your program needs strengthening, HIPAA training and certification courses provide a structured path to get every workforce member up to standard. For organizations building or rebuilding their compliance program from the ground up, HIPAA Certify's workforce compliance platform offers the tools to train, track, and document across your entire organization.

Building Compliance Across All Five Rules

The 5 rules of HIPAA don't operate in isolation. A breach triggers the Notification Rule, which is investigated under the Enforcement Rule, and the root cause almost always traces back to a failure under the Privacy Rule or Security Rule — often one that the Omnibus Rule made directly enforceable against a business associate.

Your compliance program must address all five rules as an integrated framework. Conduct your risk analysis annually. Update business associate agreements. Train your workforce consistently. Document everything. The organizations that face the harshest penalties from OCR are the ones that treated HIPAA as a checkbox rather than an ongoing operational commitment.