In 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals revealed failures across multiple HIPAA requirements — not just one rule, but a systemic breakdown. When healthcare organizations ask what the five main components of HIPAA are, the answer isn't academic. Each component represents a distinct regulatory obligation, and OCR expects compliance with all of them simultaneously.

Understanding these five components isn't optional. It's the foundation of every risk analysis, every workforce training program, and every business associate agreement your organization maintains.

What Are the 5 Main Components of HIPAA and Why They Matter Together

HIPAA isn't a single rule — it's a framework built from five interconnected components, each codified in federal regulation. They work together to safeguard protected health information (PHI) at every stage: creation, storage, transmission, access, and breach response. A gap in any single component can expose your entire organization to OCR enforcement.

Here are the five main components every covered entity and business associate must understand and operationalize.

1. The Privacy Rule (45 CFR Part 164, Subpart E)

The Privacy Rule establishes national standards for when and how PHI can be used and disclosed. It applies to every form of protected health information — electronic, paper, and oral. Your organization must implement policies that govern access to PHI based on the minimum necessary standard, meaning workforce members should only access the information they need to perform their job functions.

Key requirements include providing patients a Notice of Privacy Practices, honoring individual rights to access and amend their records, and documenting all PHI disclosures. OCR routinely investigates complaints related to unauthorized disclosures, and Privacy Rule violations account for a significant share of enforcement actions each year.

2. The Security Rule (45 CFR Part 164, Subpart C)

While the Privacy Rule covers all forms of PHI, the Security Rule focuses specifically on electronic protected health information (ePHI). It requires covered entities and business associates to implement three categories of safeguards: administrative, physical, and technical.

Administrative safeguards include conducting a thorough risk analysis, designating a security officer, and establishing workforce training programs. Physical safeguards address facility access and workstation security. Technical safeguards cover encryption, access controls, and audit logs.

The Security Rule is where most organizations fall short. OCR's enforcement history shows that failure to perform an adequate risk analysis is the single most cited deficiency in settlement agreements. If your organization hasn't completed a current risk analysis, that gap alone puts you at serious exposure. Comprehensive HIPAA training and certification programs can help your workforce understand these safeguard requirements in practice.

3. The Breach Notification Rule (45 CFR Part 164, Subpart D)

The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. For breaches affecting 500 or more individuals, notification to HHS must happen within 60 days, and the breach is posted publicly on OCR's breach portal — commonly called the "Wall of Shame."

For smaller breaches affecting fewer than 500 individuals, covered entities must maintain a log and report them to HHS annually. Business associates have an independent obligation to notify the covered entity of any breach they discover.

Organizations consistently struggle with determining whether an incident qualifies as a breach versus a permissible disclosure. A proper risk assessment of the incident — evaluating factors like the nature of the PHI involved, who accessed it, and whether it was actually acquired or viewed — is required before concluding that notification isn't necessary.

4. The Enforcement Rule (45 CFR Part 160, Subparts C–E)

The Enforcement Rule gives OCR the authority and procedures to investigate complaints, conduct compliance reviews, and impose penalties for HIPAA violations. Penalty tiers range from $137 to $68,928 per violation, with annual maximums reaching $2,067,813 per violation category. These amounts are adjusted annually for inflation.

OCR considers several factors when determining penalties: the nature and extent of the violation, the organization's compliance history, its financial condition, and whether the violation was due to willful neglect. Criminal violations are referred to the Department of Justice and can result in fines up to $250,000 and imprisonment.

The Enforcement Rule is the reason your compliance program needs documentation. In my work with covered entities, the organizations that fare best during OCR investigations are those that can demonstrate a good-faith, documented compliance effort — even when something goes wrong.

5. The Omnibus Rule (2013 Final Rule)

The Omnibus Rule, finalized in January 2013, was the most significant update to HIPAA since its original passage. It formally extended HIPAA's Security Rule and Breach Notification Rule requirements to business associates and their subcontractors — not just covered entities.

It also strengthened patient rights regarding electronic health records, tightened restrictions on using PHI for marketing and fundraising, and increased penalty amounts. The Omnibus Rule eliminated the previous "harm standard" for breach notification, replacing it with a more objective risk assessment approach.

For your organization, the Omnibus Rule means that every vendor, contractor, or service provider that handles PHI on your behalf must sign a business associate agreement and independently comply with applicable HIPAA requirements. Managing these relationships is a compliance function that demands ongoing attention.

Building Compliance Across All Five Components

Understanding the five main components of HIPAA is the starting point. Operationalizing them requires documented policies, regular risk analysis, incident response procedures, and continuous workforce education. OCR has made clear — through years of enforcement actions and resolution agreements — that compliance is not a one-time event.

Every member of your workforce who touches PHI needs to understand these five components and how they apply to daily operations. A structured workforce HIPAA compliance program ensures that your covered entity or business associate isn't just aware of the rules but actively following them.

Where Organizations Get It Wrong

The most common mistake is treating HIPAA as a single checklist. In reality, a Privacy Rule violation can trigger a Breach Notification obligation, which can lead to an Enforcement Rule investigation — all stemming from a Security Rule gap that an Omnibus-era business associate agreement should have addressed. These components are deeply interdependent.

Start with a current risk analysis. Update your business associate agreements. Ensure your Notice of Privacy Practices reflects current requirements. Train every workforce member — not just clinicians. And document everything.

That's how you move from knowing the five components to actually achieving compliance with them.