In February 2024, OCR settled with a Louisiana medical group for $480,000 after investigators found the organization had failed to implement even the most fundamental safeguards required under HIPAA. The practice lacked a current risk analysis, had no written policies, and had never trained its workforce. These weren't obscure technicalities — they were violations of the HIPAA basic rules that every covered entity and business associate is expected to follow from day one.

If your organization handles protected health information (PHI), you cannot afford to treat compliance as optional. OCR has repeatedly demonstrated that ignorance of foundational requirements is not a defense.

Understanding the HIPAA Basic Rules: Three Pillars of Compliance

HIPAA is not a single regulation. It's a framework built on three core rules codified in 45 CFR Parts 160 and 164. Every healthcare organization — whether a solo practitioner or a multi-state health system — must comply with all three.

These three pillars are the Privacy Rule, the Security Rule, and the Breach Notification Rule. Together, they define how PHI must be used, protected, and reported when compromised. The Omnibus Rule of 2013 extended many of these obligations directly to business associates.

Let's break down what each rule actually requires of your organization.

The Privacy Rule: Controlling How PHI Is Used and Disclosed

The HIPAA Privacy Rule (45 CFR §§164.500–534) governs who can access protected health information and under what circumstances it may be shared. It applies to all forms of PHI — paper, electronic, and verbal.

Your covered entity must designate a Privacy Officer, develop and distribute a Notice of Privacy Practices to patients, and establish written policies that govern every use and disclosure of PHI. The rule also requires you to apply the minimum necessary standard: only the minimum amount of PHI needed to accomplish a task should be used or disclosed.

In my work with covered entities, the Privacy Rule is where I see the most day-to-day violations. Staff members access records they don't need. Front-desk conversations expose patient details. Authorization forms are outdated or missing entirely. These are the gaps OCR investigators look for during complaint-driven audits.

Patient Rights You Must Honor

  • The right to access and obtain a copy of their PHI within 30 days of a request
  • The right to request amendments to their health records
  • The right to an accounting of disclosures made outside treatment, payment, and healthcare operations
  • The right to request restrictions on certain uses and disclosures
  • The right to request confidential communications through alternative means

Failing to provide patient access to records has been one of OCR's top enforcement priorities since 2019 under its Right of Access Initiative, resulting in over 45 enforcement actions and settlements ranging from $3,500 to $240,000.

The Security Rule: Safeguarding Electronic PHI

While the Privacy Rule covers all PHI, the Security Rule (45 CFR §§164.302–318) focuses specifically on electronic protected health information (ePHI). It requires your organization to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

The Security Rule is built around one non-negotiable requirement: the risk analysis. Under §164.308(a)(1), every covered entity and business associate must conduct an accurate and thorough assessment of risks to ePHI. OCR has cited the absence of a risk analysis in the majority of its enforcement settlements — it is the single most common finding in HIPAA violation investigations.

Key Safeguard Categories

  • Administrative safeguards: Risk analysis, workforce training, access management policies, contingency planning, and security incident procedures
  • Physical safeguards: Facility access controls, workstation security, and device and media disposal protocols
  • Technical safeguards: Access controls, audit logs, integrity mechanisms, and transmission security including encryption

Healthcare organizations consistently struggle with documentation. The Security Rule doesn't just require you to implement safeguards — it requires you to document your decisions, policies, and procedures and retain that documentation for six years.

The Breach Notification Rule: Reporting Compromised PHI

The Breach Notification Rule (45 CFR §§164.400–414) establishes what your organization must do when an impermissible use or disclosure of PHI compromises its security or privacy. Not every incident qualifies as a breach, but you must be prepared to evaluate and respond to every one.

If a breach affects 500 or more individuals, your covered entity must notify affected individuals, OCR, and prominent media outlets within 60 days of discovery. Breaches affecting fewer than 500 individuals must still be reported to OCR, but may be submitted in an annual log no later than 60 days after the end of the calendar year.

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. Your business associate agreements must spell out these obligations clearly.

The Workforce Training Requirement Most Organizations Underestimate

Among the HIPAA basic rules, workforce training is one of the most frequently neglected — and most heavily scrutinized during OCR investigations. Under 45 CFR §164.530(b), every member of your workforce must receive training on your organization's HIPAA policies and procedures. Under the Security Rule at §164.308(a)(5), security awareness training is a required administrative safeguard.

Training isn't a one-time event. New hires must be trained before accessing PHI, and ongoing training is required whenever material changes occur in your policies. OCR expects documentation: who was trained, when, and on what topics.

If your organization needs a structured, up-to-date training program, our HIPAA Training & Certification course covers all three rules and delivers the documentation you need for compliance.

Business Associate Obligations Under the Omnibus Rule

Since the 2013 Omnibus Rule, business associates are directly liable for HIPAA violations. If a vendor, IT provider, billing company, or cloud service handles PHI on your behalf, they must comply with the Security Rule and relevant provisions of the Privacy Rule independently.

Your organization must have a written business associate agreement (BAA) in place before any business associate creates, receives, maintains, or transmits PHI. OCR has imposed penalties specifically for the absence of BAAs, and a missing agreement can turn a vendor's breach into your compliance failure.

Build Compliance Into Your Organization's Daily Operations

Understanding the HIPAA basic rules is the starting point — but compliance lives in execution. Risk analyses must be updated regularly. Policies must reflect current operations. Workforce members must understand their responsibilities every time they interact with PHI.

OCR's enforcement data tells a consistent story: organizations that lack foundational safeguards face the steepest penalties. Between 2003 and 2024, OCR has collected over $142 million in HIPAA enforcement settlements and civil monetary penalties. The overwhelming majority involved failures in basic requirements — not sophisticated cyberattacks.

Start with a current risk analysis. Train every workforce member. Document everything. If you're looking for a comprehensive compliance foundation, HIPAA Certify's workforce compliance platform can help your organization meet these obligations systematically and demonstrate compliance when it matters most.