In February 2024, OCR settled with a healthcare system for $4.75 million after investigators found that the organization had never conducted an enterprise-wide risk analysis and had no controls in place to record and review activity in the systems holding its ePHI. Both are Security Rule obligations, but the case also turned on a Privacy Rule failure: a workforce member had accessed and disclosed patient records with no legitimate purpose. The settlement reinforced what compliance professionals already know: understanding how the two rules work together is not optional. It is the foundation of every viable compliance program your organization builds.
How the HIPAA Privacy and Security Rule Framework Protects PHI
Healthcare organizations consistently confuse these two rules or treat them as a single regulation. They are distinct but deeply interconnected. The Privacy Rule (45 CFR Part 164, Subpart E) governs who can access protected health information, when PHI can be used or disclosed, and what rights patients have over their data. The Security Rule (45 CFR Part 164, Subpart C) governs how electronic PHI must be protected through administrative, physical, and technical safeguards.
Think of it this way: the Privacy Rule sets the policies, and the Security Rule enforces the technical and operational controls that make those policies real. A covered entity that writes strong privacy policies but fails to encrypt ePHI or implement audit controls has satisfied neither rule.
The Privacy Rule Requirements That Trigger the Most Violations
OCR enforcement actions consistently cluster around a handful of Privacy Rule failures. The minimum necessary standard requires your workforce to limit PHI access and disclosure to only the information needed for a specific purpose. Yet in my work with covered entities, I find this standard is routinely ignored in day-to-day operations — staff pulling full patient records when they need a single data point.
Your organization must also maintain and distribute a Notice of Privacy Practices that accurately describes how you use and disclose PHI. This document is not a formality. OCR has cited organizations for outdated notices that fail to reflect current data practices, particularly around health information exchanges and telehealth.
Other high-risk areas include:
- Failure to honor patient access requests within the 30-day window (a single 30-day extension is allowed only if the patient is told in writing why, and when to expect the records)
- Impermissible disclosures to business associates without a compliant BAA
- Using or disclosing PHI for marketing without valid authorization
- Not applying reasonable safeguards when discussing PHI verbally or in shared spaces
Security Rule Safeguards Your Risk Analysis Must Address
The Security Rule organizes its requirements into three safeguard categories, and your risk analysis must evaluate every one of them. This is not a suggestion — 45 CFR § 164.308(a)(1)(ii)(A) mandates it. Yet risk analysis failures remain the single most cited deficiency in OCR investigations, appearing in the majority of settlements since 2016.
Administrative Safeguards
These include your risk analysis itself, workforce training, access management policies, and incident response procedures. Your organization needs a designated security official and documented policies that are reviewed and updated regularly — not filed away after initial creation.
Physical Safeguards
Workstation security, facility access controls, and device and media disposal fall here. If your workforce uses laptops or mobile devices that contain ePHI, you need policies governing their physical protection — including what happens when a device is lost or stolen.
Technical Safeguards
Access controls, audit logs, integrity controls, and transmission security are the core technical requirements. Encryption of ePHI at rest and in transit is an addressable specification rather than a required one, but addressable does not mean optional: you must either implement it or document why it is not reasonable and appropriate in your environment and implement an equivalent alternative measure. OCR has made clear that it expects to see that documentation, and in practice there is rarely a defensible alternative. Encrypt your data.
The Workforce Training Requirement Most Organizations Underestimate
Both the HIPAA privacy and security rule frameworks require workforce training — 45 CFR § 164.530(b) for the Privacy Rule and 45 CFR § 164.308(a)(5) for the Security Rule. Training must be provided to every member of your workforce, including volunteers, trainees, and contractors who access PHI.
Annual training is the widely accepted standard, but the rules also require training when job functions change or new policies are implemented. Generic, once-a-year slide decks do not satisfy this requirement. Your training program must be role-specific and documented, with records showing who completed it and when.
If your organization needs a structured, regulation-aligned program, HIPAA training and certification through HIPAACertify provides the documentation and role-based content that OCR expects to see during an investigation.
Business Associate Obligations Under Both Rules
A business associate that creates, receives, maintains, or transmits PHI on behalf of a covered entity is directly liable under both rules since the Omnibus Rule took effect in 2013. This means your cloud storage vendor, billing company, IT managed service provider, and shredding service all must comply with the Security Rule's safeguard requirements and the applicable provisions of the Privacy Rule.
Your business associate agreements must clearly define permitted uses and disclosures, require breach notification, and mandate compliance with the Security Rule. OCR has repeatedly penalized covered entities for failing to execute BAAs before sharing PHI — not just for having weak agreement language.
Breach Notification: Where Both Rules Converge
The Breach Notification Rule (45 CFR §§ 164.400–414) activates when either a privacy or security failure leads to an impermissible acquisition, access, use, or disclosure of unsecured PHI. For a breach affecting 500 or more individuals, your covered entity must notify the affected individuals without unreasonable delay and no later than 60 days after discovering the breach, report it to HHS at the same time, and, where more than 500 residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area.
Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. In 2023, OCR received over 700 reports of breaches affecting 500 or more individuals, a record number that underscores the escalating threat landscape healthcare organizations face.
Building a Compliance Program That Satisfies Both Rules
Compliance with the HIPAA privacy and security rule requirements is not a one-time project. It demands ongoing risk analysis, policy updates, workforce training, vendor management, and incident response testing. Organizations that treat compliance as an annual checkbox are the ones that end up in OCR's enforcement spotlight.
Start with these concrete steps:
- Conduct or update your enterprise-wide risk analysis now — not when an incident forces your hand
- Review every business associate agreement for Omnibus Rule compliance
- Audit your Notice of Privacy Practices against your current data handling workflows
- Implement role-based access controls and review audit logs quarterly
- Document every workforce training session with attendance records and content summaries
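The quarterly audit-log review above is only useful if someone actually asks the log a question that the minimum necessary standard cares about: which workforce members opened far more patient records than their role needs, and when. The script below is an added illustration of that review, not code from the original article or from HIPAACertify. It assumes a constructed log format (one access per line: timestamp, user, role, patient id, action) and constructed per-role daily baselines; real baselines belong in your own risk analysis.

```python
"""
Audit-log review for the minimum necessary standard.

Added illustration, not code from the original page or from HIPAACertify.
Assumptions (constructed for the example): a space-separated EHR access log
with the fields  timestamp user role patient_id action, and per-role
baselines for how many distinct patient records a role normally touches
in a day. Real baselines should come from your own risk analysis.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three ordinary users on one day, then one nurse
# who opened 30 different charts late at night on the next day.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-04T08:02:11 jdoe nurse P1001 view_chart",
        "2024-03-04T08:15:40 jdoe nurse P1002 view_chart",
        "2024-03-04T09:01:05 jdoe nurse P1001 update_vitals",
        "2024-03-04T10:22:13 mlee billing P1001 view_claim",
        "2024-03-04T10:25:51 mlee billing P1003 view_claim",
        "2024-03-04T10:31:07 mlee billing P1004 view_claim",
        "2024-03-04T11:00:00 garbled line that should be skipped",
        "2024-03-04T14:45:19 rkim registration P1005 view_demographics",
    ]
    + [f"2024-03-05T22:{i:02d}:00 tsmith nurse P{2000 + i} view_chart" for i in range(30)]
)

# Assumed per-role daily baseline of distinct patient records (constructed).
ROLE_DAILY_BASELINE = {"nurse": 20, "physician": 40, "billing": 60, "registration": 80}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "role": role,
                        "patient": patient, "action": action})
    return records


def distinct_patients_per_user_day(records):
    """Map (user, role, date) -> set of distinct patient ids touched that day."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["role"], r["when"].date())].add(r["patient"])
    return seen


def find_bulk_access(records, baselines=ROLE_DAILY_BASELINE):
    """Flag user-days whose distinct-record count exceeds the role baseline."""
    findings = []
    for (user, role, day), patients in distinct_patients_per_user_day(records).items():
        limit = baselines.get(role, 0)  # unknown role: any access is worth a look
        if len(patients) > limit:
            findings.append({"user": user, "role": role, "date": day.isoformat(),
                             "distinct_patients": len(patients), "baseline": limit})
    return sorted(findings, key=lambda f: -f["distinct_patients"])


def find_after_hours_access(records, start_hour=7, end_hour=19):
    """Count accesses per user outside an assumed business-hours window."""
    counts = defaultdict(int)
    for r in records:
        if not start_hour <= r["when"].hour < end_hour:
            counts[r["user"]] += 1
    return dict(counts)


def review(text):
    """Run both checks over a log and return a report dict."""
    records = parse_log(text)
    return {"records": len(records),
            "bulk_access": find_bulk_access(records),
            "after_hours": find_after_hours_access(records)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"{report['records']} records reviewed")
    for f in report["bulk_access"]:
        print(f"BULK        {f['user']} ({f['role']}) on {f['date']}: "
              f"{f['distinct_patients']} distinct records, baseline {f['baseline']}")
    for user, n in report["after_hours"].items():
        print(f"AFTER-HOURS {user}: {n} accesses outside 07:00-19:00")
```

Two design points carry over to a real review. First, the parser skips malformed lines instead of aborting, because a single bad line from an upstream system should not leave a quarter unreviewed. Second, the finding records the baseline alongside the count, so the reviewer's decision and its justification can be filed as the documentation OCR asks for during an investigation.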
If your organization is building or strengthening its compliance infrastructure, HIPAACertify's workforce HIPAA compliance platform provides the tools, training, and documentation framework that covered entities and business associates need to meet both Privacy Rule and Security Rule obligations — before OCR comes knocking.