In February 2024, OCR announced a $4.75 million settlement with a healthcare system that failed to implement even basic safeguards for protected health information. The investigation revealed no enterprise-wide risk analysis, no encryption on portable devices, and workforce members accessing records without authorization. Every one of those failures traces back to a single compliance obligation: the HIPAA protection rule framework that governs how covered entities and business associates handle PHI.
When healthcare professionals reference the "HIPAA protection rule," they're typically referring to the interconnected regulatory requirements under the Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and the Security Rule (45 CFR Part 164, Subparts A and C). Together, these rules form the backbone of PHI protection. Understanding how they work — and where your organization is most exposed — is the difference between compliance and an OCR enforcement action.
What the HIPAA Protection Rule Actually Requires
There is no single regulation titled the "HIPAA protection rule." Instead, this term describes the combined obligations of the Privacy Rule and the Security Rule, both of which were strengthened significantly by the Omnibus Rule of 2013. The Privacy Rule sets the standards for who can access protected health information and under what circumstances. The Security Rule dictates the administrative, physical, and technical safeguards required to protect electronic PHI (ePHI).
Your organization must comply with both. A hospital that has perfect access controls on its EHR system but hands paper records to an unauthorized vendor has violated the Privacy Rule. A clinic that has airtight privacy policies but stores ePHI on an unencrypted laptop has violated the Security Rule. OCR investigates both with equal seriousness.
The Minimum Necessary Standard: Where Most Violations Start
Healthcare organizations consistently struggle with the minimum necessary standard — a core Privacy Rule requirement that limits PHI access and disclosure to only the information needed for a specific purpose. This isn't a suggestion. Under 45 CFR § 164.502(b), your covered entity must implement policies that restrict workforce access based on job role and function.
In practice, this means your front-desk staff should not have the same EHR access as your treating physicians. Your billing department should see only the data elements needed for claims processing. Every access level should be justified, documented, and periodically reviewed.
OCR has repeatedly cited minimum necessary violations in enforcement actions. If your organization hasn't audited role-based access in the last 12 months, you're overdue.
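The role-based restriction described above is easiest to reason about when access is enforced per data element rather than per screen. The following Go program is an added example (it is not code from the article or from any product the article names) that models a minimum-necessary filter: each job role is mapped to the PHI fields its function needs, a record is trimmed to those fields before it is returned, unknown roles are denied by default, and every decision is recorded so the "documented and periodically reviewed" part of the standard has something to review. The roles, field names, and the sample record are constructed for illustration and are not a prescribed policy.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is a workforce job function. Access is granted to the function, never to a person.
type Role string

const (
	FrontDesk Role = "front_desk"
	Billing   Role = "billing"
	Physician Role = "physician"
)

// Record is a flat patient record; the field names below are assumptions for the example.
type Record map[string]string

// policy lists, per role, the PHI elements that role's job function requires.
// A field absent from a role's set is withheld. This is a constructed example policy.
var policy = map[Role]map[string]bool{
	FrontDesk: {"name": true, "dob": true, "appointment": true},
	Billing:   {"name": true, "dob": true, "insurance_id": true, "procedure_code": true},
	Physician: {"name": true, "dob": true, "diagnosis": true, "medications": true, "procedure_code": true},
}

// AccessEntry is the audit record produced for every access decision.
type AccessEntry struct {
	Actor   string
	Role    Role
	Purpose string
	Granted []string
	Denied  []string
}

// MinimumNecessary returns the subset of rec that role may see and an audit entry
// listing what was granted and what was withheld. Roles with no policy are refused.
func MinimumNecessary(actor string, role Role, purpose string, rec Record) (Record, AccessEntry, error) {
	allowed, ok := policy[role]
	if !ok {
		return nil, AccessEntry{}, fmt.Errorf("no access policy for role %q: denied by default", role)
	}
	view := Record{}
	entry := AccessEntry{Actor: actor, Role: role, Purpose: purpose}
	for field, value := range rec {
		if allowed[field] { // missing key reads as false, so unlisted fields are withheld
			view[field] = value
			entry.Granted = append(entry.Granted, field)
		} else {
			entry.Denied = append(entry.Denied, field)
		}
	}
	sort.Strings(entry.Granted) // deterministic order for log review
	sort.Strings(entry.Denied)
	return view, entry, nil
}

// samplePatient is a constructed record containing no real PHI.
func samplePatient() Record {
	return Record{
		"name":           "Sample Patient",
		"dob":            "1970-01-01",
		"appointment":    "2024-03-01 09:00",
		"insurance_id":   "INS-0000",
		"procedure_code": "99213",
		"diagnosis":      "example diagnosis",
		"medications":    "example medication",
	}
}

func main() {
	for _, r := range []Role{FrontDesk, Billing, Physician, Role("intern")} {
		view, entry, err := MinimumNecessary("user-1", r, "routine", samplePatient())
		if err != nil {
			fmt.Println("DENIED:", err)
			continue
		}
		fmt.Printf("%-10s granted=%v withheld=%v\n", r, entry.Granted, entry.Denied)
		_ = view
	}
}
```

The audit entries are what an annual access review consumes: a role that is routinely denied a field it needs, or granted one it never uses, is a signal that the policy map, not the individual request, should change.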
Risk Analysis: The Non-Negotiable Foundation of the HIPAA Protection Rule
If there is one requirement that OCR flags more than any other, it is the risk analysis mandate under 45 CFR § 164.308(a)(1)(ii)(A). A thorough, documented risk analysis is the foundation of every Security Rule safeguard your organization implements. It identifies where ePHI lives, how it moves, and what threats exist.
Yet in my work with covered entities, I've seen organizations treat risk analysis as a one-time checkbox exercise — completed during an EHR implementation and never revisited. That approach will not survive an OCR audit. Risk analysis must be ongoing, updated whenever you adopt new technology, change vendors, or experience a security incident.
Your risk analysis should cover every system that creates, receives, maintains, or transmits ePHI. That includes cloud platforms, mobile devices, email systems, medical devices with network connectivity, and any system used by a business associate on your behalf.
Business Associate Agreements and Downstream PHI Protection
The Omnibus Rule extended HIPAA protection rule requirements directly to business associates and their subcontractors. Your organization is responsible for executing compliant Business Associate Agreements (BAAs) under 45 CFR § 164.502(e) with every entity that handles PHI on your behalf — from cloud hosting providers to shredding companies.
A BAA is not just a legal formality. It must specify the permitted uses and disclosures of PHI, require the business associate to implement appropriate safeguards, and mandate breach reporting. If a business associate suffers a breach and you don't have a compliant BAA in place, your covered entity shares the liability.
Review your BAA inventory annually. Terminated vendors who still have access to PHI represent one of the most common — and most preventable — compliance gaps.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR § 164.530(b), every member of your workforce must receive training on your HIPAA policies and procedures. This includes employees, volunteers, trainees, and any person whose conduct is under your direct control — whether or not they are paid. Training must occur within a reasonable period after hiring and whenever material changes affect PHI handling.
Generic, once-a-year slide decks do not meet this standard. Your training program must address your organization's specific policies, the types of PHI your workforce handles, and the real scenarios they encounter. OCR has specifically noted inadequate workforce training as a contributing factor in multiple enforcement settlements.
Investing in structured HIPAA training and certification ensures your team receives current, regulation-specific education rather than outdated boilerplate content. Documented completion records also give you critical evidence during an OCR investigation.
Breach Notification: What Happens When Protection Fails
Even with robust safeguards, breaches occur. The Breach Notification Rule (45 CFR §§ 164.400-414) requires your covered entity to notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to OCR and prominent media outlets in the affected jurisdiction.
The key term is "unsecured PHI" — information that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction as specified in HHS guidance. If you encrypt ePHI at rest and in transit using NIST-recommended standards, a lost device may not trigger notification requirements. This is precisely why the Security Rule's addressable encryption specification deserves serious attention in your risk analysis.
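What "unusable, unreadable, or indecipherable" means in practice is that the bytes on a lost device reveal nothing without a key held elsewhere, and that any tampering with them is detected. The Go program below is an added example, not code from the article or from any product it names; it protects a record at rest with AES-256-GCM (an authenticated-encryption mode specified by NIST in SP 800-38D), binds the ciphertext to a record identifier as associated data, and shows that the stored blob neither contains the plaintext nor decrypts under a wrong key, a wrong identifier, or after modification. The key is generated in memory purely for demonstration; in a deployment it belongs in a key-management service or HSM, separate from the data, and the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize of 32 bytes selects AES-256.
const keySize = 32

// NewKey returns a fresh random AES-256 key. Example only: real keys are issued and
// stored by a KMS/HSM, never written next to the data they protect.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A random nonce is prepended to the output,
// and the GCM tag covers both the ciphertext and the associated data (here a record
// identifier), so a blob copied onto another record or altered on disk will not open.
func Seal(key, plaintext, associated []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// Open reverses Seal. Any error means the data must be treated as unreadable, which is
// exactly the property that keeps a lost encrypted device out of "unsecured PHI".
func Open(key, blob, associated []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, associated)
}

// LeaksPlaintext reports whether the stored blob still contains the record verbatim,
// which is what an unencrypted laptop or USB drive would expose.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	record := []byte("constructed sample: patient 0000, diagnosis example") // no real PHI
	recordID := []byte("record-0000")
	blob, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on disk:", LeaksPlaintext(blob, record))
	_, err = Open(key, blob, []byte("record-0001"))
	fmt.Println("opens under another record id:", err == nil)
	got, _ := Open(key, blob, recordID)
	fmt.Println("opens with key and matching id:", string(got) == string(record))
}
```

Note that encryption alone does not satisfy the safe-harbor guidance if the key travels with the device (a key cached on the same laptop, or a passphrase taped to it); the risk analysis has to account for where the key lives as carefully as for where the ciphertext does.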
Your Notice of Privacy Practices Must Be More Than a Formality
Your Notice of Privacy Practices (NPP) is a legal document that communicates patients' rights and your organization's PHI handling practices. Under 45 CFR § 164.520, it must describe how you use and disclose PHI, the individual's rights regarding their information, and your legal duties. It must be provided at the first point of service and posted prominently in your facility and on your website.
OCR expects the NPP to reflect your actual practices — not template language copied from another organization. If your NPP says you don't share PHI with marketing partners but your analytics vendor receives patient data, you have a compliance problem.
Building a Sustainable HIPAA Protection Rule Compliance Program
Compliance is not a project with a finish line. The HIPAA protection rule framework demands continuous effort: regular risk analyses, updated policies, active BAA management, documented workforce training, and real-time breach response capabilities. Organizations that treat HIPAA as an annual task inevitably appear in OCR's enforcement database.
Start by assessing where your organization stands today. Identify gaps in your risk analysis, audit your access controls against the minimum necessary standard, verify your BAA inventory, and ensure every workforce member has completed compliant training. Platforms like HIPAA Certify provide the structured tools and workforce compliance tracking your organization needs to maintain ongoing adherence to every HIPAA protection rule requirement.
OCR's enforcement budget and audit activity continue to grow. The organizations that fare best are those that built compliance into daily operations — not those scrambling to respond after a complaint lands on an investigator's desk.