When OCR settled with Premera Blue Cross for $6.85 million in 2020, the enforcement action didn't hinge on a single failure. Investigators found breakdowns on two distinct fronts: the organization failed to adequately protect electronic protected health information and failed to maintain proper safeguards around how PHI was used and disclosed. It was a textbook illustration of why HIPAA rules are divided into 2 sections — privacy and security — and why your organization must treat each with equal seriousness.
Many healthcare organizations I work with initially treat HIPAA as a single monolithic regulation. That misunderstanding leads to blind spots. You may have strong access controls on your EHR but no policies governing verbal disclosures at the front desk. Or you may have a thorough Notice of Privacy Practices but no encryption on workforce laptops. Both sides matter, and OCR evaluates them independently.
Why HIPAA Rules Are Divided Into 2 Sections: Privacy and Security
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C) address fundamentally different risks. The Privacy Rule governs who can access protected health information, when it can be used or disclosed, and what rights patients have over their data. The Security Rule governs how electronic PHI (ePHI) is technically and physically protected from unauthorized access, alteration, or destruction.
Congress designed this two-part structure intentionally. The Privacy Rule came first, finalized in 2000, establishing the foundational rights and obligations around PHI in any form — paper, oral, or electronic. The Security Rule followed in 2003, adding specific technical, physical, and administrative safeguard requirements targeted exclusively at ePHI. Together, they create a comprehensive framework. Separately, they address distinct categories of risk that require different expertise and different organizational responses.
What the Privacy Rule Requires of Your Covered Entity
The Privacy Rule establishes the baseline permissions and restrictions for using and disclosing PHI. Every covered entity and business associate must comply. Here's what that means operationally:
- Minimum necessary standard: Your workforce may only access, use, or disclose the minimum amount of PHI needed for a given purpose. This applies to internal operations, not just external disclosures.
- Notice of Privacy Practices: You must provide patients with a clear written notice explaining how their PHI may be used, their rights regarding that information, and how to file complaints.
- Patient rights: Individuals have the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on certain uses of their PHI.
- Authorization requirements: Uses and disclosures not related to treatment, payment, or healthcare operations generally require written patient authorization.
- Business associate agreements: Any third party handling PHI on your behalf must be bound by a written agreement that imposes Privacy Rule obligations.
Privacy Rule violations are among the most common HIPAA violations OCR investigates. Impermissible disclosures — whether through careless conversations, improper record access, or missing business associate agreements — account for a significant portion of enforcement actions and breach reports every year.
What the Security Rule Demands for ePHI Protection
The Security Rule narrows its focus to electronic protected health information and mandates three categories of safeguards:
- Administrative safeguards: Risk analysis, workforce training, security management processes, contingency planning, and assigning a security official. The risk analysis requirement under 45 CFR §164.308(a)(1) is the single most-cited deficiency in OCR enforcement actions.
- Physical safeguards: Facility access controls, workstation security, and device and media controls governing how hardware and electronic media containing ePHI are handled and disposed of.
- Technical safeguards: Access controls, audit controls, integrity controls, and transmission security. Encryption is addressable — not optional. "Addressable" means you must assess whether encryption is reasonable and appropriate for your environment; if you choose not to encrypt, you must document why and implement an equivalent alternative measure that achieves the same protection.
OCR has made abundantly clear through its enforcement history that an incomplete or missing risk analysis is the fastest path to a HIPAA violation finding. Between 2008 and 2024, the majority of significant settlements and civil money penalties have cited risk analysis failures. Your organization cannot afford to skip this step or treat it as a one-time exercise — it must be ongoing.
Where the Two Sections Overlap — and Where They Don't
Both rules require workforce training, but the substance differs. Privacy Rule training focuses on permissible uses and disclosures, patient rights, and organizational policies. Security Rule training addresses threat recognition, password management, phishing awareness, and proper handling of ePHI. A comprehensive HIPAA training and certification program should cover both domains in a unified curriculum so your staff understands the full scope of their obligations.
Both rules also require policies and procedures, but the policies serve different functions. A Privacy Rule policy might define when your organization can disclose PHI to law enforcement without patient authorization. A Security Rule policy might define your password complexity requirements or session timeout thresholds. Conflating the two — or maintaining only one set of policies — creates compliance gaps that OCR will identify during any investigation.
Business Associates Face Both Sets of Requirements
Since the 2013 Omnibus Rule, business associates are directly liable under both the Privacy Rule and the Security Rule. If your organization shares ePHI with a cloud hosting provider, a billing company, or an IT managed services firm, those entities must independently comply with the Security Rule's safeguard requirements and the Privacy Rule's use-and-disclosure restrictions. Ensure your business associate agreements reflect both obligations explicitly.
Building a Compliance Program That Addresses Both Sections
Healthcare organizations consistently struggle with operationalizing the two-section structure. Here's a practical framework:
- Conduct a thorough risk analysis that addresses ePHI across all systems, devices, and workflows. Document it. Update it annually and after any significant change.
- Develop separate policy sets for privacy and security, even if they share a common governance structure. Assign a Privacy Officer and a Security Officer — these can be the same person in smaller organizations, but the roles must be formally designated.
- Train every workforce member on both the Privacy Rule and Security Rule within a reasonable period after hire, and provide refresher training at least annually. Invest in a structured workforce HIPAA compliance program that documents completion and comprehension.
- Audit regularly. Conduct internal audits of both privacy practices (access logs, disclosure tracking, authorization forms) and security controls (vulnerability scans, access reviews, incident response tests).
- Prepare for breach notification. The Breach Notification Rule (45 CFR Part 164, Subpart D) sits alongside both sections and requires specific actions after a breach of unsecured PHI is discovered: notification without unreasonable delay, and in no case later than 60 days from discovery.
Stop Treating HIPAA as a Single Checkbox
Understanding that HIPAA rules are divided into 2 sections — privacy and security — is not academic trivia. It's the structural foundation of every compliance program that actually works. When you treat HIPAA as one undifferentiated obligation, you inevitably overinvest in one area and underinvest in the other. OCR doesn't grade on a curve. A perfect Security Rule posture won't offset a Privacy Rule violation, and vice versa.
Map your current compliance efforts against both sections independently. Identify the gaps. Then close them — with documented policies, ongoing risk analysis, and workforce training that covers the full regulatory landscape. That's how organizations avoid becoming the next enforcement headline.