In 2023, the Office for Civil Rights (OCR) announced settlements and civil money penalties totaling more than $4 million, and a recurring theme in those cases was an organization that misjudged the scope of its obligations. Leadership tends to treat HIPAA as a data-security standard and overlooks the rest of the regulation. If you're asking what the main areas that HIPAA regulates are, the answer is broader than most covered entities realize, and the cost of a gap in understanding shows up directly in enforcement actions.
The Five Core Regulatory Areas Every Covered Entity Must Address
HIPAA is not a single rule. It's a framework of interconnected regulations codified primarily in 45 CFR Parts 160 and 164 (Part 162 covers the transaction and code-set standards). Healthcare organizations consistently struggle to see the full picture because each area has its own requirements, timelines, and enforcement mechanisms.
The main areas that HIPAA regulates fall into five distinct categories: the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the requirements established by the Omnibus Rule of 2013. Each one imposes specific obligations on your organization, your workforce, and your business associates.
The Privacy Rule: Controlling How PHI Is Used and Disclosed
The HIPAA Privacy Rule (45 CFR §§164.500–164.534) establishes national standards for when and how protected health information (PHI) may be used and disclosed, and for the rights individuals have over their own information. It applies to PHI in every form: paper, electronic, and oral. It binds covered entities directly, and business associates for the functions they perform on a covered entity's behalf.
Under the Privacy Rule, your organization must implement policies that enforce the minimum necessary standard (45 CFR §164.502(b)): only the minimum amount of PHI required for a given purpose may be used, disclosed, or requested. The standard has defined exceptions, notably disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, and disclosures required by law. Outside those exceptions it applies to routine workflows, and it trips up more organizations than almost any other provision.
You're also required to provide every patient with a Notice of Privacy Practices that clearly explains their rights and your organization's PHI handling practices. Patients have the right to access their records, request amendments, receive an accounting of disclosures, request restrictions, and request confidential communications, and your covered entity must have documented processes to honor those rights on the rule's timelines. Access requests, for example, must be acted on within 30 days of receipt, with at most one 30-day extension and written notice of the reason for the delay (45 CFR §164.524(b)(2)).
The Security Rule: Safeguarding Electronic PHI
While the Privacy Rule covers all forms of PHI, the Security Rule (45 CFR §§164.302–164.318) applies only to electronic protected health information (ePHI). It requires covered entities and business associates to implement three categories of safeguards:
- Administrative safeguards — including workforce training, security management processes, and contingency planning
- Physical safeguards — covering facility access controls, workstation security, and device disposal
- Technical safeguards — such as access controls, audit controls, integrity controls, and transmission security
At the foundation of the Security Rule sits the risk analysis requirement (45 CFR §164.308(a)(1)(ii)(A)): an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization holds. OCR has stated repeatedly, including in its public guidance and in the findings of its enforcement actions, that a missing or incomplete enterprise-wide risk analysis is the deficiency it cites most often. The $4.3 million civil money penalty imposed on the University of Texas MD Anderson Cancer Center is the case most often quoted in this context; note that it was a penalty, not a settlement, and that the Fifth Circuit vacated it in 2021, which is a reminder that the underlying obligation, not any single headline figure, is what you should plan against.
A risk analysis isn't a one-time checkbox. The rule sets no fixed interval, but it requires the analysis to be kept current as your systems, workflows, and threat environment change, and it requires a periodic evaluation of your safeguards (45 CFR §164.308(a)(8)). An analysis that hasn't been revisited in more than a year, or since a significant system change such as a new EHR module or a cloud migration, will be hard to defend as current if OCR asks for it.
The Breach Notification Rule: What Happens When PHI Is Compromised
The Breach Notification Rule (45 CFR §§164.400–164.414) dictates exactly what your organization must do when an impermissible use or disclosure of unsecured PHI occurs. Every notification must be made without unreasonable delay; the 60-day figures below are outer limits, not targets, and OCR has faulted entities for waiting out the full period. The reporting obligations to HHS and the media depend on the size of the breach:
- Breaches affecting 500 or more individuals — You must notify affected individuals and HHS no later than 60 calendar days after discovery. Where the breach involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area within the same 60-day window.
- Breaches affecting fewer than 500 individuals — Individual notification within 60 calendar days of discovery, and a report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Business associates have their own obligation to notify the covered entity without unreasonable delay, and no later than 60 calendar days after discovering a breach. Because the covered entity's own clock may start when the business associate discovers the breach, your business associate agreements should set a notification deadline considerably shorter than the regulatory maximum and spell out what information the notice must contain.
The Enforcement Rule and the Omnibus Rule: Teeth Behind the Regulations
The Enforcement Rule (45 CFR Part 160, Subparts C–E) establishes OCR's authority to investigate complaints, conduct compliance reviews, and impose civil money penalties. Penalties are tiered by culpability, from lack of knowledge up to willful neglect that is not corrected. As of the 2023 inflation adjustment the per-violation amounts range from $137 to $68,928, with an annual cap of $2,067,813 per violation category; these figures are adjusted annually. Since 2019 OCR has also exercised enforcement discretion to apply lower annual caps to the three lower tiers, so the statutory maximum is in practice reserved for uncorrected willful neglect.
The Omnibus Rule of 2013 expanded HIPAA's reach significantly. It made business associates, and their subcontractors, directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them. It also replaced the earlier "harm" standard for breaches with a presumption: an impermissible use or disclosure of PHI is a reportable breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. If your compliance program hasn't been updated since 2013, it's built on an outdated foundation.
The Workforce Training Requirement Most Organizations Underestimate
Across every main area that HIPAA regulates, one obligation appears repeatedly: workforce training. The Privacy Rule requires training on PHI policies and procedures (45 CFR §164.530(b)), and the Security Rule requires a security awareness and training program (45 CFR §164.308(a)(5)). OCR expects documented proof that every workforce member, not just clinical staff, has been trained, and that training is refreshed when regulations or internal policies change.
In my work with covered entities, I've seen organizations invest heavily in technical safeguards while neglecting the human element. Hacking and IT incidents account for most of the large breaches on OCR's public breach portal, but workforce errors such as misdirected emails, improper record access, and verbal disclosures remain a substantial share of reported incidents and of the complaints OCR investigates.
Implementing a structured HIPAA training and certification program is the most cost-effective step your organization can take to reduce risk across every regulatory area. Training must be role-specific, documented, and repeated — not a once-a-year afterthought.
How to Build Compliance Across All HIPAA Regulatory Areas
Understanding what the main areas that HIPAA regulates are is the starting point, not the finish line. Compliance requires a coordinated program that addresses each area with documented policies, assigned responsibilities, and ongoing monitoring.
Start with these priorities:
- Conduct or update your organization-wide risk analysis — and document it thoroughly.
- Review and refresh your Notice of Privacy Practices and patient rights procedures.
- Audit every business associate agreement for Omnibus Rule compliance.
- Implement breach notification procedures with clear roles and timelines.
- Deploy ongoing, documented workforce training that covers Privacy, Security, and Breach Notification requirements.
Platforms like HIPAA Certify give healthcare organizations the tools to deliver consistent, trackable workforce compliance training that meets OCR's expectations. When the next complaint or audit arrives, documented training records are among your strongest evidence of a good-faith compliance program.
HIPAA's regulatory scope is wide, but it's not unmanageable. The organizations that face enforcement actions aren't the ones with imperfect systems — they're the ones that never mapped the full landscape of their obligations in the first place.