Most People Only Know Two of the Five Parts of HIPAA
I was running a compliance workshop for a mid-size hospital system last year when I asked the room a simple question: How many titles does HIPAA have? Out of forty people — administrators, nurses, IT staff — exactly two got it right. Everyone else said two. They knew the Privacy Rule and the Security Rule, and that was it.
That's a problem. Because the parts of HIPAA extend well beyond patient privacy. The law has five distinct titles, and ignoring the ones that don't seem "relevant" to your daily work is exactly how organizations end up blindsided by enforcement actions they never saw coming.
This post breaks down every title of HIPAA, explains which sections carry the most operational weight for covered entities and business associates, and connects each part to the real-world consequences I've watched organizations face. If you handle PHI in any capacity, this is the structural knowledge you need to have.
The Five Titles — A Quick Framework
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is organized into five titles. Each addresses a different dimension of health care reform. Here's the full map before we go deeper:
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification
- Title III: Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets
Titles I and II get nearly all the attention. But each title plays a role in the broader regulatory architecture. Let's walk through them.
Title I: The Portability Promise That Started It All
Before HIPAA, losing your job often meant losing your health insurance — and potentially being denied new coverage because of a preexisting condition. Title I was designed to fix that.
This title limits how group health plans can restrict coverage for preexisting conditions. It prohibits discrimination based on health status. And it guarantees the ability to renew coverage in most circumstances.
If you work in benefits administration or HR at a covered entity, Title I isn't abstract. It dictates your enrollment policies, your portability documentation, and how you communicate coverage rights to employees. I've seen organizations get tangled up here during mergers and acquisitions, when insurance portability questions become urgent and high-stakes.
Title II: Where Compliance Lives and Dies
This is the title most people mean when they talk about the parts of HIPAA that affect day-to-day operations. Title II contains the Administrative Simplification provisions, which gave HHS the authority to create the rules that dominate your compliance program.
The Privacy Rule
The Privacy Rule establishes national standards for the protection of individually identifiable health information — what we call PHI. It defines who can access PHI, under what conditions, and what rights patients have over their own data.
This is where minimum necessary standards live. This is where Notice of Privacy Practices requirements come from. And this is where the concept of "permitted uses and disclosures" gets codified. If your workforce hasn't been trained on these distinctions, our HIPAA Introduction Training 2026 covers them thoroughly.
The Security Rule
While the Privacy Rule covers all forms of PHI, the Security Rule zeroes in on electronic protected health information — ePHI. It requires covered entities and business associates to implement administrative, physical, and technical safeguards.
Think risk assessments, access controls, audit logs, encryption standards, and contingency planning. The Security Rule is where most OCR enforcement actions land, because failures here leave a paper trail that investigators can follow.
In 2018, the University of Texas MD Anderson Cancer Center lost an appeal of a $4.3 million penalty after OCR found the organization had failed to encrypt ePHI on portable devices — a clear Security Rule violation. The case is a landmark example of what happens when technical safeguards get deprioritized. You can review OCR's enforcement outcomes on the HHS Resolution Agreements page.
The Breach Notification Rule
Added through the HITECH Act of 2009, the Breach Notification Rule requires covered entities to notify affected individuals, HHS, and sometimes the media when unsecured PHI is breached. Breaches affecting 500 or more individuals get posted on the OCR Breach Portal — the so-called "Wall of Shame."
I've worked with organizations that discovered a breach on a Friday afternoon and had no idea they were on a 60-day notification clock. Having breach notification procedures documented and rehearsed isn't optional. It's a regulatory requirement.
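As an added example that is not part of the original post, the following Python helper turns the breach notification obligations described above into a dated plan an incident response team can check against. The 500-individual threshold and the 60-day clock come from the post; the handling of under-500 breaches (logged and reported to HHS within 60 days after the end of the calendar year) and the media notice at 500 or more individuals follow the Breach Notification Rule but are simplified here (the media trigger is 500 or more residents of one state or jurisdiction, and "unsecured" turns on HHS encryption guidance, not the single flag used below). The `BreachRecord` and `notification_plan` names are mine.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # individuals; threshold stated in the post
NOTIFICATION_WINDOW_DAYS = 60  # outer limit from discovery, stated in the post


@dataclass
class BreachRecord:
    """One breach as logged by the incident response team (constructed type)."""
    discovered_on: date          # the 60-day clock runs from discovery, not from the incident
    affected_individuals: int
    phi_was_secured: bool = False  # simplification: True means encrypted per HHS guidance


def notification_plan(breach: BreachRecord) -> dict:
    """Return who must be notified and by when for this breach.

    Assumptions (not from the post): breaches under 500 individuals go on an
    annual log submitted to HHS within 60 days after the calendar year ends;
    breaches of 500 or more require HHS and media notice on the same 60-day clock.
    """
    if breach.phi_was_secured:
        # The rule covers unsecured PHI; properly encrypted data is outside it.
        return {"notification_required": False}

    window = timedelta(days=NOTIFICATION_WINDOW_DAYS)
    individual_deadline = breach.discovered_on + window
    large = breach.affected_individuals >= LARGE_BREACH_THRESHOLD

    if large:
        hhs_deadline = individual_deadline
    else:
        year_end = date(breach.discovered_on.year, 12, 31)
        hhs_deadline = year_end + window

    return {
        "notification_required": True,
        "individual_deadline": individual_deadline,
        "hhs_deadline": hhs_deadline,
        "media_notice": large,
        "posted_on_breach_portal": large,   # the "Wall of Shame" lists 500+ breaches
    }


def days_remaining(breach: BreachRecord, as_of: date) -> int:
    """Days left on the individual-notification clock; negative means overdue."""
    plan = notification_plan(breach)
    if not plan["notification_required"]:
        return 0
    return (plan["individual_deadline"] - as_of).days


if __name__ == "__main__":
    # Constructed sample: a lost laptop discovered on a Friday afternoon.
    friday_breach = BreachRecord(date(2024, 3, 1), affected_individuals=12000)
    for key, value in notification_plan(friday_breach).items():
        print(f"{key}: {value}")
    print("days remaining as of 2024-04-15:",
          days_remaining(friday_breach, date(2024, 4, 15)))
```

Running the block prints the plan for a constructed 12,000-person breach discovered on 1 March 2024: individual and HHS notice due 30 April 2024, media notice and portal posting both true. Tracking the clock from the discovery date is the point; teams that start counting from the date they finish their investigation routinely overrun it.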
The Enforcement Rule
The Enforcement Rule outlines how HHS investigates complaints, conducts compliance reviews, and imposes civil monetary penalties. Penalty tiers range from $137 to over $2 million per violation category per year, depending on the level of culpability. These numbers get adjusted annually for inflation, as outlined in the HHS enforcement overview.
The Transaction and Code Sets Rule
This one rarely makes headlines, but it standardizes the electronic data interchange (EDI) formats used for claims, eligibility inquiries, and other administrative transactions. If your billing team processes electronic claims, they're operating under these standards daily.
Title III: Tax Provisions You Won't Lose Sleep Over
Title III addresses tax-related health provisions, including medical savings accounts and deductions. For compliance officers and clinical staff, this title has minimal operational impact. It primarily concerns the IRS and tax professionals.
That said, if your organization administers health savings accounts or similar benefit structures, Title III's provisions shape the rules your finance team follows.
Title IV: Group Health Plan Requirements
Title IV builds on Title I by further defining how group health plans must treat individuals with preexisting conditions, and how COBRA continuation coverage interacts with HIPAA portability protections.
This title matters most to benefits coordinators, third-party administrators, and employer-sponsored plan managers. I've seen confusion between HIPAA and COBRA responsibilities cause real administrative chaos during employee terminations. If your HR team conflates the two, they're creating risk.
Title V: Revenue Offsets
Title V deals with company-owned life insurance, treatment of individuals who lose U.S. citizenship, and other revenue provisions. It has virtually no bearing on PHI protection or clinical compliance. I mention it only because knowing all five parts of HIPAA demonstrates a completeness that regulators respect and auditors expect.
Which Parts of HIPAA Actually Trigger Enforcement?
Let's be direct: Title II is where organizations get fined. Specifically, Privacy Rule violations, Security Rule failures, and Breach Notification Rule lapses account for the vast majority of OCR settlements and civil monetary penalties.
Premera Blue Cross paid $6.85 million in 2020 after a breach affecting over 10.4 million people exposed systemic Security Rule failures. The root cause? An inadequate risk analysis — one of the most common findings in OCR investigations.
These aren't edge cases. They're patterns. And they reinforce why workforce training on these specific titles isn't a checkbox exercise. Clinical staff, in particular, interact with PHI in ways that create unique vulnerabilities. That's why role-specific programs like our HIPAA Training for Nurses exist — to ground these regulatory concepts in the workflows where mistakes actually happen.
What Does HIPAA Stand For and What Are Its Parts?
HIPAA stands for the Health Insurance Portability and Accountability Act. It contains five titles: Title I covers insurance portability, Title II addresses administrative simplification (including the Privacy, Security, Breach Notification, and Enforcement Rules), Title III handles tax provisions, Title IV defines group health plan requirements, and Title V addresses revenue offsets. Title II is the most operationally significant for covered entities and business associates handling PHI.
Why Structural Knowledge Changes How You Comply
Understanding the parts of HIPAA isn't academic. It changes how you build your compliance program. When you know the Privacy Rule and Security Rule are both housed under Title II but serve different functions, you stop treating "HIPAA compliance" as a single initiative and start addressing each rule with its own controls, assessments, and training cadence.
When you understand that breach notification is a separate regulatory obligation with its own timelines and thresholds, you build incident response plans that actually meet the standard — instead of improvising after a laptop goes missing.
And when you can articulate all five titles to an auditor or an OCR investigator, you demonstrate the kind of organizational maturity that shifts conversations from adversarial to collaborative.
Build Compliance Around the Whole Law
Most organizations build their HIPAA programs around fragments — a privacy notice here, an encryption policy there. That approach leaves gaps. The law is structured for a reason, and your compliance program should mirror that structure.
Start with a comprehensive risk analysis under the Security Rule. Layer in Privacy Rule policies that address every permitted use and disclosure. Document your breach notification procedures with specific timelines. Train every member of your workforce — not just clinicians — on the parts that affect their role.
If you're looking for a structured starting point, our full training catalog maps directly to these regulatory requirements. Because knowing the law's architecture isn't just smart — it's the foundation everything else gets built on.