In 2023, OCR settled with a dental practice for $350,000 after investigators found the organization had addressed its Privacy Rule obligations but had done virtually nothing to comply with the Security Rule. The practice had a Notice of Privacy Practices posted in the lobby, patient authorization forms on file, and a designated privacy officer — yet it lacked encryption, had never performed a risk analysis, and stored electronic PHI on an unprotected desktop visible from the reception area. This case illustrates exactly why understanding the difference between the HIPAA Privacy Rule and the HIPAA Security Rule is not academic — it is operationally critical.

Healthcare organizations consistently treat these two rules as interchangeable. They are not. Each rule has a distinct scope, different standards, and separate enforcement triggers. Confusing them — or addressing one while neglecting the other — is one of the fastest paths to an OCR corrective action plan.

Privacy vs Security Rule HIPAA: What Each Rule Actually Governs

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes national standards for how covered entities and business associates use and disclose protected health information in any form — paper, oral, or electronic. It gives patients rights over their health information, including the right to access, amend, and receive an accounting of disclosures.

The HIPAA Security Rule, found at 45 CFR Part 164 Subpart C, is narrower in one critical way: it applies only to electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Think of it this way: the Privacy Rule dictates when and how PHI can be shared. The Security Rule dictates how ePHI must be protected from unauthorized access, alteration, or destruction.

The Scope Difference That Trips Up Most Organizations

The Privacy Rule covers all forms of protected health information — the paper chart in your filing cabinet, a verbal conversation between a nurse and a physician in a hallway, and digital records in your EHR system. Its requirements include maintaining a Notice of Privacy Practices, applying the minimum necessary standard when using or disclosing PHI, and training your workforce on permissible uses and disclosures.

The Security Rule, by contrast, is exclusively concerned with ePHI. But do not mistake that narrower scope for simplicity. The Security Rule demands that your organization conduct a thorough risk analysis to identify vulnerabilities to ePHI, implement access controls, maintain audit logs, establish contingency plans, and ensure that any business associate with access to ePHI has appropriate safeguards in place.

OCR has stated repeatedly — including in its published guidance and in resolution agreements — that the failure to perform an adequate risk analysis is the single most common HIPAA violation it identifies during investigations.

Administrative, Physical, and Technical: The Security Rule's Three Safeguard Categories

While the Privacy Rule organizes its requirements around permitted uses, individual rights, and organizational obligations, the Security Rule uses a three-pillar framework:

  • Administrative safeguards: Security management processes, workforce security procedures, contingency planning, and assignment of a security official responsible for ePHI protection.
  • Physical safeguards: Facility access controls, workstation use policies, and device and media controls governing how hardware containing ePHI is handled and disposed of.
  • Technical safeguards: Access controls (unique user IDs, emergency access procedures), audit controls, integrity controls, and transmission security, including encryption.

The Security Rule also distinguishes between required and addressable implementation specifications. "Addressable" does not mean optional — it means your organization must assess whether the specification is reasonable and appropriate, and if not, document why and implement an equivalent alternative.

Where the Two Rules Overlap — And Where They Diverge

Both rules require workforce training. Under the Privacy Rule, every member of your workforce must understand permissible uses and disclosures of PHI. Under the Security Rule, training must cover your security policies and procedures related to ePHI. In practice, effective HIPAA training and certification programs address both rules simultaneously, because your workforce interacts with PHI in all forms throughout the day.

Both rules apply to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — and to their business associates. The Omnibus Rule of 2013 made business associates directly liable under both rules, a change that significantly expanded OCR's enforcement reach.

The key divergence is in patient-facing obligations. The Privacy Rule gives patients the right to access their records, request amendments, request restrictions on uses, and receive a Notice of Privacy Practices. The Security Rule has no patient-facing component — it operates entirely behind the scenes to protect the systems and data that make those patient rights meaningful.

Breach Notification: The Rule That Connects Both

The Breach Notification Rule (45 CFR Part 164 Subpart D) acts as the enforcement bridge between the Privacy and Security Rules. A breach — an impermissible use or disclosure of PHI that compromises its security or privacy — can result from a Privacy Rule failure (an employee sharing records without authorization) or a Security Rule failure (a hacker exploiting an unpatched server).

Between 2009 and 2024, OCR received reports of more than 5,800 breaches, each affecting 500 or more individuals. Many of these breaches trace directly back to gaps that would have been caught by a proper risk analysis or prevented by following the minimum necessary standard. When OCR investigates, it examines compliance with both rules — which is why organizations cannot afford to focus on one at the expense of the other.

Building a Compliance Program That Covers Both Rules

Your organization needs a unified compliance strategy that treats the Privacy and Security Rules as complementary obligations:

  • Conduct a comprehensive risk analysis annually, and update it whenever your environment changes — new EHR vendor, new office location, new telehealth platform.
  • Appoint both a Privacy Officer and a Security Officer. These can be the same person in smaller organizations, but the functions must be explicitly assigned.
  • Implement workforce training that covers both rules. A training program that only discusses patient rights but ignores password policies and phishing awareness leaves your organization exposed. Platforms like HIPAA Certify provide workforce compliance training that addresses both Privacy and Security Rule requirements in a single, structured curriculum.
  • Review business associate agreements to confirm they include both privacy and security obligations as required by the Omnibus Rule.
  • Document everything. Both rules require that policies, procedures, and training records be maintained for a minimum of six years.

The Compliance Gap You Cannot Afford

Understanding how the HIPAA Privacy Rule and Security Rule divide their obligations is not about passing a quiz — it is about building an organization that can withstand an OCR investigation, respond to a breach without panic, and protect the patients whose health information you are entrusted with. The Privacy Rule defines the boundaries of permissible conduct. The Security Rule ensures the technology and processes supporting that conduct are resilient.

Neither rule is optional. Neither rule is sufficient on its own. And OCR has shown — through enforcement actions totaling more than $142 million in settlements and civil monetary penalties since 2003 — that it expects covered entities and business associates to comply with both, fully and demonstrably.