In February 2023, OCR settled with a healthcare provider for $1.25 million after investigators found failures spanning all three HIPAA rules — inadequate safeguards for electronic protected health information, missing policies on PHI disclosures, and a breach notification that came months too late. The case wasn't unusual. In my work with covered entities, I consistently see organizations that understand bits and pieces of HIPAA but fail to grasp how the three rules interconnect and reinforce each other.
If your organization handles protected health information — whether you're a covered entity or a business associate — you need a working command of all three. Here's what each rule actually requires and where enforcement actions reveal the most common gaps.
The Three HIPAA Rules: Privacy, Security, and Breach Notification
HIPAA's regulatory framework under 45 CFR Part 164 is built on three distinct but interlocking rules. Each addresses a different dimension of protecting PHI, and compliance with one does not satisfy the others.
The Privacy Rule (45 CFR §164.500–534) governs how PHI can be used and disclosed. The Security Rule (45 CFR §164.302–318) sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards. The Breach Notification Rule (45 CFR §164.400–414) dictates what happens when a breach of unsecured PHI occurs.
Understanding the three HIPAA rules as a unified system — rather than isolated checklists — is what separates compliant organizations from those that end up in OCR's enforcement pipeline.
What the Privacy Rule Requires Beyond a Notice of Privacy Practices
Most organizations know they need a Notice of Privacy Practices. Far fewer have implemented the Privacy Rule's operational requirements with any rigor.
The Privacy Rule establishes the minimum necessary standard, which limits PHI use and disclosure to only the information needed for a given purpose. This isn't a suggestion — it's an enforceable requirement that applies to your workforce, your internal workflows, and your business associate relationships.
Your organization must also honor individual rights: access to records within 30 days, an accounting of disclosures, and the right to request amendments. OCR has pursued enforcement actions specifically targeting access failures, issuing over $14 million in settlements through its Right of Access Initiative between 2019 and 2023.
Privacy Rule compliance demands documented policies, consistent workforce training, and active oversight. Posting a notice in the lobby and filing it away is not compliance.
Security Rule Safeguards That OCR Investigates First
The Security Rule requires covered entities and business associates to implement safeguards that protect the confidentiality, integrity, and availability of ePHI. It breaks these into three categories: administrative, physical, and technical.
Administrative safeguards include conducting a thorough risk analysis — the single most cited deficiency in OCR enforcement actions. Under 45 CFR §164.308(a)(1), your organization must identify threats to ePHI, assess vulnerabilities, and implement measures to reduce risk to a reasonable level. A risk analysis is not a one-time event. It must be updated whenever your environment changes.
Physical safeguards address facility access, workstation security, and device controls. Technical safeguards cover access controls, audit logs, transmission security, and integrity mechanisms.
- Access controls: Unique user IDs and emergency access procedures are required, not optional.
- Audit controls: You must have mechanisms to record and examine access to ePHI.
- Transmission security: Encryption of ePHI in transit is an addressable specification — meaning you must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate.
If your workforce hasn't been trained on these safeguards, your technical investments are undermined. Comprehensive HIPAA training and certification ensures every team member understands their role in protecting ePHI.
Breach Notification Rule: The 60-Day Clock Starts Immediately
The third of the three HIPAA rules — the Breach Notification Rule — was strengthened significantly by the Omnibus Rule in 2013. It introduced a presumption that any impermissible use or disclosure of unsecured PHI constitutes a breach unless your organization can demonstrate a low probability that PHI was compromised, based on a four-factor risk assessment.
Those four factors are:
- The nature and extent of the PHI involved
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether PHI was actually acquired or viewed
- The extent to which risk to the PHI has been mitigated
For breaches affecting 500 or more individuals, you must notify affected individuals, OCR, and prominent media outlets within 60 calendar days of discovery. For smaller breaches, OCR must be notified within 60 days of the end of the calendar year in which the breach was discovered.
Late notifications draw scrutiny and penalties. In several enforcement actions, OCR has imposed six-figure penalties specifically because the covered entity delayed breach reporting — even when the underlying incident was relatively contained.
How the Three Rules Work Together in Practice
A HIPAA violation rarely implicates just one rule. Consider a common scenario: an employee accesses a patient record without a treatment, payment, or operations purpose. That's a Privacy Rule violation. If audit controls failed to flag the access, that's a Security Rule deficiency. If the improper access constitutes a breach and your organization doesn't perform the four-factor risk assessment, you've now triggered a potential Breach Notification Rule violation.
OCR investigators follow these threads. A complaint about one rule often surfaces failures across all three. This is precisely why piecemeal compliance strategies fail.
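As an added example (not code from the original article), the scenario above worked through in Python: a check that examines a constructed ePHI access log for entries with no documented treatment, payment, or operations relationship (the "examine" half of an audit control), and a function that computes the notification clocks that start once the four-factor assessment cannot show a low probability of compromise. The log fields, user names, and TPO table are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Constructed sample ePHI access log (not from any real system). The fields
# are an assumption for this example: who opened which record, and when.
ACCESS_LOG = [
    {"ts": "2024-03-04T09:12:00", "user": "dr.patel",    "patient": "P1001"},
    {"ts": "2024-03-04T09:40:00", "user": "billing.lee", "patient": "P1001"},
    {"ts": "2024-03-04T11:05:00", "user": "nurse.kim",   "patient": "P2002"},
    {"ts": "2024-03-04T13:30:00", "user": "nurse.kim",   "patient": "P1001"},
]

# Constructed TPO relationships: for each patient, the workforce members with a
# documented treatment, payment, or operations reason to open the record.
TPO_RELATIONSHIPS = {
    "P1001": {"dr.patel", "billing.lee"},
    "P2002": {"nurse.kim"},
}


def flag_access_without_tpo(log, tpo):
    """Return log entries whose user had no TPO relationship to the patient.

    Recording access is only half of an audit control (45 CFR 164.312(b));
    this is the 'examine' half that surfaces the scenario in the text.
    """
    return [e for e in log if e["user"] not in tpo.get(e["patient"], set())]


def notification_deadlines(discovered_iso, individuals_affected):
    """Breach Notification Rule clocks, measured from the discovery date.

    Applies once the four-factor assessment cannot show a low probability of
    compromise. Individuals: no later than 60 calendar days after discovery
    (45 CFR 164.404). OCR: the same 60 days for 500+ individuals, otherwise
    within 60 days after the end of the calendar year of discovery
    (45 CFR 164.408). Media: the same 60 days when the 500 threshold is met
    (45 CFR 164.406 counts residents of a State; the total is used here).
    Dates are ISO strings so the result is easy to log or assert on.
    """
    discovered = date.fromisoformat(discovered_iso)
    sixty_days = discovered + timedelta(days=60)
    year_end_plus_sixty = date(discovered.year, 12, 31) + timedelta(days=60)
    large = individuals_affected >= 500
    return {
        "individuals": sixty_days.isoformat(),
        "ocr": (sixty_days if large else year_end_plus_sixty).isoformat(),
        "media": sixty_days.isoformat() if large else None,
    }
```

The flagged entry (nurse.kim opening P1001 with no care relationship) is exactly the access the text describes; whether it is a reportable breach still depends on the documented four-factor assessment, which this code does not decide for you.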
Building Compliance Across All Three HIPAA Rules
Effective compliance requires an integrated approach:
- Conduct and maintain a current risk analysis that addresses administrative, physical, and technical vulnerabilities.
- Document your Privacy Rule policies — including minimum necessary determinations, authorization procedures, and individual rights workflows.
- Establish a breach response plan with clear timelines, designated personnel, and documented risk assessment procedures.
- Train your entire workforce — not just clinical staff. Administrative employees, IT teams, and contractors with PHI access are all within scope.
Workforce training is the connective tissue between all three HIPAA rules. Without it, policies exist only on paper. The organizations that avoid HIPAA violations are the ones investing in ongoing education, not annual checkbox exercises. HIPAA Certify's workforce compliance program is designed to address this gap with practical, role-specific training that maps directly to regulatory requirements.
The Compliance Gap OCR Keeps Exploiting
Between 2003 and 2024, OCR has resolved over 30,000 HIPAA cases and collected more than $142 million in settlements and civil monetary penalties. The patterns are consistent: incomplete risk analyses, untrained workforce members, missing breach documentation, and Privacy Rule policies that haven't been updated since implementation.
Your organization doesn't need to be perfect. But it does need to demonstrate a good-faith, documented effort across all three HIPAA rules. That starts with understanding what each rule demands — and building the infrastructure, training, and accountability to meet those demands every day.