In 2023, OCR settled with a dental practice for $350,000 after investigators found that the organization had no written security policies, no risk analysis, and no evidence of workforce training. The practice's leadership believed that protecting paper records was enough. They had misunderstood how HIPAA is structured and which of its rules applied to them. The three parts of HIPAA are the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each carries distinct requirements, and failing to comply with any one of them can expose a covered entity or business associate to significant penalties.
The Three Parts of HIPAA Are Built on Different Regulatory Foundations
Healthcare organizations consistently struggle with a basic structural question: what exactly does HIPAA require? The confusion is understandable. The statute was enacted in 1996, but its major regulatory components were phased in over more than a decade: the Privacy Rule was finalized in 2000, the Security Rule in 2003, the Breach Notification Rule followed the HITECH Act of 2009, and the Omnibus Rule of 2013 extended direct liability to business associates and finalized other critical updates.
Understanding that the three parts of HIPAA are separate but interconnected rules is the first step toward building a compliance program that actually works. Each part addresses a different dimension of protecting protected health information (PHI), and each imposes obligations on covered entities and their business associates.
Part One: The HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
The Privacy Rule establishes national standards for when and how PHI can be used and disclosed. It applies to all forms of PHI — electronic, paper, and oral. In my work with covered entities, this is the rule that generates the most day-to-day compliance questions.
Key requirements under the Privacy Rule include:
- Notice of Privacy Practices: Your organization must provide patients with a clear written notice describing how their PHI may be used, their rights, and your legal duties.
- Minimum necessary standard: When using or disclosing PHI, your workforce must limit the information to the minimum necessary to accomplish the intended purpose.
- Patient rights: Individuals have the right to access their records, request amendments, and receive an accounting of disclosures.
- Authorization requirements: Uses and disclosures that are not for treatment, payment, or healthcare operations, and that the rule does not otherwise permit or require (for example, certain public health, law enforcement, or required-by-law disclosures), require written patient authorization.
OCR enforcement actions frequently cite Privacy Rule failures. Organizations that lack a compliant Notice of Privacy Practices or routinely share more PHI than necessary are putting themselves directly in the crosshairs.
Part Two: The HIPAA Security Rule (45 CFR Part 164, Subpart C)
While the Privacy Rule covers all PHI, the Security Rule focuses specifically on electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI against reasonably anticipated threats.
The Security Rule's three safeguard categories include:
- Administrative safeguards: Conducting and documenting a thorough risk analysis, managing the risks it identifies, designating a security official, sanctioning workforce members who violate policy, implementing workforce training, maintaining contingency and incident response procedures, and executing business associate agreements.
- Physical safeguards: Controlling facility access, securing workstations, and governing the disposal of devices containing ePHI.
- Technical safeguards: Implementing access controls (unique user identification, emergency access procedures, automatic logoff, and encryption and decryption), audit controls, integrity controls, person or entity authentication, and transmission security measures.
The risk analysis requirement under the Security Rule is the single most cited deficiency in OCR enforcement actions. Between 2008 and 2024, the majority of resolution agreements and civil money penalties involved organizations that had never completed an adequate risk analysis — or had not updated one in years.
If your organization creates, receives, maintains, or transmits ePHI in any form, the Security Rule applies to you. The rule lets you scale safeguards to your size, complexity, and risk profile, but there is no small-practice exemption, and "addressable" implementation specifications are not optional: you must implement each one, implement a documented equivalent, or document why neither is reasonable and appropriate.
Part Three: The Breach Notification Rule (45 CFR Part 164, Subpart D)
The Breach Notification Rule defines what constitutes a breach of unsecured PHI and prescribes exactly how your organization must respond. A breach is any acquisition, access, use, or disclosure of PHI that is not permitted under the Privacy Rule and that compromises the security or privacy of the information. Since the Omnibus Rule, an impermissible use or disclosure is presumed to be a breach unless you can show, through a documented risk assessment of at least four factors (the nature and extent of the PHI, the unauthorized person who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability the PHI was compromised. "Unsecured" means the PHI was not rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance; a lost laptop whose disk is properly encrypted, with the key not compromised, is not a reportable breach, which is why encryption at rest is the single most effective technical control against notification obligations.
Your obligations under this rule depend on the scale of the breach:
- Breaches affecting 500 or more individuals: You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, and notify the HHS Secretary at the same time. If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that jurisdiction within the same 60-day window.
- Breaches affecting fewer than 500 individuals: You must notify affected individuals within the same 60-day limit, log the breach, and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered.
- Business associate obligations: If a business associate discovers a breach, it must notify the covered entity without unreasonable delay and no later than 60 days after discovery; a business associate agreement may impose a shorter deadline but cannot extend this one. State breach laws may also impose stricter timelines than HIPAA.
OCR publishes all breaches affecting 500 or more individuals on its public breach portal — commonly known as the "Wall of Shame." As of early 2024, it listed over 6,000 reported breaches. Appearing on that list triggers reputational damage that can far exceed the financial penalties.
How the Three Rules Work Together to Protect PHI
These three rules are not isolated checklists. They form an integrated compliance framework. The Privacy Rule tells you what to protect and when disclosure is permissible. The Security Rule tells you how to protect ePHI with specific safeguards. The Breach Notification Rule tells you what to do when protections fail.
Organizations that treat these rules as separate projects — or worse, delegate them to different departments with no coordination — inevitably develop gaps. OCR has made clear through its enforcement priorities that it evaluates compliance holistically. A HIPAA violation in one area often signals systemic failures across all three.
The Workforce Training Requirement Most Organizations Underestimate
All three parts of HIPAA share a common dependency: your workforce. The Privacy Rule requires training on PHI policies and procedures. The Security Rule requires security awareness training. The Breach Notification Rule requires that your team knows how to identify and report a potential breach, and the stakes are concrete: a breach is treated as discovered on the first day any workforce member (other than the person who committed it) knows or reasonably should have known about it, so an untrained employee who sits on a lost device for a month has already consumed half of your 60-day notification clock.
Yet in practice, many organizations provide generic onboarding training and never revisit it. OCR expects ongoing, documented training that reflects your organization's specific risks and policies. This is where investing in comprehensive HIPAA training and certification pays dividends — not only in compliance, but in reducing the likelihood of a reportable incident.
Bringing Your Organization Into Full Compliance
Understanding that the three parts of HIPAA are the Privacy Rule, the Security Rule, and the Breach Notification Rule gives your compliance team a clear framework to build from. But knowledge alone isn't enough. You need documented policies, a current risk analysis, signed business associate agreements, and a trained workforce.
If your organization hasn't recently assessed its compliance posture across all three rules, now is the time. Start by ensuring every member of your workforce completes role-appropriate training through a program like HIPAA Certify's workforce compliance platform. Then audit your documentation — your Notice of Privacy Practices, your risk analysis, and your breach response plan — against current regulatory requirements.
OCR doesn't ask whether you intended to comply. It asks whether you can demonstrate compliance. Build your program around all three rules, document everything, retain that documentation for the six years the rules require, and train your people. That's how you stay off the Wall of Shame.