In February 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals exposed failures across multiple HIPAA requirements. The investigation revealed gaps not just in one area but across all three primary rules of HIPAA. It's a pattern I've seen repeated in enforcement action after enforcement action: organizations that misunderstand one rule almost always have blind spots in the other two.
If your covered entity or business associate treats these rules as separate silos, you're setting yourself up for the kind of cascading compliance failure that draws OCR's attention. Here's exactly what each rule requires and where organizations consistently fall short.
The Three Primary Rules of HIPAA and How They Work Together
HIPAA's regulatory framework rests on three pillars codified primarily in 45 CFR Part 164: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each addresses a different dimension of safeguarding protected health information (PHI), but they are deeply interconnected. A weakness in your Security Rule safeguards becomes a Privacy Rule violation the moment unauthorized access occurs, and it triggers Breach Notification obligations immediately after.
Understanding each rule in isolation is necessary. Understanding how they interact is what separates compliant organizations from those facing corrective action plans.
The Privacy Rule: Controlling Who Accesses PHI and Why
The HIPAA Privacy Rule (45 CFR §164.500–534) establishes the conditions under which protected health information can be used and disclosed. It applies to PHI in any form — electronic, paper, or oral — and sets the floor for patient rights and organizational accountability.
Your organization must implement these core Privacy Rule requirements:
- Minimum necessary standard: Limit PHI use and disclosure to only the information reasonably needed for a specific purpose. This applies to internal access, not just external disclosures.
- Notice of Privacy Practices: Provide every patient a clear notice explaining how your organization uses their PHI, their rights to access and amend records, and how to file complaints.
- Patient rights: Individuals have the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on certain uses.
- Workforce training: Every member of your workforce — not just clinicians — must be trained on Privacy Rule policies relevant to their role.
In my work with covered entities, the minimum necessary standard is the requirement most frequently underestimated. Organizations grant broad EHR access to entire departments when role-based access controls would limit exposure significantly. OCR has flagged this exact issue in multiple investigations.
The Security Rule: Safeguarding Electronic PHI
While the Privacy Rule covers all forms of PHI, the Security Rule (45 CFR §164.302–318) focuses specifically on electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI.
The Security Rule demands three categories of safeguards:
- Administrative safeguards: Conduct a thorough risk analysis, designate a security officer, implement workforce training programs, and establish contingency plans. The risk analysis requirement under §164.308(a)(1) is the single most cited deficiency in OCR enforcement actions.
- Physical safeguards: Control physical access to facilities and workstations where ePHI is accessible. This includes device and media controls for hardware containing patient data.
- Technical safeguards: Implement access controls, audit controls, integrity controls, and transmission security. Encryption is an addressable specification, which is not the same as optional. If you choose not to encrypt, you must document why encryption is not reasonable and appropriate in your environment and why the alternative measure you implement provides equivalent protection.
Healthcare organizations consistently struggle with the risk analysis requirement. A one-time checklist completed during an EHR implementation does not satisfy the Security Rule. OCR expects an ongoing, enterprise-wide risk analysis that is reviewed and updated as your environment changes. Between 2016 and 2023, the absence of an adequate risk analysis appeared in the vast majority of OCR settlements exceeding $1 million.
If your workforce hasn't completed formalized HIPAA training and certification, your administrative safeguards are incomplete — full stop.
The Breach Notification Rule: What Happens When Safeguards Fail
The Breach Notification Rule (45 CFR §164.400–414), strengthened by the 2013 Omnibus Rule, establishes what your organization must do when an impermissible use or disclosure of PHI occurs. The Omnibus Rule introduced a presumption of breach: any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless you can demonstrate a low probability that the information was compromised.
Your breach notification obligations depend on the scale:
- Breaches affecting 500 or more individuals: Notify affected individuals, the HHS Secretary, and prominent media outlets within 60 days of discovery.
- Breaches affecting fewer than 500 individuals: Notify affected individuals within 60 days and report to HHS annually by March 1 of the following year.
- Business associate obligations: A business associate must notify the covered entity within the timeframe specified in the business associate agreement — typically no more than 30 days.
The four-factor risk assessment for determining the probability of compromise examines the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Document this analysis thoroughly. OCR reviews these assessments during investigations, and unsupported conclusions that "no breach occurred" invite scrutiny.
The Workforce Training Requirement Most Organizations Underestimate
All three primary rules of HIPAA converge on one operational requirement: workforce training. The Privacy Rule mandates training on PHI handling policies. The Security Rule requires security awareness training as an administrative safeguard. The Breach Notification Rule demands that your workforce can recognize and report potential breaches.
Yet training remains one of the weakest links. A 2022 OCR investigation into a small provider found that no staff member had received HIPAA training in over four years. The resulting corrective action plan required monitored training for every employee — a costly and disruptive outcome that proper planning would have prevented.
Investing in comprehensive workforce HIPAA compliance programs ensures your team understands not just the rules, but how those rules apply to their daily responsibilities. Annual training isn't a best practice — it's a regulatory expectation.
Bridging the Gap Between Knowledge and Compliance
Knowing the three primary rules of HIPAA is foundational, but compliance lives in the details: documented policies, completed risk analyses, role-based access controls, tested contingency plans, and a trained workforce. OCR's enforcement priorities have made clear that paper compliance — policies that exist on a shelf but aren't operationalized — carries the same risk as no compliance at all.
Start with your risk analysis. Audit your Notice of Privacy Practices. Review your business associate agreements. And make sure every member of your workforce has current, documented HIPAA training. The organizations that take these steps proactively are the ones that never appear on OCR's breach portal.