A small dermatology practice in Connecticut thought they had HIPAA covered. They had a privacy notice on their website and a shredder in the back office. Then a laptop disappeared from an employee's car, and 9,712 patient records went with it. The Office for Civil Rights (OCR) came knocking — and found the practice couldn't demonstrate compliance with any of the three core HIPAA rules. The result was a corrective action plan and a painful settlement.

If you've ever Googled "what are the 3 rules of HIPAA," you're asking the right question. These three rules form the entire regulatory backbone of how covered entities and business associates must handle protected health information (PHI). Miss one, and you've built a house on sand.

I've spent years helping organizations untangle HIPAA compliance, and I can tell you: most violations trace back to a misunderstanding — or flat-out ignorance — of these three rules. Let's break them down in language that actually makes sense.

The 3 Rules of HIPAA: A Quick Answer

The three rules of HIPAA are:

  • The Privacy Rule — governs who can access and share PHI
  • The Security Rule — sets safeguards for electronic PHI (ePHI)
  • The Breach Notification Rule — dictates what you must do when a breach occurs

Each rule occupies its own section of the federal regulations and is enforced by the U.S. Department of Health and Human Services (HHS). Each carries its own enforcement teeth. And each one trips up organizations in different ways.

Rule 1: The Privacy Rule — Who Gets to See What

The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) established national standards for when and how PHI can be used or disclosed. It took effect in 2003 and remains the most widely recognized piece of HIPAA.

Here's what it covers in practice:

  • Patients' rights to access their own medical records
  • The "minimum necessary" standard — you share only the PHI needed for a specific purpose
  • Requirements for a Notice of Privacy Practices (NPP)
  • Rules for authorizations and when you can use PHI without one
  • Restrictions on marketing and fundraising communications

Where Organizations Actually Fail on Privacy

In my experience, the Privacy Rule violations I see most often aren't dramatic data heists. They're casual. A front-desk staffer confirms a patient's appointment to a caller who isn't authorized. A physician's office faxes records to the wrong number. A hospital employee snoops in a celebrity's chart.

That last scenario isn't hypothetical. UCLA Health System paid $865,500 to settle charges that employees repeatedly accessed celebrity patient records without authorization. The OCR documented the settlement as a clear Privacy Rule failure.

Your workforce needs to understand that PHI access is role-based and purpose-driven. Curiosity is not a valid reason.

Rule 2: The Security Rule — Locking Down ePHI

The HIPAA Security Rule (45 CFR Part 164, Subparts A and C) zeroes in on electronic protected health information. While the Privacy Rule covers PHI in all formats — paper, oral, electronic — the Security Rule is laser-focused on ePHI.

It requires three categories of safeguards:

  • Administrative safeguards: Risk assessments, workforce training, contingency plans, security management processes
  • Physical safeguards: Facility access controls, workstation security, device and media controls
  • Technical safeguards: Access controls, audit controls, integrity controls, transmission security

The Risk Analysis Gap That Costs Millions

If there's one Security Rule requirement that generates the most enforcement actions, it's the risk analysis. OCR has made this crystal clear through settlement after settlement.

Premera Blue Cross paid $6.85 million in 2020 after a breach affecting over 10.4 million people. A central finding: the organization failed to conduct an adequate, organization-wide risk analysis. You can review OCR's Premera resolution agreement for the details.

I've walked into organizations that haven't done a risk analysis in five years. Some have never done one. They assume their IT vendor handles it, or they confuse a vulnerability scan with a risk analysis. Those are not the same thing.

A proper risk analysis identifies threats and vulnerabilities to ePHI across every system, every device, and every workflow. It's documented. It's updated. And it drives your security decisions.

Workforce Training Isn't Optional

The Security Rule explicitly requires workforce training under its administrative safeguards (§164.308(a)(5)). Every member of your workforce — employees, volunteers, trainees, anyone under your operational control — must receive training on your security policies and procedures.

This is where I see a dangerous gap. Organizations train people once at onboarding and never revisit it. That's not compliant, and it's not effective. Threats evolve. Your training should too.

Our HIPAA training catalog covers the Security Rule requirements your workforce needs to understand — from phishing awareness to device management to access control protocols.

Rule 3: The Breach Notification Rule — What Happens When Things Go Wrong

The Breach Notification Rule (45 CFR §§164.400-414) was added by the HITECH Act in 2009. It requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, when unsecured PHI is breached.

Here's how the timeline works:

  • Individual notification: Within 60 days of discovering the breach
  • HHS notification: Within 60 days for breaches affecting 500+ individuals; annually for smaller breaches
  • Media notification: Required when a breach affects 500+ residents of a single state or jurisdiction

The 4-Factor Risk Assessment You Must Perform

Not every incident is a breach. The Breach Notification Rule gives you a four-factor risk assessment to determine if an impermissible use or disclosure of PHI is reportable:

  • The nature and extent of PHI involved
  • Who accessed or received the PHI
  • Whether the PHI was actually acquired or viewed
  • The extent to which risk has been mitigated

If after applying these factors you can't demonstrate a low probability of compromise, you treat it as a breach. Period. The burden of proof is on your organization.

The Penalty for Delayed Notification

Presence Health paid $475,000 in 2017 for failing to notify affected individuals in a timely manner after paper-based operating room schedules — containing PHI of 836 individuals — went missing. The breach itself was manageable. The late notification made it an enforcement action.

Timing matters. If you discover a breach on day one, your 60-day clock starts ticking that day. Not when you finish your investigation. Not when legal signs off. Day one. And a breach counts as discovered on the first day anyone in your workforce knows about it, or reasonably should have known about it, so a delayed internal escalation does not buy you extra time.

How the 3 HIPAA Rules Work Together

These three rules aren't standalone checklists. They're interdependent.

Your Privacy Rule policies define what PHI can be used and disclosed. Your Security Rule safeguards protect the ePHI you've identified. And your Breach Notification Rule procedures kick in when those safeguards fail.

Think of it this way: the Privacy Rule draws the boundaries. The Security Rule builds the walls. The Breach Notification Rule is the alarm system.

When I audit an organization, I look at all three together. A Privacy Rule violation usually reveals a Security Rule gap. A breach notification failure usually means neither of the other two rules was properly implemented.

What This Means for Your Organization in 2026

OCR has signaled repeatedly that enforcement is intensifying, not easing. The HHS breach portal — sometimes called the "Wall of Shame" — lists every breach affecting 500 or more individuals. It's public. It's permanent. And it's growing.

You can search it yourself at HHS's Breach Portal.

Here's what you should do right now:

  • Audit your risk analysis. When was it last updated? Does it cover all systems containing ePHI?
  • Review your NPP. Does your Notice of Privacy Practices reflect current operations?
  • Test your breach response plan. Can your team execute notification within 60 days?
  • Train your workforce. Not once. Regularly. With documentation you can produce on demand.

If your team hasn't completed role-based HIPAA training this year, explore our HIPAA compliance training options to close that gap before OCR finds it for you.

The Bottom Line

When someone asks "what are the 3 rules of HIPAA," they're really asking: "What do I actually have to do?" The answer is straightforward but demanding. Protect the privacy of health information. Secure it electronically. And when something goes wrong, notify people fast.

Every covered entity and business associate in the country is bound by these three rules. The organizations that thrive under them aren't the ones with the biggest IT budgets. They're the ones that take the rules seriously, train their people, and document everything.

I've seen organizations survive OCR investigations with nothing more than solid documentation and a trained workforce. I've also seen organizations crumble because they couldn't produce a single risk analysis. The difference is always preparation.