In 2023, the HHS Office for Civil Rights (OCR) settled or imposed penalties in cases totaling over $4 million, many involving organizations that simply failed to understand the scope of their obligations. The question "what are the HIPAA regulations?" sounds basic, but in my work with covered entities and business associates, I've found that even experienced compliance officers have gaps in their understanding of how these rules interconnect and apply to daily operations.

What Are the HIPAA Regulations and Why Do They Exist?

HIPAA — the Health Insurance Portability and Accountability Act of 1996 — established a national framework for protecting individuals' health information. But the statute itself is just the foundation. The regulations that enforce it are codified primarily in 45 CFR Parts 160 and 164 and are organized into distinct rules, each with specific compliance requirements.

These regulations apply to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates — any organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.

Understanding each rule individually — and how they work together — is essential before your organization can claim meaningful compliance.

The Privacy Rule: Controlling How PHI Is Used and Disclosed

The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) governs who can access protected health information and under what circumstances. It establishes patients' rights over their own data, including the right to access their records, request amendments, and receive an accounting of disclosures.

Your organization must maintain a current Notice of Privacy Practices that clearly informs patients how their PHI may be used. This isn't optional — OCR has investigated multiple organizations for failing to provide or update this notice.

The Privacy Rule also codifies the minimum necessary standard, which requires that your workforce access, use, or disclose only the minimum amount of PHI needed to accomplish the intended purpose. This standard is one of the most frequently misunderstood — and violated — requirements I see in practice.

The Security Rule: Safeguarding Electronic PHI

While the Privacy Rule covers all forms of PHI, the Security Rule (45 CFR Part 164, Subpart C) specifically addresses electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards.

Key requirements include:

  • Risk analysis (45 CFR §164.308(a)(1)(ii)(A)): Your organization must conduct an accurate and thorough risk analysis of the threats and vulnerabilities to ePHI, and repeat it as your environment changes. This is the single most cited deficiency in OCR enforcement actions.
  • Access controls (45 CFR §164.312(a)): Unique user identification and emergency access procedures are required specifications; automatic logoff and encryption/decryption are addressable, meaning you must implement them or document why an equivalent alternative is reasonable and appropriate for your environment.
  • Audit controls (45 CFR §164.312(b)): Hardware, software, and procedural mechanisms that record and examine activity in systems that contain or use ePHI.
  • Integrity controls (45 CFR §164.312(c)): Policies and procedures to protect ePHI from improper alteration or destruction.

OCR's enforcement history makes one thing clear: organizations that skip or shortcut the risk analysis requirement are the ones that face the largest penalties. The 2023 settlement with Banner Health for $1.25 million specifically cited risk analysis failures.

The Breach Notification Rule: What Happens When Something Goes Wrong

The Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, HHS, and in some cases the media, following an impermissible use or disclosure of PHI that compromises its security or privacy.

Every breach, regardless of size, requires notification to affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered. If a breach affects 500 or more individuals, your organization must also notify HHS at the same time as the individuals (again, no later than 60 days after discovery), and if more than 500 residents of a single state or jurisdiction are affected, you must notify prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Business associates have independent breach notification obligations as well. Under 45 CFR §164.410 they must notify the covered entity without unreasonable delay and no later than 60 days after discovering the breach; a business associate agreement can shorten that window but cannot extend it.

The Omnibus Rule: Closing the Gaps

The HIPAA Omnibus Rule of 2013, which implemented most of the HITECH Act's changes, significantly expanded the regulatory landscape. It made business associates directly liable for compliance with certain HIPAA provisions, strengthened the Breach Notification Rule by introducing a presumption that any impermissible use or disclosure is a breach unless a documented risk assessment demonstrates a low probability that the PHI was compromised, and increased the penalty tiers for HIPAA violations.

Penalty tiers now range from $137 to $68,928 per violation (adjusted annually for inflation), with annual maximums reaching $2,067,813 per violation category. Criminal penalties, enforced by the Department of Justice, can include fines up to $250,000 and imprisonment up to 10 years.

The Workforce Training Requirement Most Organizations Underestimate

Both the Privacy Rule and the Security Rule require that your workforce receive training on HIPAA policies and procedures. Under 45 CFR §164.530(b), privacy training must be provided to every workforce member within a reasonable time after they join and to each member affected by a material change in policies within a reasonable time after the change. The Security Rule adds its own security awareness and training requirement at 45 CFR §164.308(a)(5).

Healthcare organizations consistently struggle with documenting this training. OCR expects evidence — not just a policy stating that training happens, but records proving who was trained, when, and on what content. A missing training log can turn a minor incident into a costly HIPAA violation.

If your organization needs a structured approach, HIPAA training and certification programs can provide both the education and the documentation that OCR looks for during investigations.

Practical Steps to Apply the HIPAA Regulations Today

Knowing what the HIPAA regulations are is only the first step. Applying them requires deliberate action:

  • Conduct a comprehensive risk analysis — and document it thoroughly. Update it at least annually or when your environment changes.
  • Review your Notice of Privacy Practices — ensure it reflects current uses and disclosures, including any telehealth or digital health platforms adopted in recent years.
  • Audit business associate agreements — confirm that every vendor handling PHI has a current, Omnibus-compliant agreement in place.
  • Enforce the minimum necessary standard — implement role-based access controls so workforce members can only access the PHI they need.
  • Invest in ongoing workforce training — not a one-time onboarding exercise, but recurring education that reflects current threats and policy changes.
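The Security Rule's access and audit control safeguards and the minimum necessary standard described above come together in a fairly simple pattern: deny by default, release only the PHI fields a role needs, allow a logged emergency (break-glass) path, and record every request so the audit trail can be examined. The following is an added example written for this article, not code from any HIPAA Certify product or from OCR; the role names, field names and the sample patient record are hypothetical and constructed for the demonstration.

```python
"""Minimum-necessary access gate with an audit trail (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Role-to-field map: the PHI fields each role legitimately needs.
# Role and field names are hypothetical, chosen for this example.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "billing": {"patient_id", "name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"patient_id", "name", "phone", "next_appointment"},
    "treating_clinician": {"patient_id", "name", "dob", "allergies",
                           "medications", "diagnoses", "procedure_codes"},
}

# Constructed sample record; not real patient data.
SAMPLE_RECORDS: Dict[str, Dict[str, object]] = {
    "P-1001": {
        "patient_id": "P-1001", "name": "Jane Example", "dob": "1980-04-12",
        "phone": "555-0100", "next_appointment": "2024-09-03",
        "insurance_id": "INS-77", "procedure_codes": ["99213"],
        "allergies": ["penicillin"], "medications": ["lisinopril"],
        "diagnoses": ["I10"],
    }
}


@dataclass(frozen=True)
class AuditEvent:
    """One immutable audit record per access request (audit controls)."""
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    purpose: str
    requested: Tuple[str, ...]
    released: Tuple[str, ...]
    denied: Tuple[str, ...]
    break_glass: bool


class PHIGateway:
    """Releases only the fields a role needs and records every request."""

    def __init__(self, records: Dict[str, Dict[str, object]]) -> None:
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def access(self, user_id: str, role: str, patient_id: str,
               fields: List[str], purpose: str,
               break_glass: bool = False) -> Dict[str, object]:
        # Unique user identification: no anonymous or shared-account access.
        if not user_id:
            raise ValueError("every request must carry a unique user ID")
        requested = set(fields)
        if break_glass:
            # Emergency access procedure: release what was asked for, but the
            # event is flagged below so it is reviewed after the fact.
            allowed = requested
        else:
            # Minimum necessary: unknown roles get nothing (deny by default).
            allowed = requested & ROLE_FIELDS.get(role, set())
        denied = requested - allowed
        record = self._records.get(patient_id, {})
        released = {f: record[f] for f in allowed if f in record}
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, role=role, patient_id=patient_id, purpose=purpose,
            requested=tuple(sorted(requested)),
            released=tuple(sorted(released)),
            denied=tuple(sorted(denied)),
            break_glass=break_glass,
        ))
        return released

    def events_needing_review(self) -> List[AuditEvent]:
        """Break-glass uses and over-broad requests are what a reviewer examines."""
        return [e for e in self.audit_log if e.break_glass or e.denied]


if __name__ == "__main__":
    gw = PHIGateway(SAMPLE_RECORDS)
    # Billing asks for a diagnosis it does not need: name and insurance_id
    # are released, diagnoses is denied and logged.
    print(gw.access("u-billing-07", "billing", "P-1001",
                    ["name", "insurance_id", "diagnoses"], "claim submission"))
    # Front desk invokes break-glass during an emergency: released but flagged.
    print(gw.access("u-rn-22", "front_desk", "P-1001",
                    ["allergies", "medications"], "ED emergency", break_glass=True))
    for event in gw.events_needing_review():
        print(event)
```

The audit log is the part OCR asks for: it shows who asked for what, what was actually released, and which requests exceeded the role's need. In a production system the log would go to append-only storage and `events_needing_review()` would feed a periodic review, which is the "examine" half of the audit controls requirement.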

For organizations building or refreshing a compliance program, HIPAA Certify's workforce compliance platform offers a practical foundation that covers these core regulatory requirements.

OCR Enforcement Is Increasing — Not Slowing Down

Between its Right of Access Initiative and ongoing breach investigations, OCR has signaled that enforcement will remain aggressive. In 2024, investigations into risk analysis failures and insufficient workforce training continue to dominate the docket.

Your organization's best defense isn't a single audit or a policy binder collecting dust. It's an operational understanding of the HIPAA regulations — applied consistently, documented thoroughly, and reinforced through regular training. The regulations aren't ambiguous about what's required. The organizations that face penalties are overwhelmingly those that knew the rules existed but failed to operationalize them.