In February 2023, OCR settled with a dental practice in New England for $30,000 after investigators found the organization had no written HIPAA policies, no risk analysis, and no workforce training program in place. The practice's leadership said they thought HIPAA only applied to hospitals. Understanding what the rules of HIPAA are isn't optional — it's the baseline legal obligation for every covered entity and business associate that touches protected health information.

What Are the Rules of HIPAA? The Four Core Regulations

HIPAA is not a single rule. It's a framework built from four interlocking regulations, each codified under 45 CFR Parts 160 and 164. Healthcare organizations consistently struggle because they treat HIPAA as a checkbox rather than an integrated compliance system.

The four rules every covered entity must understand and implement are the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Each addresses a distinct dimension of how your organization handles PHI.

The Privacy Rule: Controlling Who Accesses PHI

The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) establishes national standards for when and how protected health information can be used and disclosed. It applies to all forms of PHI — paper, electronic, and verbal.

At its core, the Privacy Rule requires your organization to implement the minimum necessary standard: workforce members should access only the PHI they need to perform their specific job function. In my work with covered entities, this is the provision most frequently violated without anyone realizing it.

Key Privacy Rule requirements include:

  • Providing every patient a Notice of Privacy Practices that explains their rights and your organization's PHI handling policies.
  • Obtaining valid written authorization before using PHI for marketing, most research purposes, or the sale of PHI.
  • Granting patients the right to access, amend, and receive an accounting of disclosures of their health records.
  • Designating a Privacy Officer responsible for developing and enforcing policies.

OCR has made clear through its enforcement actions that having a Notice of Privacy Practices alone is not enough. Your workforce must be trained to operationalize these standards daily.

The Security Rule: Safeguarding Electronic PHI

The HIPAA Security Rule (45 CFR Part 164, Subpart C) focuses specifically on electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI against reasonably anticipated threats.

The most critical — and most frequently cited — requirement under the Security Rule is the risk analysis. Under 45 CFR § 164.308(a)(1), your organization must conduct a thorough, documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

OCR's enforcement data tells the story: between 2008 and 2024, the failure to perform a comprehensive risk analysis was the single most common finding in HIPAA settlement agreements. If your organization hasn't completed or updated its risk analysis, you are exposed.

Required safeguards include:

  • Administrative: Workforce training, access management policies, incident response procedures, and contingency planning.
  • Physical: Facility access controls, workstation security, and device and media disposal protocols.
  • Technical: Access controls, audit logs, integrity controls, and transmission security such as encryption.

The Breach Notification Rule: What Happens When Things Go Wrong

The Breach Notification Rule (45 CFR Part 164, Subpart D), strengthened by the 2013 Omnibus Rule, requires covered entities to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI.

For breaches affecting 500 or more individuals, notification to HHS and prominent media outlets must occur without unreasonable delay and no later than 60 calendar days from discovery. Smaller breaches must be reported to HHS annually. Every breach, regardless of size, demands individual notification.

The Omnibus Rule shifted the burden of proof: a presumed breach exists unless your organization demonstrates through a documented four-factor risk assessment that there is a low probability the PHI was compromised. This means documentation isn't just good practice — it's your legal defense.

The Enforcement Rule and Real Penalty Tiers

The Enforcement Rule (45 CFR Part 160, Subparts C through E) gives OCR the authority to investigate complaints, conduct compliance reviews, and impose civil monetary penalties. Penalty tiers under the HITECH Act range from $137 to $68,928 per violation, with an annual maximum of $2,067,813 per violation category (amounts adjusted for inflation as of 2024).

Criminal penalties, enforced by the Department of Justice, can reach up to $250,000 in fines and 10 years of imprisonment for offenses committed with intent to sell or use PHI for personal gain.

Business Associate Obligations You Cannot Ignore

If your organization shares PHI with any third party — billing companies, IT vendors, cloud storage providers, shredding services — you must have a business associate agreement (BAA) in place. Since the Omnibus Rule took effect, business associates are directly liable for HIPAA compliance, not just contractually bound.

OCR enforcement actions against business associates have increased steadily. In 2024, multiple settlements involved business associates that failed to encrypt ePHI or conduct a risk analysis. Your organization is responsible for ensuring every business associate relationship is documented and governed by a compliant BAA.

The Workforce Training Requirement Most Organizations Underestimate

Under both the Privacy Rule (45 CFR § 164.530(b)) and the Security Rule (45 CFR § 164.308(a)(5)), your organization must train every workforce member — employees, volunteers, trainees, contractors — on HIPAA policies and procedures. Training must occur at onboarding and must be reinforced when material changes occur.

In practice, annual training has become the de facto standard because OCR expects organizations to demonstrate ongoing compliance awareness. A one-time orientation session from 2019 will not protect you in 2025.

If your organization needs a structured, up-to-date training program, HIPAA training and certification courses provide the documentation and workforce education that OCR investigators look for during audits and complaint investigations.

Building a Compliance Program That Holds Up to Scrutiny

Knowing what the rules of HIPAA are is only the starting point. Compliance requires action: documented policies, completed risk analyses, executed BAAs, workforce training records, and incident response plans that your team has actually tested.

OCR doesn't penalize organizations for having a breach. It penalizes organizations for lacking the systems that should have prevented or mitigated one. Every enforcement action I've reviewed comes down to gaps in fundamentals — not exotic threat scenarios.

Start with a risk analysis. Train your workforce. Document everything. If you need a centralized platform to manage workforce HIPAA compliance across your organization, invest in one now — before an OCR complaint forces you to explain why you didn't.