In 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals exposed critical failures across multiple HIPAA requirements. The investigation didn't cite a single vague "HIPAA violation" — it pointed to specific breakdowns under specific rules. If you've ever asked what a HIPAA rule is, the answer matters for far more than academic curiosity. Each HIPAA rule carries distinct requirements, and your organization's compliance depends on understanding exactly how they apply to your operations.
What Is a HIPAA Rule, and Why Are There Multiple Rules?
HIPAA isn't a single regulation — it's a framework built from several interlocking rules, each codified under 45 CFR Parts 160 and 164. When people ask what a HIPAA rule is, they're usually surprised to learn that the term covers at least four major regulatory components, each with different compliance obligations.
The core HIPAA rules are the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. The 2013 Omnibus Rule amended and strengthened all of them, extending direct liability to business associates and tightening breach notification standards. Every covered entity and business associate must comply with the rules that apply to their role in handling protected health information (PHI).
The Privacy Rule: Governing How PHI Is Used and Disclosed
The HIPAA Privacy Rule (45 CFR §164.500–534) establishes national standards for when and how PHI can be used, disclosed, and accessed. It applies to every covered entity — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
Key obligations under the Privacy Rule include:
- Providing every patient a Notice of Privacy Practices that explains their rights and your PHI handling practices
- Applying the minimum necessary standard — limiting PHI use and disclosure to only what is needed for a specific purpose
- Granting individuals the right to access, amend, and receive an accounting of disclosures of their health records
- Obtaining valid written authorization before using PHI for marketing or selling PHI
In my work with covered entities, Privacy Rule failures are often the most visible. They generate the patient complaints that land on OCR's desk and trigger investigations.
The Security Rule: Protecting Electronic PHI
While the Privacy Rule covers all forms of PHI, the Security Rule (45 CFR §164.302–318) focuses specifically on electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards.
The Security Rule is built around three categories of safeguards:
- Administrative safeguards: Risk analysis, workforce training, contingency planning, and security management processes
- Physical safeguards: Facility access controls, workstation use policies, and device and media controls
- Technical safeguards: Access controls, audit controls, integrity controls, and transmission security
OCR has made clear — repeatedly, through enforcement actions — that the risk analysis requirement is non-negotiable. Between 2016 and 2024, the majority of HIPAA settlements involved risk analysis failures. Your organization cannot protect ePHI if it hasn't systematically identified where that ePHI lives and what threatens it.
The Breach Notification Rule: What Happens When Safeguards Fail
The Breach Notification Rule (45 CFR §§164.400–414) requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media after an impermissible use or disclosure of PHI that compromises its security or privacy.
Timelines are strict. Individual notifications must go out without unreasonable delay and no later than 60 days after discovery of the breach. Breaches affecting 500 or more individuals require immediate notification to OCR and prominent media outlets in the affected jurisdiction. Smaller breaches must still be reported to HHS annually.
Healthcare organizations consistently struggle with breach risk assessments — the four-factor test used to determine whether an impermissible disclosure rises to the level of a reportable breach. Documenting this analysis is critical. OCR expects to see it during any investigation.
The Enforcement Rule and the Omnibus Rule: Teeth Behind Compliance
The Enforcement Rule (45 CFR Part 160, Subparts C–E) establishes OCR's authority to investigate complaints, conduct compliance reviews, and impose civil monetary penalties. Penalty tiers range from $137 to $68,928 per violation, with annual maximums reaching $2,067,813 per violation category (adjusted for inflation as of 2024).
The 2013 Omnibus Rule fundamentally changed HIPAA's reach. It made business associates directly liable for Security Rule and certain Privacy Rule violations — not just through their contracts with covered entities, but under federal law. If your organization works with vendors who access PHI, those business associate agreements must reflect current Omnibus Rule requirements.
The Workforce Training Requirement Most Organizations Underestimate
Every HIPAA rule connects back to your people. The Privacy Rule requires workforce training on PHI policies and procedures (§164.530(b)). The Security Rule requires security awareness training as an administrative safeguard (§164.308(a)(5)). These aren't suggestions — they are regulatory mandates.
OCR enforcement actions consistently cite inadequate or absent workforce training. Your compliance program is only as strong as your team's understanding of what the rules require day to day. Investing in comprehensive HIPAA training and certification is one of the most cost-effective risk reduction steps any covered entity or business associate can take.
How These Rules Work Together in Practice
Understanding what a HIPAA rule is means recognizing that these regulations don't operate in isolation. A single incident — a lost laptop containing ePHI, for example — can trigger obligations under the Privacy Rule (impermissible disclosure), the Security Rule (encryption and device control failures), and the Breach Notification Rule (reporting to individuals and HHS) simultaneously.
OCR doesn't investigate in silos. A complaint about one rule often leads to a broader compliance review. That's why your organization needs a program that addresses every HIPAA rule holistically, not just the one that seems most relevant today.
Building that program starts with accurate risk analysis, documented policies and procedures, current business associate agreements, and consistent workforce education. If your organization is looking to strengthen its compliance foundation, HIPAA Certify's workforce compliance platform provides the structure and training tools to address every rule under one program.
The Bottom Line for Your Organization
Each HIPAA rule exists to protect a specific dimension of patient privacy and data security. The Privacy Rule controls use and disclosure. The Security Rule mandates safeguards for ePHI. The Breach Notification Rule ensures accountability when protections fail. The Enforcement Rule and Omnibus Rule give OCR the authority — and the obligation — to hold covered entities and business associates accountable.
Your compliance program must address all of them. Not eventually. Now.