HIPAA Privacy, Security & Breach Rules: What Each Requires
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
Quick Comparison: The Three Rules
| Rule | CFR Location | What It Covers | Applies To |
|---|---|---|---|
| Privacy Rule | §§ 164.500–164.534 | Use/disclosure of all PHI (any form) | Covered entities + BAs |
| Security Rule | §§ 164.302–164.318 | Safeguards for ePHI only | Covered entities + BAs |
| Breach Notification Rule | §§ 164.400–164.414 | Reporting requirements after a breach | Covered entities + BAs |
The HIPAA Privacy Rule (§§ 164.500–164.534)
The Privacy Rule, issued by HHS in 2002 and substantially amended by the 2013 Omnibus Rule and the 2024 Reproductive Health Privacy Rule, establishes the framework for how covered entities and business associates may use and disclose PHI. Its core principle is the minimum necessary standard: covered entities may only use, disclose, or request the minimum amount of PHI necessary to accomplish the intended purpose.
Permitted Uses and Disclosures
The Privacy Rule permits — without patient authorization — uses and disclosures for: (1) treatment (sharing records among treating providers); (2) payment (billing insurers); and (3) healthcare operations (quality improvement, training, auditing). Certain public interest purposes are also permitted without authorization: public health activities, law enforcement, judicial proceedings, and research under specific conditions.
Patient Rights Under the Privacy Rule
- Right of access (§ 164.524): Patients may request access to their PHI, and the covered entity must respond within 30 days. Covered entities cannot charge unreasonable fees. OCR's Right of Access Initiative has aggressively enforced this right with penalties against organizations that deny or delay records access.
- Right to amend (§ 164.526): Patients may request corrections to their PHI. The covered entity may deny the request in specific circumstances but must document the denial.
- Right to an accounting of disclosures (§ 164.528): Patients may request a six-year accounting of disclosures made without authorization (excluding treatment, payment, and operations).
- Right to request restrictions: Patients may request restrictions on certain disclosures — covered entities must honor restrictions on disclosures to health plans when the patient pays out-of-pocket in full.
The Notice of Privacy Practices Requirement
Every covered entity that has a direct relationship with patients must provide a Notice of Privacy Practices (NPP) under § 164.520. The NPP must describe: how the covered entity uses and discloses PHI; patient rights; the covered entity's legal duties; how to file complaints; and its effective date. HHS released an updated model NPP in February 2026 incorporating Reproductive Health Privacy Rule changes. Existing NPPs may need updating — see our BAA vs NPP guide for the practical difference between these two key documents.
The HIPAA Security Rule (§§ 164.302–164.318)
The Security Rule applies specifically to electronic PHI (ePHI) — PHI in electronic form. Unlike the Privacy Rule, it does not apply to paper records or oral communications. It requires covered entities and business associates to implement three categories of safeguards:
Administrative Safeguards (§ 164.308)
Administrative safeguards are the policies, procedures, and management controls required to protect ePHI. Key required specifications include:
- Security management process: Risk analysis (identify threats and vulnerabilities to ePHI), risk management (implement security measures to reduce risk to a reasonable level), sanction policy (apply penalties to workforce members who violate security policies), and information system activity review.
- Workforce security: Authorization and/or supervision of workforce members with access to ePHI.
- Information access management: Access authorization and establishment/modification procedures.
- Security awareness and training: Security reminders, protection from malicious software, log-in monitoring, password management.
- Contingency plan: Data backup plan, disaster recovery plan, emergency mode operation plan, and testing/revision procedures.
Physical Safeguards (§ 164.310)
Physical safeguards govern how facilities and equipment that contain ePHI are physically secured. Required specifications include facility access controls (contingency operations, facility security plan, access control/validation procedures, maintenance records), workstation use policies, workstation security (physical positioning to minimize unauthorized viewing), and device and media controls (disposal, media re-use, accountability, and backup).
Technical Safeguards (§ 164.312)
Technical safeguards are the technology controls applied to ePHI. Required specifications include: access controls (unique user identification, emergency access procedure, automatic logoff, encryption/decryption); audit controls (hardware/software/procedural mechanisms to record and examine activity in systems containing ePHI); integrity controls (mechanisms to authenticate ePHI and ensure it has not been altered); and transmission security (encryption of ePHI in transit).
Each safeguard specification is either "required" (must be implemented) or "addressable" (must be implemented if reasonable and appropriate, or an equivalent alternative must be documented). "Addressable" does not mean optional — it means the organization must assess and document its decision. See our risk assessment guide for how to conduct the Security Rule's required risk analysis.
The Breach Notification Rule (§§ 164.400–164.414)
The Breach Notification Rule, added by HITECH and codified in the 2013 Omnibus Rule, requires covered entities and business associates to follow specific notification procedures when a breach of unsecured PHI occurs.
What Is a Breach?
A breach is defined as an impermissible use or disclosure of PHI that compromises the security or privacy of the information — unless a low-probability exception applies. The rule creates a presumption of breach: any impermissible use or disclosure is presumed a breach unless the covered entity or BA can demonstrate a low probability that PHI was compromised based on a four-factor risk assessment: (1) nature and extent of the PHI involved; (2) who used or received the PHI; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk has been mitigated.
Notification Requirements
- Individual notification: Covered entities must notify affected individuals within 60 days of discovering a breach. Notification must be in writing by first-class mail (or by email if the individual agreed to receive notices electronically).
- HHS notification: For breaches affecting 500 or more individuals, covered entities must notify HHS at the same time as they notify individuals. For smaller breaches, covered entities maintain a log and submit it to HHS annually. HHS posts large breaches on its public breach portal, commonly called the "Wall of Shame."
- Media notification: For breaches of 500 or more individuals in a state or jurisdiction, covered entities must notify prominent media outlets in that state within 60 days.
- Business associate obligations: BAs must notify the covered entity within 60 days of discovering a breach — even if the BA cannot immediately identify all individuals affected. BAs may not provide individual notifications directly unless the BA agreement specifies otherwise.
How the Three Rules Interact
The three rules work together as an integrated compliance framework. The Privacy Rule defines what PHI is and when it can be used — it sets the substantive limits. The Security Rule specifies how ePHI must be technically protected to prevent unauthorized use — it provides the technical implementation requirements. The Breach Notification Rule specifies what must happen when the Privacy or Security Rule is violated in a way that compromises PHI — it provides the accountability mechanism.
A practical example: A covered entity's employee emails unencrypted patient records to a personal email account. This is potentially an impermissible disclosure (Privacy Rule violation) of unencrypted ePHI (Security Rule failure — transmission security requirement not met), which triggers a presumption of breach and notification obligations (Breach Notification Rule). All three rules activate simultaneously.
Frequently Asked Questions
What is the HIPAA Privacy Rule?
The Privacy Rule (45 CFR §§ 164.500–164.534) governs when covered entities and BAs may use and disclose PHI. It applies to all forms of PHI (electronic, paper, oral), grants patients rights of access, amendment, and accounting of disclosures, and requires covered entities to distribute a Notice of Privacy Practices. The minimum necessary standard is its core operating principle.
What is the HIPAA Security Rule?
The Security Rule (45 CFR §§ 164.302–164.318) requires covered entities and BAs to implement administrative, physical, and technical safeguards for ePHI. It applies only to electronic PHI. The Security Rule's risk analysis requirement under § 164.308(a)(1) is one of the most frequently cited violations in OCR enforcement actions.
What is the Breach Notification Rule?
The Breach Notification Rule (45 CFR §§ 164.400–164.414) requires covered entities to notify affected individuals, HHS, and (for large breaches) the media within 60 days of discovering a breach of unsecured PHI. Business associates must notify covered entities within 60 days. Any impermissible use or disclosure is presumed to be a breach unless a documented four-factor risk assessment demonstrates a low probability of compromise.
Does the Security Rule apply to paper records?
No. The Security Rule specifically covers ePHI only. Paper records are governed by the Privacy Rule's reasonable safeguard requirements but not by the Security Rule's specific technical safeguard provisions. Paper records must still be securely stored, protected from unauthorized access, and properly disposed of (e.g., shredded).
What's the difference between the Privacy Rule and Security Rule?
The Privacy Rule governs who can use or disclose PHI (in any form) and under what conditions. The Security Rule governs how ePHI must be technically safeguarded. The Privacy Rule is about information governance; the Security Rule is about information security. Both apply to covered entities and business associates. The Privacy Rule has broader scope (all PHI formats); the Security Rule has more detailed technical requirements (all targeted at ePHI).