If you have ever felt confused about where the Privacy Rule ends and the Security Rule begins, you are not alone. Understanding the distinct purpose of each rule is the fastest way to make sense of your obligations, so we will take them one at a time.
How the HIPAA Rules fit together
The rules that make up HIPAA were issued over time by the Department of Health and Human Services to implement the law passed in 1996. Each rule addresses a specific concern: who may use health information, how electronic data must be secured, what happens after a breach, and how the law is enforced. Together they form a complete framework, but each can be understood on its own.
Building and maintaining HIPAA compliance means satisfying every rule that applies to you — which, for most covered entities and business associates, means the Privacy, Security, and Breach Notification Rules at minimum.
The Privacy Rule
The Privacy Rule sets national standards for the use and disclosure of protected health information (PHI) in any form — paper, electronic, or spoken. Its core principle is that PHI may only be used or disclosed for permitted purposes, chiefly treatment, payment, and healthcare operations, unless the patient provides written authorization.
The Privacy Rule also grants patients important rights: to access their records, request amendments, request restrictions on certain disclosures, and receive an accounting of disclosures. It introduced the “minimum necessary” principle, which requires limiting PHI use and disclosure to the least amount needed to accomplish the purpose.
The Security Rule
The Security Rule applies specifically to electronic protected health information (ePHI). Where the Privacy Rule is about who may access information, the Security Rule is about how that electronic information is protected technically and operationally. It requires three categories of safeguards — administrative, physical, and technical — and mandates a documented, ongoing risk analysis as the foundation.
A distinctive feature of the Security Rule is its split between “required” and “addressable” implementation specifications. Addressable does not mean optional; it means you must implement the safeguard or document a reasonable equivalent alternative and the rationale for your choice.
The Breach Notification Rule
The Breach Notification Rule defines what organizations must do when unsecured PHI is compromised. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify the Secretary of HHS, and — for large breaches affecting 500 or more residents of a state or jurisdiction — notify prominent media outlets.
Business associates must notify the covered entity when they discover a breach. Importantly, properly encrypted data that is lost or stolen is generally not considered a reportable breach, which is one reason encryption is so strongly encouraged.
The Omnibus Rule
The Omnibus Rule of 2013 implemented changes from the HITECH Act and significantly strengthened HIPAA. Its most consequential change was making business associates — and their subcontractors — directly liable for compliance, rather than only contractually responsible to the covered entity. It also tightened the breach-notification standard and enhanced penalties.
For modern health-tech vendors and cloud providers, the Omnibus Rule is why HIPAA applies to you directly: if you handle PHI on a covered entity’s behalf, you carry real legal obligations and exposure.
The Enforcement Rule
The Enforcement Rule governs how HIPAA is investigated and penalized. It gives the HHS Office for Civil Rights (OCR) authority to investigate complaints, conduct compliance reviews, and impose civil monetary penalties. Penalties are tiered by culpability, ranging from modest fines for unknowing violations to substantial penalties for willful neglect that is not corrected.
The Enforcement Rule also establishes the procedures OCR follows, including the opportunity for organizations to demonstrate corrective action. It is the mechanism that turns the other rules from guidance into enforceable obligations. Together these rules define the obligations that make up HIPAA compliance.
The Transactions and Code Sets Rule
Less commonly discussed but still part of HIPAA, the Transactions and Code Sets standards require the use of standardized formats and code sets for electronic healthcare transactions such as claims and eligibility checks. This is the “administrative simplification” side of HIPAA, aimed at reducing cost and friction in the exchange of healthcare data.
Which rules apply to you
Most organizations that handle health data must address the Privacy, Security, and Breach Notification Rules, with the Omnibus and Enforcement Rules shaping liability and consequences. Covered entities engaged in standard electronic transactions also fall under the Transactions and Code Sets standards. Mapping which rules apply to your specific role — covered entity or business associate — is the practical starting point for any compliance program.
How the rules evolved over time
The HIPAA Rules were not all issued at once. The Privacy Rule and Security Rule came first in the early 2000s, followed by enforcement provisions, and then the HITECH Act in 2009 strengthened the framework and led to the 2013 Omnibus Rule. Understanding this history helps explain why the rules sometimes overlap and why business-associate liability is a relatively recent feature.
This layered evolution means HIPAA is best understood as a living framework. Regulators continue to issue guidance and updates, so a compliant organization treats the rules as a baseline to maintain rather than a static target to hit once.
Required vs addressable specifications
A frequent source of confusion within the Security Rule is the distinction between “required” and “addressable” implementation specifications. Required specifications must be implemented exactly. Addressable specifications, by contrast, allow flexibility: you must implement the safeguard, or implement a reasonable alternative and document why, or document that the safeguard is not reasonable and appropriate in your context.
Addressable never means optional. Treating it that way is a common compliance failure. The correct approach is always to make and document a deliberate, defensible decision for each addressable specification.
Penalties and how they are tiered
The Enforcement Rule establishes a tiered penalty structure based on culpability. The lowest tier applies when an organization did not know and could not reasonably have known of a violation; higher tiers apply to reasonable cause, willful neglect that is corrected, and willful neglect that is not corrected. Each tier carries escalating minimum and maximum penalties, with annual caps for identical violations.
This structure rewards organizations that act in good faith and move quickly to fix problems, while reserving the harshest penalties for those that ignore their obligations.
Putting the rules into practice
Knowing the rules is one thing; operationalizing them is another. In practice, the Privacy and Security Rules translate into a concrete program: documented policies, a risk analysis, administrative, physical, and technical safeguards, workforce training, Business Associate Agreements, and incident-response procedures. The Breach Notification Rule translates into a tested plan for detecting, assessing, and reporting incidents.
The goal is to turn the rules from abstract regulations into everyday operating practices that protect data continuously, not just at audit time.
Bringing the rules together
The HIPAA Rules can seem daunting in isolation, but they form a logical whole. The Privacy Rule decides who may use health information and for what; the Security Rule protects the electronic version of that information; the Breach Notification Rule dictates what happens when protection fails; the Omnibus Rule extends these duties across the supply chain; and the Enforcement Rule makes them all stick.
For any organization handling health data, the path forward is to identify which rules apply to your role, then build the policies, safeguards, and procedures that satisfy them. Approached this way, the rules become a practical blueprint for protecting patients and your organization alike, rather than a set of obstacles to navigate.