DHHS HIPAA Explained: Key Rules, Compliance Requirements, and Guidance
HIPAA sets national standards for safeguarding Protected Health Information (PHI) across the U.S. health ecosystem. Under the U.S. Department of Health and Human Services (often called DHHS or HHS), the Office for Civil Rights (OCR) administers and enforces these rules for Covered Entities and their Business Associates.
This guide breaks down the core HIPAA rules—Privacy, Security, Breach Notification, Enforcement, and Omnibus—then points you to practical compliance guidance and risk assessment tools you can use today.
Privacy Rule Requirements
Scope and key definitions
The Privacy Rule governs how PHI is created, used, and disclosed in any form (paper, verbal, or electronic). It applies to health plans, health care clearinghouses, most health care providers, and—through contracts and the Omnibus Rule—Business Associates handling PHI on their behalf.
PHI is individually identifiable health information, in any form, that relates to a person’s past, present, or future physical or mental health, the care provided, or payment for that care. Data de-identified under one of the two recognized methods (Safe Harbor removal of the specified identifiers, or Expert Determination by a qualified statistician) falls outside the rule.
Permitted uses and disclosures
- Treatment, payment, and health care operations without patient authorization, plus disclosures to the individual themselves.
- Uses where the individual has the opportunity to agree or object informally, such as facility directories and disclosures to family involved in care.
- Public interest and legal disclosures (certain public health activities, law enforcement requests, judicial and administrative proceedings, and similar) under the specific conditions the rule sets for each.
- All other uses and disclosures require a valid written authorization, which the individual may revoke in writing at any time.
Individual rights
- Access to and copies of their PHI in a designated record set, generally within 30 days of the request, in the form and format they ask for (including electronic copies of ePHI) when it is readily producible.
- Request amendments and an accounting of certain disclosures.
- Request restrictions and confidential communications, including the right to restrict disclosures to health plans when paying out-of-pocket in full.
Minimum necessary and de-identification
You must limit uses, disclosures, and requests to the minimum necessary to accomplish the purpose. The main exceptions are disclosures to or requests by a provider for treatment, disclosures to the individual, and uses or disclosures made under an authorization. When possible, reduce risk further by working with de-identified data or with limited data sets under data use agreements.
Notice of Privacy Practices and governance
Provide a clear Notice of Privacy Practices explaining how you use PHI, patient rights, and contact channels. Back it with policies, role-based access, workforce training, and Business Associate Agreements that bind partners to Privacy Rule standards.
Security Rule Safeguards
What the rule covers
The Security Rule protects electronic PHI (ePHI) held or transmitted by Covered Entities and Business Associates. It is risk-based and scalable, requiring “reasonable and appropriate” safeguards based on your size, complexity, and risks.
Administrative Safeguards
- Risk analysis and risk management to identify and treat threats to ePHI.
- Assigned security responsibility, workforce security, and role-based access.
- Security awareness and training, including phishing and incident reporting.
- Contingency planning: data backups, disaster recovery, and emergency mode operations.
- Policies, procedures, and periodic evaluations to verify effectiveness.
Physical Safeguards
- Facility access controls and visitor management.
- Workstation security, screen privacy, and session timeouts.
- Device and media controls, including secure disposal and reuse procedures.
Technical Safeguards
- Access controls: unique user identification, emergency access procedures, automatic logoff, and encryption of stored ePHI, backed by person or entity authentication to verify who is actually connecting.
- Audit controls: system logs, review routines, and anomaly detection.
- Integrity: controls to prevent improper alteration or destruction of ePHI.
- Transmission security: integrity controls and encryption for ePHI in transit, particularly over networks you do not control.
Implementation specifications
Some specifications are “required,” while others are “addressable.” Addressable does not mean optional—you must assess feasibility, implement equivalent measures where appropriate, and document your decisions.
Breach Notification Procedures
What constitutes a breach
A breach is an acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises its security or privacy. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, either by encryption consistent with HHS guidance or by destruction; PHI secured that way is outside the notification requirement, which is the encryption safe harbor. Three narrow exceptions cover unintentional, good-faith access by a workforce member acting within their authority, inadvertent disclosure between persons authorized to access PHI at the same organization, and disclosures where the recipient could not reasonably have retained the information.
Risk assessment for low probability of compromise
When an incident occurs, assess at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. Unless that documented assessment demonstrates a low probability that the PHI has been compromised, the incident is presumed to be a breach and must be reported.
Notice timing and recipients
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- For breaches affecting 500 or more individuals, notify HHS at the same time as the individuals; where more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area.
- Log breaches affecting fewer than 500 individuals and report them to HHS no later than 60 days after the end of the calendar year in which they were discovered.
Notification content and method
Notices must describe, in plain language, what happened (including the dates of the breach and of its discovery), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate, mitigate, and prevent recurrence, and how to contact you. Send written notice by first-class mail, or by email if the individual has agreed to electronic notice. Substitute notice (a website posting or media notice) applies when contact information is insufficient or out of date, and telephone notice may supplement the written notice where misuse of the PHI is imminent.
Business Associate responsibilities
Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery, identify the affected individuals as far as they can, and supply the details the Covered Entity needs for its own notices. Your Business Associate Agreement should spell out these HIPAA Breach Notification duties, and it may set a shorter reporting deadline than the 60-day outer limit.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Enforcement Rule Processes
How investigations begin
OCR investigations start from complaints, breach reports, or compliance reviews that OCR initiates on its own. OCR can request documents, conduct interviews, and perform on-site visits to evaluate policies, safeguards, and incident handling.
Outcomes and penalties
Outcomes range from technical assistance and voluntary compliance to resolution agreements with Corrective Action Plans and civil money penalties. Penalties fall into four tiers that scale by culpability, from violations the entity did not know about and could not reasonably have known about, through reasonable cause, to willful neglect that is corrected and willful neglect that is not; the nature and extent of harm is also weighed, and uncorrected willful neglect draws the highest sanctions.
Mitigation and ongoing oversight
Timely mitigation, cooperation, and documented remediation can reduce exposure. Resolution agreements often include multi-year monitoring, progress reporting, and validation of sustained compliance improvements.
Criminal exposure
In egregious cases, the Department of Justice may pursue criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA, especially for personal gain or malicious harm.
Omnibus Rule Provisions
Direct liability for Business Associates
The Omnibus Rule expands direct compliance obligations to Business Associates and their subcontractors. You must execute Business Associate Agreements and verify downstream protections for PHI.
Breach presumption and notification refinements
Omnibus established the presumption that an impermissible use or disclosure is a breach unless you can show low probability of compromise through a documented assessment.
Marketing, sale of PHI, and fundraising
The rule tightens limits on marketing and the sale of PHI and clarifies when authorizations are required. It also sets conditions for fundraising communications and opt-out rights.
Enhanced individual rights and special categories
Individuals have stronger rights to electronic copies of ePHI and to restrict disclosures to health plans when services are paid in full out-of-pocket. The rule also limits Privacy Rule protection of a decedent’s information to 50 years after death and treats genetic information as health information, barring most health plans from using it for underwriting.
Compliance Guidance Resources
Build a practical compliance program
- Establish governance: designate privacy and security leaders with clear authority.
- Create and maintain written policies mapped to HIPAA standards and your operations.
- Provide role-based training with routine refreshers and documented attendance.
- Conduct periodic internal audits and independent reviews of key controls.
- Test incident response and breach notification playbooks at least annually.
Business Associate management
- Inventory all vendors touching PHI and classify them as Business Associates where applicable.
- Use standardized due diligence, security questionnaires, and contract clauses.
- Monitor performance with attestations, assessments, and right-to-audit provisions.
Operational tips
- Data map your PHI: where it is collected, processed, stored, and transmitted.
- Apply the minimum necessary standard to workflows and system permissions.
- Document decisions, especially for “addressable” controls and compensating measures.
Risk Assessment Tools
Core steps in a HIPAA risk analysis
- Identify assets containing ePHI (systems, apps, devices, data flows, vendors).
- Catalog threats and vulnerabilities, including human error and third-party risks.
- Evaluate likelihood and impact, then score inherent and residual risk.
- Select Administrative, Physical, and Technical Safeguards to reduce risk to reasonable and appropriate levels.
- Document the methodology, findings, remediation plans, and target dates.
Scoring and prioritization
Use a simple matrix (for example, 1–5 for likelihood and impact) to rank scenarios and focus on the highest combined scores. Tie each risk to specific controls, owners, and measurable milestones.
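As an added example (not code from the original article), here is a small Python risk register that applies the 1–5 matrix above: each scenario gets an inherent score (likelihood × impact), each control tied to it carries an assumed fraction of the score it removes along with an owner, and the residual score decides the order of work. Every scenario, control, owner, and reduction factor is constructed for illustration, and the High/Medium/Low bands are an assumption of the example rather than anything HIPAA defines.

```python
"""Added example (not from the original article): a minimal risk register that
applies the 1-5 likelihood x impact matrix, tracks the control and owner tied
to each risk, and ranks scenarios by residual score.  Scenarios, controls,
owners, and reduction factors are constructed for illustration; the
High/Medium/Low bands are an assumption of this example."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    owner: str
    # Fraction of the risk score this control is judged to remove (0.0-1.0).
    # An assumed modelling choice, not a quantity HIPAA defines.
    reduction: float


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (e.g. large ePHI exposure)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def inherent(self) -> int:
        """Score before any control is credited."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score after controls are applied multiplicatively, floored at 1."""
        score = float(self.inherent)
        for c in self.controls:
            score *= 1.0 - c.reduction
        return max(1, round(score))


def band(score: int) -> str:
    """Assumed rating bands for a 25-point matrix."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Highest residual first; ties broken by inherent score so that a large
    risk held down only by controls still sits above a small one."""
    return sorted(risks, key=lambda r: (r.residual, r.inherent), reverse=True)


def build_register():
    """Constructed sample register for a small clinic (illustrative only)."""
    mfa = Control("MFA on EHR and VPN", "IAM lead", 0.6)
    training = Control("Phishing-focused awareness training", "Privacy officer", 0.2)
    fde = Control("Full-disk encryption on laptops", "Endpoint team", 0.85)
    baa = Control("BAA plus annual vendor assessment", "Compliance", 0.3)
    return [
        Risk("EHR database", "credential theft via phishing", 4, 5, [mfa, training]),
        Risk("Clinician laptops", "lost or stolen device with ePHI", 3, 5, [fde]),
        Risk("Backup tapes", "improper disposal of retired media", 2, 4, []),
        Risk("Billing vendor", "breach at a Business Associate", 3, 3, [baa]),
    ]


if __name__ == "__main__":
    for r in prioritize(build_register()):
        owners = ", ".join(c.owner for c in r.controls) or "UNASSIGNED"
        print(f"{r.asset:18} inherent={r.inherent:2} ({band(r.inherent)})"
              f" residual={r.residual:2} ({band(r.residual)}) owners: {owners}")
```

The sorted output shows why inherent and residual are tracked separately: the uncontrolled tape-disposal scenario, only Medium on paper, ends up ahead of the High-rated EHR scenario whose controls are already in place, and it is also the only row with no owner. Reduction factors are judgement calls, so record the rationale for each one; the written methodology is what OCR asks for.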
Continuous monitoring
- Track key indicators such as patch latency, access anomalies, and failed logins.
- Reassess risks after system changes, new integrations, or security incidents.
- Review your analysis at least annually and after material changes to your environment.
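The indicators listed above, and the log review routines and anomaly detection named under Technical Safeguards (audit controls), are easiest to see on data. The following Python is an added example, not code from the original article or from any product it mentions: it runs a failed-login burst detector over a constructed authentication log and computes patch latency against an assumed 30-day service level from a constructed host inventory. The log format, field names, hostnames, thresholds, and dates are all assumptions of this example.

```python
"""Added example (not from the original article): two monitoring indicators
computed from constructed sample data.  Log format, field names, hostnames,
dates and thresholds are assumptions of this example."""
from collections import defaultdict, deque
from datetime import date, datetime, timedelta, timezone

# Constructed sample events (not real logs): "<ISO timestamp> <user> <outcome> <source ip>"
SAMPLE_AUTH_LOG = """\
2024-03-04T08:01:10Z jsmith FAIL 10.0.4.21
2024-03-04T08:01:25Z jsmith FAIL 10.0.4.21
2024-03-04T08:01:41Z jsmith FAIL 10.0.4.21
2024-03-04T08:02:03Z jsmith FAIL 10.0.4.21
2024-03-04T08:02:30Z jsmith FAIL 10.0.4.21
2024-03-04T08:02:58Z jsmith SUCCESS 10.0.4.21
2024-03-04T08:10:00Z anurse FAIL 10.0.7.3
2024-03-04T08:10:20Z anurse SUCCESS 10.0.7.3
2024-03-04T09:00:00Z svc-backup FAIL 10.0.9.9
2024-03-04T09:30:00Z svc-backup FAIL 10.0.9.9
2024-03-04T10:00:00Z svc-backup FAIL 10.0.9.9
2024-03-04T10:30:00Z svc-backup FAIL 10.0.9.9
2024-03-04T11:00:00Z svc-backup FAIL 10.0.9.9
"""

# Constructed patch inventory: host -> (vendor release date, date applied or None)
SAMPLE_PATCH_STATUS = {
    "ehr-db-01": ("2024-02-01", "2024-02-10"),
    "imaging-ws-07": ("2024-02-01", None),
    "billing-app-02": ("2024-02-15", "2024-03-01"),
}


def parse_auth_log(text):
    """Parse the assumed whitespace-separated format into (ts, user, outcome, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, outcome, ip))
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per user per burst of >= threshold failures inside `window`.
    A success arriving within `window` of the burst is flagged on the alert,
    since that pattern looks like a guessed password rather than a forgotten one.
    Failures spread wider than the window (e.g. a misconfigured service account)
    never reach the threshold and produce no alert."""
    recent = defaultdict(deque)      # user -> timestamps of failures in the window
    burst_open = {}                  # user -> time the current burst was raised
    alerts = []
    for ts, user, outcome, ip in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open[user] = ts
                alerts.append({"user": user, "ip": ip, "at": ts,
                               "failures": len(q), "success_after_burst": False})
        elif outcome == "SUCCESS":
            started = burst_open.get(user)
            if started is not None and ts - started <= window:
                for a in alerts:
                    if a["user"] == user and a["at"] == started:
                        a["success_after_burst"] = True
            q.clear()                       # a success ends the current window
            burst_open.pop(user, None)
    return alerts


def patch_latency(status, as_of, sla_days=30):
    """Days from vendor release to deployment, or to `as_of` for hosts still
    unpatched; hosts beyond the assumed SLA are flagged, slowest first."""
    as_of_d = date.fromisoformat(as_of)
    report = []
    for host, (released, applied) in status.items():
        end = date.fromisoformat(applied) if applied else as_of_d
        days = (end - date.fromisoformat(released)).days
        report.append({"host": host, "days": days,
                       "patched": applied is not None, "overdue": days > sla_days})
    return sorted(report, key=lambda r: r["days"], reverse=True)


if __name__ == "__main__":
    for a in detect_failed_login_bursts(parse_auth_log(SAMPLE_AUTH_LOG)):
        print("ALERT", a)
    for r in patch_latency(SAMPLE_PATCH_STATUS, "2024-03-04"):
        print(("OVERDUE " if r["overdue"] else "ok      ") + f"{r['host']:15} {r['days']} days")
```

Both functions return structured records rather than printing, so the same code can feed a ticket, a dashboard, or the evidence file for your next risk analysis review. The interesting rows are the ones the thresholds are designed to separate: the clinician account that fails five times and then succeeds inside three minutes is raised, while the service account failing every half hour is not, and the unpatched imaging workstation shows up at the top of the latency list rather than being hidden among hosts that were patched on time.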
Conclusion
HIPAA compliance is achievable when you align Privacy Rule practices with Security Rule controls, prepare for HIPAA Breach Notification, and understand Enforcement processes. Use Omnibus-era expectations, robust vendor oversight, and disciplined risk analysis to protect PHI and build trust.
FAQs
What are the main components of the DHHS HIPAA Privacy Rule?
The Privacy Rule defines PHI and sets standards for how Covered Entities and Business Associates use and disclose it. It outlines permitted uses (such as treatment, payment, and operations), requires the minimum necessary principle, and grants individuals rights to access, amend, and receive an accounting of certain disclosures. It also mandates Notices of Privacy Practices and governance controls.
How does the Security Rule protect electronic health information?
The Security Rule requires a risk-based program for ePHI with Administrative, Physical, and Technical Safeguards. Core elements include risk analysis, role-based access, training, contingency planning, facility and device protections, audit logging, integrity controls, and transmission security such as encryption. Required specifications must be implemented as written; addressable ones must be implemented, met with a documented equivalent measure, or documented as not reasonable and appropriate for your environment.
What constitutes a breach under HIPAA?
A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. It is presumed a breach unless a documented assessment shows a low probability of compromise. Exceptions exist for certain unintentional or inadvertent disclosures, and properly encrypted or destroyed PHI is generally considered secured.
How does the Enforcement Rule affect covered entities?
The Enforcement Rule authorizes OCR to investigate complaints and breach reports and to conduct compliance reviews, seeking corrective action where needed. Outcomes range from technical assistance to civil money penalties and resolution agreements with ongoing monitoring. Prompt mitigation, cooperation, and strong documentation can significantly influence the result of an investigation.