HIPAA Privacy and Security Rules Explained: Requirements, Scope, and Compliance Steps

Kevin Henry

HIPAA

March 07, 2025

9 minutes read

This guide distills the HIPAA Privacy and Security Rules into practical actions you can apply today. You’ll see what the rules require, their scope, and clear compliance steps for handling Protected Health Information and Electronic Protected Health Information across your organization.

The emphasis is on risk-based safeguards, documentation, Breach Notification readiness, and Workforce Training—core elements that regulators and partners expect to find operating and provable.

HIPAA Privacy Rule Overview

Scope and what’s protected

The Privacy Rule protects Protected Health Information (PHI): individually identifiable health information related to a person’s health, care, or payment for care. PHI can exist in any form—paper, verbal, or electronic—and includes obvious identifiers (name, SSN) and indirect ones (dates, device IDs, IP addresses) when linked to health data.

Permitted uses and disclosures

Without an authorization, you may use or disclose PHI for treatment, payment, and health care operations, and for specific public-interest purposes (for example, public health reporting, certain law enforcement requests). Apply the “minimum necessary” standard to limit PHI to the least amount needed for the task, except where the rule exempts it (such as disclosures to the individual or for treatment).

Individual rights and required notices

Individuals have rights to access and obtain copies of their PHI (generally within 30 days, with one allowable 30-day extension), request amendments, obtain an accounting of disclosures, request restrictions, and ask for confidential communications. You must provide and post a Notice of Privacy Practices explaining these rights and your uses and disclosures.

Authorizations and de-identification

Uses and disclosures outside permitted purposes require a valid authorization. When appropriate, you may rely on de-identification (safe harbor or expert determination) to remove identifiers and reduce privacy risk while enabling analytics and sharing.
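To make the safe harbor method concrete, here is an added example (not code from the original article) that applies the Safe Harbor rules of 45 CFR 164.514(b)(2) to a flat patient record: direct identifiers are dropped, geography is reduced to the state and the three-digit ZIP prefix (or 000 for sparsely populated prefixes), dates are reduced to the year, and ages over 89 are aggregated into a single "90+" category with the birth year suppressed as well, since the year alone would reveal the age. The field names, the restricted-ZIP set and the sample records are assumptions constructed for illustration.

```python
"""Safe Harbor de-identification of a flat patient record (added example)."""
from datetime import date

# Fields holding direct identifiers that Safe Harbor removes outright
# (assumed field names covering the identifier categories in the rule).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "account_no",
    "health_plan_id", "license_no", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state; the state itself may remain.
GEOGRAPHIC_FIELDS = {"street", "city", "county"}
# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Free text can carry any identifier; it needs its own redaction pass, so
# this example drops it rather than pretend a regex is enough.
FREE_TEXT_FIELDS = {"notes"}
# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Constructed placeholder: load the real set from current census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102"}

# Constructed sample records (not real patients) and the extract date used
# as the reference point for age.
AS_OF = date(2025, 3, 7)
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-1", "dob": date(1933, 5, 1),
     "zip": "02139", "street": "1 Main St", "city": "Cambridge", "state": "MA",
     "admit_date": date(2025, 2, 10), "diagnosis": "I10",
     "notes": "seen 02/10/2025"},
    {"name": "John Roe", "dob": date(1990, 8, 20), "age": 34, "zip": "03601",
     "state": "NH", "diagnosis": "J45", "ip_address": "10.0.0.5"},
]


def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix is in the restricted set."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record, as_of):
    """Return a new dict with Safe Harbor applied; `record` is not modified."""
    dob = record.get("dob")
    over_89 = (dob is not None and age_on(dob, as_of) > 89) or (
        record.get("age") is not None and record["age"] > 89
    )
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS | GEOGRAPHIC_FIELDS | FREE_TEXT_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            if field == "dob" and over_89:
                continue            # birth year would reveal an age over 89
            out[field + "_year"] = value.year
        elif field == "age":
            out["age"] = "90+" if over_89 else value
        else:
            out[field] = value
    if over_89:
        out["age"] = "90+"          # emit the aggregate even without an age field
    return out


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(safe_harbor(rec, AS_OF))
```

Note that Safe Harbor is all-or-nothing: if any of the listed identifiers survives (typically in free text or in a field you did not map), the output is still PHI. Expert determination is the alternative when you need to keep more detail than this method allows.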

HIPAA Security Rule Standards

The Security Rule safeguards Electronic Protected Health Information (ePHI). It is risk-based and flexible, requiring controls commensurate with your size, complexity, technologies, and threats. Some implementation specifications are “required” and others are “addressable”; for addressable items, you must implement the specification, implement an equivalent alternative measure, or document why neither is reasonable and appropriate in your environment.

Administrative Safeguards

  • Risk analysis and risk management to identify threats and reduce risks to reasonable and appropriate levels.
  • Assigned security responsibility and security management processes, including sanctions and periodic evaluations.
  • Information access management using role-based access and the minimum necessary principle.
  • Security awareness and Workforce Training, including phishing and incident reporting.
  • Security incident procedures and a contingency plan (backup, disaster recovery, emergency mode operations).
  • Business Associate management, including agreements and oversight.

Physical Safeguards

  • Facility access controls and visitor management.
  • Workstation use and workstation security standards for offices, clinical areas, and remote locations.
  • Device and media controls, including inventory, secure disposal, re-use procedures, and media movement tracking.

Technical Safeguards

  • Access controls (unique user IDs, emergency access, automatic logoff, encryption as appropriate).
  • Audit controls to log and review system activity involving ePHI.
  • Integrity protections to prevent improper alteration or destruction.
  • Person or entity authentication to verify users and systems.
  • Transmission security, such as TLS or VPNs, to protect ePHI in transit.
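Audit controls are only useful if someone actually reviews the records, and the pitfall section below calls out the lack of review as a common failure. As an added example (not code from the original article), the following Python reviews a constructed ePHI access log for three patterns that routinely end up on a privacy officer's desk: use of emergency (“break the glass”) access, a unit-bound role viewing a patient on another unit, and one account opening many distinct records in a short window, which is the signature of snooping or bulk export. The log format, role names, window and threshold are assumptions; map them onto your own system's audit schema.

```python
"""Review ePHI access records for patterns that warrant follow-up (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, one per line:
# timestamp  user  role  home-unit  event  patient-id  patient-unit
SAMPLE_LOG = """\
2025-03-01T09:02:11Z nurse_a RN ONC VIEW P1001 ONC
2025-03-01T09:05:40Z nurse_a RN ONC VIEW P1002 ONC
2025-03-01T09:07:02Z nurse_a RN ONC VIEW P2001 ICU
2025-03-01T22:14:09Z clerk_b REG ED VIEW P3001 ED
2025-03-01T22:14:30Z clerk_b REG ED VIEW P3002 ED
2025-03-01T22:14:51Z clerk_b REG ED VIEW P3003 ED
2025-03-01T22:15:12Z clerk_b REG ED VIEW P3004 ED
2025-03-01T22:15:33Z clerk_b REG ED VIEW P3005 ED
2025-03-01T22:15:54Z clerk_b REG ED VIEW P3006 ED
2025-03-02T03:40:00Z md_c MD ICU BREAK_GLASS P4001 ONC
"""

# Roles whose duties legitimately span units (assumption for the example).
CROSS_UNIT_ROLES = {"MD", "PHARM"}
DISTINCT_PATIENT_LIMIT = 5        # distinct records per user per window
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, unit, event, patient, patient_unit = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "unit": unit,
            "event": event, "patient": patient, "patient_unit": patient_unit,
        })
    return records


def review_access(records):
    """Return (user, reason, detail) findings from three checks: emergency
    access, cross-unit access by a unit-bound role, and high-volume browsing."""
    findings = []
    per_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "BREAK_GLASS":
            findings.append((r["user"], "emergency_access", r["patient"]))
        if r["unit"] != r["patient_unit"] and r["role"] not in CROSS_UNIT_ROLES:
            findings.append((r["user"], "cross_unit_access", r["patient"]))
        per_user[r["user"]].append(r)

    # Sliding window: count distinct patients a user touched within WINDOW.
    for user, events in per_user.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            distinct = {e["patient"] for e in events[start:end + 1]}
            if len(distinct) > DISTINCT_PATIENT_LIMIT:
                findings.append((user, "volume", f"{len(distinct)} records in {WINDOW}"))
                break             # one finding per user is enough for the queue
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding is a review item, not a verdict: break-glass use and cross-unit access are often legitimate, which is why the output carries the patient ID so the reviewer can confirm a treatment relationship. Run this against a day of logs and you will learn quickly whether your audit trail even records the fields (home unit, patient unit) the checks depend on.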

Encryption is an addressable specification but strongly recommended: ePHI encrypted in line with HHS guidance is not “unsecured” PHI under the Breach Notification Rule, so the loss of an encrypted device or dataset is generally not a reportable breach, provided the decryption key was not also exposed.

Roles of Covered Entities

Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. Your core duties are to protect PHI, respect individual rights, and demonstrate compliance through policies, safeguards, and documentation.

  • Appoint a privacy official and a security official to own the program.
  • Publish a Notice of Privacy Practices and operationalize minimum necessary access.
  • Execute and manage Business Associate Agreements for vendors handling PHI/ePHI.
  • Implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
  • Deliver initial and ongoing Workforce Training; enforce sanctions for violations.
  • Maintain required documentation for at least six years from creation or last effective date.

Responsibilities of Business Associates

Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity. They are directly regulated by the Security Rule and subject to Breach Notification duties.

  • Sign a Business Associate Agreement that limits uses/disclosures and defines safeguards and reporting.
  • Implement Security Rule controls for ePHI and applicable privacy obligations.
  • Flow down requirements to subcontractors who handle PHI/ePHI.
  • Report security incidents and potential breaches to the covered entity without unreasonable delay, and no later than 60 days from discovery.
  • Return or securely destroy PHI when services end, when feasible.

Conducting Risk Assessments

Method that works in practice

  • Define scope: inventory systems, applications, endpoints, cloud services, integrations, backups, and vendors that store or process ePHI.
  • Map ePHI data flows from collection to archival and disposal; include remote work and medical devices.
  • Identify threats and vulnerabilities across Administrative, Physical, and Technical Safeguards.
  • Evaluate existing controls; rate likelihood and impact; prioritize risks.
  • Select treatments (implement, enhance, transfer, or accept), with rationale and owners.
  • Document “required” vs “addressable” decisions and planned alternatives where applicable.
  • Execute a remediation plan with milestones; reassess after major changes or at least annually.

Common pitfalls to avoid

  • Under-scoping cloud, APIs, and mobile/BYOD endpoints where ePHI resides.
  • Not logging or reviewing access to ePHI, limiting the ability to detect misuse.
  • Skipping documentation of addressable decisions, weakening defensibility.
  • Ignoring vendor and subcontractor risks tied to Business Associates.

Developing Policies and Procedures

Policies translate standards into daily practice and evidence. Build concise, enforceable procedures that staff can follow, then audit for adherence.

  • Access control and least privilege (role design, approvals, periodic reviews, termination/transfer procedures).
  • Password/MFA requirements, session timeouts, and secure configuration baselines.
  • Data classification, encryption at rest and in transit, key management, and secure disposal.
  • Workstation, mobile, and BYOD rules; remote work and telehealth safeguards.
  • Change, patch, and vulnerability management; secure software development where applicable.
  • Incident response and Breach Notification playbooks with on-call roles and decision trees.
  • Contingency planning (backups, disaster recovery, emergency mode operations) with testing.
  • Individual rights processes (access, amendment, accounting of disclosures) with service-level targets that meet the regulatory deadlines.
  • Vendor/Business Associate lifecycle management, including due diligence and contract controls.
  • Workforce Training at hire and periodically; track attendance and assess comprehension.

Keep all policies, risk analyses, training logs, and BAAs for at least six years. Review after incidents, audits, or technology and organizational changes.

Breach Notification Requirements

When notification is required

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its privacy or security. Such an incident is presumed to be a breach, and you must notify affected individuals, unless a documented risk assessment demonstrates a low probability that the PHI has been compromised. That assessment considers four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually viewed or acquired, and the extent to which the risk has been mitigated.

Timelines and who to notify

  • Individuals: without unreasonable delay and no later than 60 days from discovery.
  • HHS: contemporaneously for incidents affecting 500 or more individuals; for fewer than 500, no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Media: for breaches involving more than 500 residents of a state or jurisdiction.
  • Substitute notice: required when contact information is insufficient or out of date; for 10 or more such individuals, this means a conspicuous posting on your website for 90 days or notice in major media, plus a toll-free number active for 90 days.
  • Business Associates: must notify the covered entity without unreasonable delay (and include, when known, identification of affected individuals and the nature of the information).

Content of the notice

  • A brief description of what happened, including dates of breach and discovery.
  • Types of PHI involved (for example, names, diagnoses, account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate, and prevent future occurrences.
  • Contact methods for questions: toll-free number, email, or postal address.

PHI rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption consistent with HHS guidance, with the key not compromised) is not “unsecured” and does not trigger Breach Notification obligations.

Steps for Compliance Implementation

  • Appoint privacy and security leaders with authority to drive decisions and budgets.
  • Inventory PHI/ePHI, systems, data flows, and vendors; define your compliance scope.
  • Perform a Security Rule risk analysis and Privacy Rule gap assessment; prioritize risks.
  • Implement safeguards: Administrative, Physical, and Technical Safeguards aligned to risks.
  • Establish Business Associate management and execute compliant BAAs.
  • Publish policies and procedures; train the workforce and enforce sanctions.
  • Deploy core controls: MFA, encryption, endpoint protection, logging/auditing, secure backups.
  • Test incident response and Breach Notification; run tabletop exercises and adjust playbooks.
  • Validate contingency capabilities with restore and disaster recovery tests.
  • Operationalize individual rights fulfillment with tracked turnaround times.
  • Monitor continuously, conduct periodic evaluations, and retain documentation for six years.

By aligning your program to the HIPAA Privacy and Security Rules in this way, you create a defensible, risk-based posture. Effective safeguards, clear procedures, timely Breach Notification, and ongoing Workforce Training work together to protect patients and keep your organization compliant.
