HIPAA Privacy vs Security Rule Explained: Scope, Safeguards, and Practical Examples

Kevin Henry

HIPAA

February 27, 2025

HIPAA Privacy Rule Scope

The HIPAA Privacy Rule governs how covered entities and their business associates use and disclose Protected Health Information (PHI) in any form—paper, oral, or electronic. It defines permissible uses, requires patient authorization for most uses and disclosures outside treatment, payment, and healthcare operations (TPO), and sets the “minimum necessary” standard to limit exposure.

Under this rule, individuals gain robust rights: to access and obtain copies of their records, request amendments, receive an accounting of certain disclosures, ask for restrictions, and choose confidential communication channels. Organizations must publish a Notice of Privacy Practices and maintain policies, training, and sanctions that safeguard privacy.

What the Privacy Rule covers

  • Who: Health plans, healthcare clearinghouses, and most providers that transmit health information electronically, plus their business associates via contracts.
  • What: Protected Health Information (PHI) that can identify a person and relates to health status, care, or payment.
  • Where: All environments—front desk, call center, clinic, billing office, and remote workspaces.

Practical examples

  • Disclosing PHI for treatment without separate authorization, while sharing only what is needed with the receiving clinician.
  • Providing a patient with an electronic copy of their records within required timeframes and in the format they request if readily producible.
  • Limiting what staff can view on shared screens and using privacy filters to reduce incidental disclosures in waiting areas.

Key documents and processes

  • Notice of Privacy Practices, authorization forms, and documented privacy policies and procedures retained for at least six years.
  • Workforce training, sanctions for violations, complaint handling, and mitigation steps when unauthorized disclosures occur.

HIPAA Security Rule Scope

The HIPAA Security Rule focuses on Electronic Protected Health Information (ePHI)—the subset of PHI created, received, maintained, or transmitted in electronic form. Its objective is to ensure the confidentiality, integrity, and availability of ePHI through Administrative Safeguards, Physical Safeguards, and Technical Safeguards that scale to your size, complexity, and risk profile.

Core duties include conducting a formal Risk Analysis, implementing risk management measures, establishing Security Incident Procedures, and maintaining ongoing evaluation and documentation. Business associates are directly obligated to meet Security Rule requirements for ePHI they handle.

Practical examples

  • Encrypting laptops and mobile devices that store ePHI and enforcing automatic screen lock with short timeouts.
  • Using secure messaging or patient portals for care coordination instead of unencrypted email or consumer texting apps.
  • Reviewing audit logs from the EHR and cloud services and acting on anomalous access patterns.

Administrative Safeguards Comparison

Both rules require governance, training, and accountability, but they emphasize different outcomes. The Privacy Rule centers on permissible uses and patient rights for PHI in any format; the Security Rule mandates a risk-based security program to protect ePHI specifically.

Security Rule administrative safeguards (what you must operationalize)

  • Security management process: formal Risk Analysis and risk management, sanction policy, and information system activity review.
  • Assigned security responsibility: designate a security official accountable for ePHI protection.
  • Workforce security and information access management: authorize, supervise, and remove access using role-based controls aligned to minimum necessary.
  • Security awareness and training: ongoing reminders, phishing education, and password/multi-factor practices.
  • Security Incident Procedures: detect, report, contain, investigate, and document incidents; learn and improve.
  • Contingency planning: data backup, disaster recovery, emergency mode operations, testing and revision, and application/data criticality analysis.
  • Evaluation: periodic technical and nontechnical assessments to verify control effectiveness.
  • Business associate management: ensure contracts require appropriate safeguards and incident reporting.

Privacy Rule administrative requirements (how you manage uses and rights)

  • Designate a privacy official, train workforce on permissible uses/disclosures, and enforce sanctions for violations.
  • Publish and honor the Notice of Privacy Practices; manage authorizations and revocations.
  • Implement policies for minimum necessary, de-identification, and responding to individual rights requests.
  • Establish processes to receive complaints and mitigate harmful effects of improper disclosures.

Make them work together

  • Map “minimum necessary” to role-based access and data segmentation in systems.
  • Pair privacy training with security awareness so staff understand both permissible sharing and secure handling.
  • Use Security Incident Procedures to trigger privacy evaluation of potential unauthorized disclosures and determine follow-up steps.

Physical Safeguards Implementation

Physical Safeguards address how facilities, workstations, devices, and media protect ePHI in the real world. Your goal is controlled access, secure use, and proper disposal to prevent loss or theft.


Facility access controls

  • Create and maintain a facility security plan covering server rooms, wiring closets, and records storage.
  • Use badges, keys, or biometrics with visitor sign-in and escort procedures; keep maintenance logs.
  • Plan for contingency operations so authorized staff can access systems during emergencies.

Workstation use and security

  • Define acceptable use and secure locations for workstations; avoid public-facing screens displaying ePHI.
  • Require automatic logoff and privacy screens; lock devices when unattended.
  • Harden kiosks and shared terminals; separate clinical from public networks where feasible.

Device and media controls

  • Inventory devices that store ePHI; enable full-disk encryption and remote wipe on laptops and mobile phones.
  • Use chain-of-custody for removable media; sanitize or destroy drives before reuse or disposal.
  • Back up data before maintenance or transfers to prevent loss of integrity or availability.

Practical examples

  • Secure telehealth spaces with door locks and sound masking; verify no smart speakers are capturing sessions.
  • Implement locked bins and certified destruction for printouts of ePHI; once printed, the paper is PHI under the Privacy Rule's safeguards, and the same disposal discipline applies.
  • Store backups offsite or in hardened cloud regions with tested recovery procedures.

Technical Safeguards Requirements

Technical Safeguards prescribe the controls your systems and applications must implement to protect ePHI. Focus on access, logging, data integrity, authentication, and secure transmission—each reinforced by Risk Analysis and continuous improvement.

Access control

  • Assign unique user IDs, enforce strong authentication (preferably MFA), and define role-based access aligned to job duties.
  • Implement emergency access procedures for continuity of care; require automatic logoff on inactivity.
  • Apply encryption for data at rest where reasonable and appropriate; segment networks and restrict admin privileges.
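Minimum necessary becomes enforceable only when it is expressed in the access layer, and the emergency access procedure above needs a path that grants access without silently bypassing the policy. The following is an added example written for this article, not code from any HIPAA-regulated product: the roles, field names, sample record, and care-team data are constructed assumptions that a real deployment would derive from its EHR. It filters a record down to what a role may see and logs every break-glass use for later privacy review.

```python
"""Minimum necessary as code: a role-based field filter for patient records
plus a logged break-glass path for emergency access.

Added example for this article, not code from any HIPAA-regulated product.
The roles, field names, sample record and care-team data below are
constructed assumptions; a real system would derive them from its EHR."""
from datetime import datetime, timezone

# Fields each role may see (assumed for illustration). Anything not listed
# is withheld, which is how "minimum necessary" becomes an enforced default.
ROLE_FIELDS = {
    "treating_clinician": {"mrn", "name", "dob", "diagnoses", "medications", "allergies"},
    "billing": {"mrn", "name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"mrn", "name", "dob", "appointments"},
}

# Constructed sample record; care_team lists users with a treatment relationship.
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Pat Example",
    "dob": "1980-01-01",
    "diagnoses": ["J45.20"],
    "medications": ["albuterol"],
    "allergies": ["penicillin"],
    "insurance_id": "INS-99",
    "procedure_codes": ["99213"],
    "appointments": ["2025-03-01 09:00"],
    "care_team": {"u_doc1", "u_nurse4"},
}

# In production this is an append-only store reviewed by the security official.
BREAK_GLASS_LOG = []


class AccessDenied(Exception):
    pass


def filter_record(record, role):
    """Return only the fields the role is permitted to see."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def access_record(record, user, role, reason=None, now=None):
    """Minimum-necessary view of `record` for `user` acting as `role`.

    Clinicians outside the care team are refused unless they invoke
    break-glass with a documented reason; every break-glass use is logged
    with a pending review flag so privacy can later confirm it was justified.
    """
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {role!r}")
    if role == "treating_clinician" and user not in record["care_team"]:
        if not reason:
            raise AccessDenied("no treatment relationship; break-glass reason required")
        BREAK_GLASS_LOG.append({
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "mrn": record["mrn"],
            "reason": reason,
            "review": "pending",
        })
    return filter_record(record, role)


if __name__ == "__main__":
    print(access_record(SAMPLE_RECORD, "u_bill2", "billing"))
    print(access_record(SAMPLE_RECORD, "u_doc9", "treating_clinician", reason="ED coverage"))
    print(BREAK_GLASS_LOG)
```

The design point is that the default is deny-by-omission (a role sees only listed fields, so a newly added field is hidden until someone decides who needs it), and that emergency access is granted rather than blocked, but leaves a record that the privacy official must close out.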

Audit controls

  • Enable audit logs on EHRs, databases, servers, and APIs; centralize logs in a SIEM for correlation.
  • Define review schedules and alert thresholds for unusual access, mass exports, or after-hours activity.
  • Retain logs long enough to support investigations and compliance reviews.
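The review schedule and alert thresholds above only matter if something actually runs over the logs. The block below is an added example, not code from the article or any EHR vendor: it parses a handful of constructed access events and flags the three patterns the list calls out (after-hours access, mass export, and access without a treatment relationship, which is also the "snooping" check a privacy investigation needs). The log format, the business-hours window, the export threshold, and the encounter table are all assumptions a real deployment would replace with its own.

```python
"""Audit-log review over constructed EHR access events.

Added example, not code from the article. The log format, thresholds and the
encounter table are assumptions; a SIEM rule or scheduled job would consume
the real EHR/cloud audit feed instead of SAMPLE_LOG."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO-8601 UTC timestamp, user, action, patient MRN.
SAMPLE_LOG = """\
2025-02-20T09:02:11Z,u_nurse4,view,000123
2025-02-20T09:05:40Z,u_doc1,view,000123
2025-02-20T11:30:02Z,u_doc1,view,000456
2025-02-20T23:41:09Z,u_clerk7,view,000789
2025-02-21T14:00:00Z,u_clerk7,export,000123
2025-02-21T14:00:03Z,u_clerk7,export,000456
2025-02-21T14:00:06Z,u_clerk7,export,000789
2025-02-21T14:00:09Z,u_clerk7,export,000321
2025-02-21T14:00:12Z,u_clerk7,export,000654
2025-02-21T10:15:00Z,u_nurse4,view,000321
"""

# Constructed encounter table: workforce members with a treatment or
# billing relationship to each patient. Real systems derive this from
# scheduling and encounter data in the EHR.
ENCOUNTERS = {
    "000123": {"u_doc1", "u_nurse4", "u_clerk7"},
    "000456": {"u_doc1", "u_clerk7"},
    "000789": {"u_clerk7"},
    "000321": {"u_clerk7"},
    "000654": {"u_clerk7"},
}

BUSINESS_HOURS = (7, 19)          # 07:00-19:00 UTC, assumed for the sample
EXPORT_THRESHOLD = 5              # distinct MRNs exported by one user...
EXPORT_WINDOW = timedelta(minutes=10)  # ...within this sliding window


def parse(log_text):
    """Turn the CSV-style sample into event dicts with aware datetimes."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, mrn = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "action": action,
            "mrn": mrn,
        })
    return events


def find_anomalies(events):
    """Return (kind, user, detail, timestamp) tuples for events worth review."""
    findings = []
    export_windows = defaultdict(list)   # user -> recent export events
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stamp = e["ts"].isoformat()
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["mrn"], stamp))
        if e["user"] not in ENCOUNTERS.get(e["mrn"], set()):
            findings.append(("no_relationship", e["user"], e["mrn"], stamp))
        if e["action"] == "export":
            window = export_windows[e["user"]]
            window.append(e)
            while window and e["ts"] - window[0]["ts"] > EXPORT_WINDOW:
                window.pop(0)            # age out events outside the window
            distinct = {x["mrn"] for x in window}
            if len(distinct) >= EXPORT_THRESHOLD:
                findings.append(("mass_export", e["user"], len(distinct), stamp))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample, the clerk's 23:41 view is flagged as after-hours, the nurse's view of a patient she has no encounter with is flagged as a relationship gap, and the burst of five exports in twelve seconds trips the mass-export threshold once, on the fifth record. Tune the thresholds to your own baseline; a clearinghouse that exports thousands of records per minute will need a very different rule than a small practice.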

Integrity

  • Use hashing, checksums, and write-once storage or versioning to detect and prevent improper alteration of ePHI.
  • Protect backups from unauthorized changes with immutability and separate credentials, so an account that can write the backup cannot also rewrite the integrity record.
  • Validate application inputs and apply database constraints to preserve data quality.
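Hashing alone tells you a record changed only if the hash itself cannot be changed along with it. The block below is an added example, not code from the article: it builds a manifest of per-record SHA-256 digests over a canonical JSON encoding and authenticates the manifest with an HMAC key that is assumed to live outside the storage account (a KMS or HSM in practice). Verification then reports modified, deleted, and inserted records, and rejects a manifest that was re-signed without the key. The records and the key are constructed for the example.

```python
"""Tamper-evident integrity manifest for a set of ePHI records.

Added example, not the article's code. Records are constructed; the manifest
key is an assumption that in practice would be held in a KMS/HSM under
credentials separate from the storage account, so whoever can write the
backup cannot also re-sign the manifest."""
import hashlib
import hmac
import json

MANIFEST_KEY = b"example-only-key-held-outside-storage"  # assumption

# Constructed sample records keyed by record id.
SAMPLE_RECORDS = {
    "rec-1": {"mrn": "000123", "result": "HbA1c 6.1%", "signed_by": "u_doc1"},
    "rec-2": {"mrn": "000456", "result": "INR 2.4", "signed_by": "u_doc1"},
    "rec-3": {"mrn": "000789", "result": "K+ 4.2", "signed_by": "u_nurse4"},
}


def record_digest(record):
    """SHA-256 over a canonical JSON encoding so key order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _manifest_mac(digests):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()


def build_manifest(records):
    """Digest every record and authenticate the whole digest table."""
    digests = {rid: record_digest(r) for rid, r in records.items()}
    return {"digests": digests, "mac": _manifest_mac(digests)}


def verify_records(records, manifest):
    """Report what changed since the manifest was built.

    A forged or edited manifest fails the MAC check first; otherwise the
    result lists modified, missing and unexpected records, so an attacker
    who can only write to storage cannot hide an edit, a deletion or an
    insertion.
    """
    if not hmac.compare_digest(_manifest_mac(manifest["digests"]), manifest["mac"]):
        return {"manifest_valid": False, "modified": [], "missing": [], "unexpected": []}
    expected = manifest["digests"]
    modified = sorted(rid for rid in expected
                      if rid in records and record_digest(records[rid]) != expected[rid])
    missing = sorted(rid for rid in expected if rid not in records)
    unexpected = sorted(rid for rid in records if rid not in expected)
    return {"manifest_valid": True, "modified": modified,
            "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS)
    tampered = {k: dict(v) for k, v in SAMPLE_RECORDS.items()}
    tampered["rec-2"]["result"] = "INR 1.0"    # altered lab value
    del tampered["rec-3"]                      # deleted record
    tampered["rec-9"] = {"mrn": "000999"}      # inserted record
    print(verify_records(tampered, manifest))
```

Pair this with immutable or versioned storage for the manifest itself; the MAC proves the manifest is authentic, but only a retained copy lets you roll back to the last known-good state.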

Person or entity authentication

  • Strengthen identity proofing for remote access; adopt MFA tokens or authenticator apps.
  • Use SSO with federated identity to reduce password reuse and simplify access revocation.

Transmission security

  • Encrypt ePHI in transit with TLS for web and API traffic; use VPN or secure email gateways where appropriate.
  • Disable insecure protocols; require secure file transfer (SFTP/HTTPS) for partners and business associates.
  • Protect messaging on mobile devices with managed, encrypted apps governed by MDM policies.

Practical examples

  • Small practice: EHR with built-in role-based access, MFA, device disk encryption, and managed cloud backups.
  • Hospital: Network segmentation, privileged access management, SIEM with behavioral analytics, and zero-trust remote access.

Required vs Addressable Specifications

The Security Rule classifies some implementation specifications as “required” and others as “addressable.” Required specifications must be implemented as stated. Addressable specifications still demand action: you must assess reasonableness, implement the control if appropriate, or use a suitable alternative and document the rationale and residual risk.

How to interpret “addressable”

  • Addressable ≠ optional. It means you decide how to achieve the objective based on your Risk Analysis and environment.
  • Cost alone is not sufficient to reject a control if significant risk remains; consider likelihood and impact.
  • Document decisions, alternatives, and improvement timelines; revisit as technology and risks evolve.

Examples (non-exhaustive)

  • Required: Risk Analysis; risk management; unique user identification; emergency access procedures; information system activity review; data backup plan; disaster recovery plan; disposal and media reuse controls.
  • Addressable: Automatic logoff; encryption and decryption of data at rest; transmission encryption; log-in monitoring; password management; workforce clearance; termination procedures; testing and revision of contingency plans.

Practical decisioning

  • If full-disk encryption is technically feasible on laptops that store ePHI, implement it rather than relying on storage closets or sign-out sheets.
  • When clinical workflows need a screen to stay visible while idle (a monitoring station, for example), set automatic logoff to a short, risk-based interval and require reauthentication to resume the session.
  • If a legacy device cannot support modern controls, isolate it on the network, restrict access, and plan for replacement.

Overlap Between Privacy and Security Rules

The Privacy Rule defines what you may do with PHI; the Security Rule defines how you must protect ePHI while doing it. They reinforce each other: minimum-necessary policies inform access design; training covers both acceptable disclosures and secure handling; incident response blends Security Incident Procedures with privacy evaluation of potential unauthorized disclosures.

Where they intersect

  • Role-based access implements minimum necessary, reducing privacy exposure and security risk simultaneously.
  • Audit logs support privacy investigations into suspected snooping and security monitoring for account compromise.
  • Business associate management spans both permissible use limits and required security commitments.

Practical examples across both rules

  • Patient portal: Privacy governs what information is shared and with whom; Security ensures MFA, TLS, and logging protect that access.
  • Care coordination with a community partner: A business associate agreement sets permitted PHI uses and obligates encryption, access controls, and incident reporting.
  • Lost smartphone with messaging: Security requires remote wipe and containment; the Breach Notification Rule's risk assessment then determines whether a reportable breach of unsecured PHI occurred. If the device was encrypted consistent with HHS guidance, the PHI on it is considered secured and the loss is not a reportable breach, which is why full-disk encryption on mobile devices pays for itself.

Conclusion and key takeaways

  • Use the Privacy Rule to set boundaries on PHI uses and to honor patient rights across all media.
  • Use the Security Rule to harden systems holding ePHI via Administrative, Physical, and Technical Safeguards.
  • Base choices on a current Risk Analysis, document addressable decisions, and practice Security Incident Procedures.

FAQs

What are the main differences between HIPAA Privacy and Security Rules?

The Privacy Rule applies to PHI in any form and governs permissible uses, disclosures, and patient rights. The Security Rule applies only to ePHI and requires safeguards that ensure confidentiality, integrity, and availability through Administrative Safeguards, Physical Safeguards, and Technical Safeguards backed by Risk Analysis and ongoing governance.

How do required and addressable specifications differ under the Security Rule?

Required specifications must be implemented as written. Addressable specifications require you to evaluate reasonableness, implement the control if appropriate, or adopt an effective alternative. In every case, document the decision, rationale, and residual risk, and revisit as conditions change.

What safeguards are mandated to protect electronic PHI?

You must implement Administrative Safeguards (Risk Analysis, training, access management, Security Incident Procedures, contingency planning), Physical Safeguards (facility controls, workstation security, device/media controls), and Technical Safeguards (access control with unique user IDs and strong authentication, audit logs, integrity protections, authentication, and transmission security such as TLS and VPN). The rule itself does not name MFA, but it is the expected way to meet the authentication standard for remote and privileged access today. Encryption, though often addressable, is expected where feasible and risk warrants it.
