Is HIPAA a Privacy or Security Rule? It’s Both—Here’s the Difference
Overview of HIPAA
HIPAA sets national standards for how health information is used, shared, and protected. If you’ve wondered whether HIPAA is a privacy rule or a security rule, the answer is both—and understanding each one is essential to running a compliant, trusted healthcare operation.
The HIPAA Privacy Rule governs when protected health information (PHI) may be used or disclosed. The HIPAA Security Rule, in turn, requires safeguards that protect electronic protected health information (ePHI) from threats and unauthorized access. Together, they define what you may do with PHI and how you must secure it.
Viewed as a unified program, the two rules help you preserve patient trust, reduce breach risk, and meet regulatory expectations through clear policies, training, and technical controls.
HIPAA Privacy Rule Explained
The HIPAA Privacy Rule applies to PHI in any form—paper, verbal, or electronic. PHI includes individually identifiable data related to a person’s past, present, or future health, care, or payment for care. Your policies should define what counts as PHI, where it lives, and who may access it.
Uses and disclosures are permitted without individual authorization for treatment, payment, and healthcare operations, as well as for certain public interest activities. Outside those purposes, you generally need explicit, written individual authorization, and you must follow the minimum necessary standard to limit the information used or disclosed.
Core Privacy Rule requirements include a Notice of Privacy Practices, role-based access, workforce training, and documentation of policies and procedures. De-identification and limited data sets enable data sharing with reduced privacy risk when full identifiers aren’t needed.
HIPAA Security Rule Explained
The HIPAA Security Rule focuses only on ePHI and requires a risk-based approach. You must assess reasonably anticipated threats and vulnerabilities, implement appropriate controls, and update them as technology and risks evolve.
Safeguard Categories
- Administrative safeguards: risk analysis, risk management, workforce security, security awareness training, incident response, contingency planning, and vendor oversight.
- Physical safeguards: facility access controls, workstation security, device and media controls, and secure disposal of hardware containing ePHI.
- Technical safeguards: unique user IDs, access control, multi-factor authentication, audit controls and logs, integrity checks, and transmission security such as encryption in transit.
Some implementation specifications are “required” while others are “addressable.” Addressable does not mean optional; you must implement them if reasonable and appropriate or document why an alternative or omission adequately reduces risk.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Differences Between Privacy and Security Rules
- Scope: The Privacy Rule covers PHI in any format; the Security Rule covers only ePHI.
- Focus: Privacy answers “when and why may PHI be used or disclosed?” Security answers “how is ePHI safeguarded?”
- Individual rights: Privacy creates access, amendment, and other patient rights; Security establishes protective controls but does not create new patient rights.
- Mechanisms: Privacy relies on policies, notices, and permissible disclosure rules; Security relies on administrative, physical, and technical safeguards.
- Interdependence: Strong security controls enable compliance with privacy requirements by preventing unauthorized access and use.
Covered Entities and Compliance
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. Business associates—vendors that create, receive, maintain, or transmit PHI on your behalf—must also comply with applicable HIPAA requirements through business associate agreements.
Compliance hinges on governance: designate privacy and security officers, perform regular risk analyses, maintain policies and procedures, train your workforce, manage vendors, and monitor activity with audits and sanctions when needed. Where state law is more protective of privacy, you follow the more stringent standard.
Rights of Individuals Under HIPAA
The Privacy Rule grants people meaningful control over their PHI. Individuals have the right to:
- Access and receive copies of their records, including electronic copies of ePHI when feasible.
- Request amendments to correct or complete PHI.
- Receive an accounting of certain disclosures made without authorization.
- Request restrictions on disclosures, including restricting disclosure to a health plan for services paid in full out-of-pocket.
- Request confidential communications (for example, to an alternative address or phone number).
- Receive a clear Notice of Privacy Practices and file complaints about privacy practices.
Implementing Safeguards and Protections
Build an Integrated Program
- Map PHI and ePHI: identify the systems, workflows, and vendors that touch PHI, and note which of those holdings are electronic and therefore in scope for the Security Rule.
- Conduct a security risk analysis, document risks, and implement a risk management plan tied to business priorities.
- Publish clear privacy policies, the Notice of Privacy Practices, and procedures for uses, disclosures, and individual authorization.
- Execute business associate agreements and perform due diligence on vendors’ controls.
- Train your workforce on minimum necessary, secure handling, and incident reporting; document completion and comprehension.
Apply Safeguards by Category
- Administrative safeguards: role-based access, background checks as appropriate, security awareness, phishing simulations, incident response runbooks, and contingency plans with backups and disaster recovery testing.
- Physical safeguards: badge-based facility access, visitor logs, workstation placement to prevent shoulder surfing, device and media inventory, and secure destruction.
- Technical safeguards: least-privilege access, MFA, unique IDs, automatic logoff, encryption for data in transit and at rest when reasonable and appropriate, endpoint protection, patching, and centralized audit logging with alerting.
Daily Operations and Continuous Improvement
- Enforce the minimum necessary standard in workflows and templates; verify individual authorization before non-routine disclosures.
- Monitor logs, review alerts, and investigate anomalies; document security incidents and outcomes.
- Test backups and restore procedures; rehearse downtime operations and emergency mode plans.
- Reassess risks when systems, vendors, or regulations change; update safeguards and training accordingly.
Conclusion
HIPAA is both a Privacy Rule and a Security Rule: one defines when PHI may be used or disclosed, the other mandates how ePHI is protected. By aligning policies with privacy requirements and enforcing administrative, physical, and technical safeguards, covered entities can honor individual rights, reduce risk, and sustain compliance over time.
FAQs
What is the main purpose of the HIPAA Privacy Rule?
Its purpose is to set national standards for when PHI may be used or disclosed and to give individuals rights over their information, including access, amendment, and restrictions, while requiring the minimum necessary use of PHI.
How does the HIPAA Security Rule protect electronic health information?
It requires a risk-based program of administrative, physical, and technical safeguards for ePHI—such as access controls, audit logging, integrity protections, and transmission security—so only authorized users can access electronic protected health information.
Who must comply with HIPAA Privacy and Security Rules?
Covered entities—health plans, healthcare clearinghouses, and qualifying providers—and their business associates must comply. Vendors that create, receive, maintain, or transmit PHI for these entities are also responsible under HIPAA.
What rights do individuals have under the HIPAA Privacy Rule?
Individuals can access and obtain copies of their records, request corrections, receive an accounting of certain disclosures, request restrictions and confidential communications, and receive a Notice of Privacy Practices, with many disclosures outside core purposes requiring individual authorization.