Match the Two HIPAA Standards: Privacy Rule vs. Security Rule (With Examples)
Scope of Application of HIPAA Standards
Who must comply
- Covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically for standard transactions.
- Business associates: vendors and subcontractors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of covered entities.
Information and media covered
The Privacy Rule protects PHI in any form or medium—paper, verbal, or electronic. The Security Rule protects electronic Protected Health Information (ePHI) specifically, focusing on the systems and processes that store, access, or transmit it.
De‑identified information falls outside both rules, while re‑identifiable “limited data sets” remain regulated through data use agreements and minimum necessary controls.
Operational boundaries
- Privacy Rule: governs people, policies, and permissible uses/disclosures across all media.
- Security Rule: governs the confidentiality, integrity, and availability of ePHI within information systems and connected devices.
Focus and Purpose of Privacy and Security Rules
Privacy Rule objectives
- Define when PHI may be used or disclosed without authorization (e.g., treatment, payment, and health care operations) and when patient authorization is required.
- Establish organizational responsibilities: designate a privacy official, train the workforce, apply the minimum necessary standard, and publish a Notice of Privacy Practices.
Security Rule objectives
- Require risk analysis and risk management to safeguard ePHI.
- Implement ongoing measures that ensure only authorized users access ePHI, that data remain accurate, and that systems are available when needed.
Together, the rules set complementary guardrails: the Privacy Rule answers “should we use or disclose this PHI, and under what conditions?” while the Security Rule answers “how do we protect the ePHI we hold from threats and improper access?”
Safeguard Requirements Comparison
Security Rule safeguards (required and addressable)
- Administrative safeguards: risk analysis, risk management, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate agreements.
- Physical safeguards: facility access controls, workstation use and security, and device/media controls including secure disposal and media re‑use.
- Technical safeguards: access controls (unique IDs, emergency access), audit controls, integrity controls, person or entity authentication, and transmission security (e.g., encryption in transit).
Privacy Rule organizational controls
- Policies for permissible uses/disclosures, minimum necessary, and authorization management.
- Designation of a privacy official, workforce training, and sanction policies for violations.
- Procedures for receiving complaints, mitigating known harms, and maintaining documentation and retention schedules.
In practice, the Privacy Rule sets policy boundaries and accountability, while the Security Rule operationalizes protection through administrative, physical, and technical safeguards tailored to risk.
Patient Rights Under HIPAA
- Right of access: obtain copies of PHI, or direct that copies be sent to a designated third party—including an electronic copy of ePHI held in a designated record set—within a reasonable timeframe (generally 30 days, with one permissible extension).
- Right to request amendments: ask that inaccurate or incomplete PHI be corrected; denials require written rationale and appeal information.
- Right to an accounting of disclosures: receive a list of certain non‑routine disclosures made over a defined period.
- Right to request restrictions: seek limits on use/disclosure; certain restrictions must be honored (e.g., a request not to disclose to a health plan information about an item or service the patient has paid for in full out of pocket).
- Right to confidential communications: request alternative addresses or contact methods.
- Right to receive a Notice of Privacy Practices explaining how PHI is used and your options.
Enforcement and Penalties Framework
The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces both the Privacy Rule and the Security Rule. OCR investigates complaints, conducts compliance reviews, and may require corrective action plans, monitoring, and civil monetary penalties scaled by the nature and extent of the violation and the level of culpability.
The Department of Justice handles criminal HIPAA violations (e.g., knowingly obtaining or disclosing PHI in violation of the statute). State Attorneys General may also bring civil actions on behalf of residents. The Centers for Medicare & Medicaid Services (CMS) administers other HIPAA Administrative Simplification standards (such as transactions, code sets, and identifiers) and supports broader compliance across the health care ecosystem.
Interdependence of Privacy and Security Rules
Privacy and Security are mutually reinforcing: privacy policies define lawful use and disclosure of PHI, while security safeguards keep ePHI protected so those policies can be honored in daily operations. A lapse in security (e.g., unauthorized access) can lead to impermissible disclosures under the Privacy Rule and trigger breach investigation and notification duties.
Effective programs align both rules through governance (privacy and security officials), coordinated risk analysis, role‑based access, sanction policies, and continuous monitoring that ties audit findings to policy updates and workforce training.
Practical Examples of Compliance
Example 1: Secure messaging of lab results
- Privacy: verify the recipient, apply minimum necessary, and document the disclosure when required.
- Security: use encrypted messaging, unique user IDs, and automatic logoff on mobile devices; manage lost‑device risk with remote wipe.
Example 2: Telehealth video visits
- Privacy: provide an updated Notice of Privacy Practices and ensure a business associate agreement with the platform provider if applicable.
- Security: implement access controls, multifactor authentication, and transmission security for ePHI shared during sessions.
Example 3: Patient requests an electronic copy of records
- Privacy: honor the access right promptly; provide the format requested if readily producible; apply reasonable, cost‑based fees only.
- Security: authenticate the requestor, use secure transfer (portal or encrypted email per patient preference), and log the disclosure.
Example 4: Lost laptop containing ePHI
- Privacy: assess whether an impermissible disclosure occurred and follow breach procedures if risk is not low.
- Security: rely on full‑disk encryption, device inventory, and media control procedures; conduct incident response and update risk analysis.
Example 5: Workforce role changes
- Privacy: update role‑based minimum necessary policies and re‑train staff on permissible uses.
- Security: adjust access rights promptly, enforce unique credentials, and review audit logs for appropriateness.
Conclusion
The Privacy Rule tells you when and why PHI may be used or shared and grants patients enforceable rights. The Security Rule tells you how to protect ePHI through administrative, physical, and technical safeguards. Aligning policy with protection—supported by risk analysis, training, and monitoring—keeps compliance effective and patient trust intact.
FAQs
What is the main difference between the Privacy Rule and Security Rule?
The Privacy Rule governs when PHI can be used or disclosed and sets patient rights and organizational policies. The Security Rule governs how ePHI must be protected through administrative, physical, and technical safeguards.
How do the Privacy and Security Rules protect patient information?
The Privacy Rule limits and conditions the use and disclosure of PHI and requires notices, authorizations, training, and accountability. The Security Rule requires risk‑based safeguards—such as access controls, audit logs, encryption, and contingency plans—to protect ePHI within information systems.
Which HIPAA rule applies to electronic health records?
Both apply: the Privacy Rule governs permissible uses and disclosures of information in the EHR, while the Security Rule sets the safeguards for protecting the ePHI stored and transmitted by that EHR.
What are the enforcement agencies for each HIPAA standard?
HHS’s Office for Civil Rights enforces both the Privacy Rule and the Security Rule. The Department of Justice handles criminal violations, State Attorneys General may bring civil actions, and CMS administers other HIPAA Administrative Simplification standards that complement privacy and security compliance.