Privacy Rule or Security Rule? A HIPAA Compliance Guide to What’s Different

Kevin Henry

HIPAA

February 27, 2025

6 minutes read

Privacy Rule Scope and Coverage

The HIPAA Privacy Rule governs how covered entities and their business associates use and disclose Protected Health Information (PHI) in any form—paper, oral, or electronic. It sets the baseline for when PHI can be shared, with or without an individual’s authorization, and embeds the “minimum necessary” standard.

Who must comply

  • Covered entities: health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions.
  • Business associates: vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of covered entities.

What information is covered

PHI is individually identifiable health information related to health status, care, or payment that is linked to a person. It includes diagnoses, claims data, lab results, and billing records—regardless of whether the record is paper, oral, or digital.

Security Rule Scope and Coverage

The HIPAA Security Rule protects electronic Protected Health Information (ePHI) only. Its aim is to ensure the confidentiality, integrity, and availability of ePHI through a risk-based approach that is scalable to the size and complexity of your environment.

Where it applies

  • Systems that create, receive, maintain, or transmit ePHI: EHRs, patient portals, e-prescribing, claims systems, mobile devices, and cloud services.
  • Covered entities and business associates, including downstream subcontractors that handle ePHI.

What it does not cover

  • Paper and oral PHI (still governed by the Privacy Rule).
  • Data that has been properly de-identified and no longer meets the definition of PHI.

Privacy Rule Standards and Rights

The Privacy Rule defines permissible uses and disclosures, such as treatment, payment, and health care operations, and those allowed for public interest and benefit. Uses beyond these bases generally require a valid, written authorization.

Individual rights

  • Right of access: obtain copies of PHI, or direct that copies be sent to a third party, within 30 days of the request (one 30-day extension is permitted) and in the form and format requested when it is readily producible.
  • Right to amend: request corrections to records that are inaccurate or incomplete.
  • Right to an accounting of certain disclosures: understand when PHI was shared outside routine operations.
  • Right to request restrictions and confidential communications: limit certain sharing and request alternate contact methods or addresses.
  • Notice of Privacy Practices: receive clear notice describing uses, rights, and complaint options.

Operational expectations

  • Apply the minimum necessary standard to routine uses and disclosures.
  • Execute business associate agreements to extend Privacy Rule obligations to vendors.
  • Train workforce members and enforce sanctions for violations.

Security Rule Safeguards Framework

The Security Rule organizes protections into administrative, physical, and technical safeguards. Together, these controls translate risk analysis into practical measures that reduce the likelihood and impact of security incidents affecting electronic Protected Health Information (ePHI).

Administrative safeguards

  • Risk analysis and risk management with ongoing reassessment.
  • Assign a security official; define policies, procedures, and workforce training.
  • Contingency planning: data backup, disaster recovery, and emergency operations.
  • Vendor oversight: due diligence, business associate agreements, and monitoring.

Physical safeguards

  • Facility access controls and visitor management.
  • Workstation use and security standards for fixed and mobile endpoints.
  • Device and media controls: secure disposal, reuse, and movement tracking.

Technical safeguards

  • Access controls: unique user identification and emergency access procedures (required), plus automatic logoff and encryption of stored ePHI (addressable).
  • Audit controls: log collection, monitoring, and review.
  • Integrity protections: change controls and anti-tampering measures.
  • Person or entity authentication: verifying that a person or system seeking access is who it claims to be; the Rule does not prescribe a mechanism, but multi-factor authentication is the usual way to meet it.
  • Transmission security: integrity controls and encryption for ePHI in transit, protecting against interception and alteration.

“Required” vs. “addressable” specifications

Required specifications must be implemented as written. Addressable specifications are not optional: you must assess whether each one is reasonable and appropriate for your environment and, if so, implement it. If it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate. Either way, the decision and its rationale must be written down.


Enforcement and Compliance Requirements

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules through investigations, compliance reviews, audits, and settlements that may include corrective action plans and civil monetary penalties.

The Centers for Medicare & Medicaid Services (CMS) administers the other HIPAA Administrative Simplification standards (such as transactions and code sets) and held Security Rule enforcement duties until they were consolidated under OCR in 2009. State attorneys general may also bring civil actions for HIPAA violations on behalf of their residents, an authority granted by the HITECH Act.

Core compliance program elements

  • Current, documented risk analysis and risk management plan tied to administrative, physical, and technical safeguards.
  • Business associate lifecycle management: screening, contracting, oversight, and termination procedures.
  • Policies, workforce training, sanctions, and periodic evaluations.
  • Incident response, breach assessment, and timely notifications when required.
  • Ongoing monitoring, auditing, and documentation to demonstrate diligence.

Overlap and Integration of Rules

The Privacy Rule tells you when PHI may be used or disclosed; the Security Rule dictates how you protect ePHI while it is created, stored, used, or transmitted. In practice, both must operate together across your data lifecycle.

Practical integration tips

  • Map minimum necessary policies to role-based access and least-privilege configurations.
  • Align right-of-access workflows with secure patient portals, identity verification, and logging.
  • Embed privacy by design into security architecture and change management.
  • Coordinate incident response so breach risk assessments reflect both privacy impact and security root cause.
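The technical safeguards above (access controls, audit controls, integrity protections) and the first two integration tips are easier to reason about with a concrete implementation. The following Python is an added example written for this page, not code from the article or from Accountable's product. Everything in it is constructed for illustration: the record layout, the role names, the field-to-role policy and the audit key are hypothetical, and the patient data is fictional. It shows a minimum-necessary view of a PHI record enforced by role, with every allowed or denied access written to an append-only audit log whose entries are chained with an HMAC so that editing or deleting an earlier entry is detectable.

```python
"""Minimum-necessary access to a PHI record plus a tamper-evident audit log.

Added example for illustration only. The record, roles, policy and key below
are constructed; they are not taken from any regulation or product.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record: a fictional patient, not real PHI.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Test Patient",
    "dob": "1980-01-01",
    "diagnoses": ["E11.9"],
    "lab_results": [{"test": "HbA1c", "value": 7.1}],
    "insurance_id": "INS-12345",
    "billing_total": 420.00,
    "psychotherapy_notes": "constructed placeholder, not real notes",
}

# Hypothetical minimum-necessary policy: each role sees only the fields its
# routine duties need. Psychotherapy notes are granted to no role here, so
# they can only be reached through a separate, authorization-backed path.
ROLE_POLICY = {
    "clinician": {"patient_id", "name", "dob", "diagnoses", "lab_results"},
    "billing": {"patient_id", "name", "insurance_id", "billing_total"},
    "scheduler": {"patient_id", "name"},
}


class AccessDenied(Exception):
    pass


def minimum_necessary_view(record, role, requested_fields=None):
    """Return only the fields the role is permitted to see.

    When specific fields are requested, any field outside the role's policy
    is a hard denial rather than a silent drop, so over-broad requests show
    up in the audit trail instead of being quietly narrowed.
    """
    allowed = ROLE_POLICY.get(role)
    if allowed is None:
        raise AccessDenied(f"unknown role {role!r}")
    wanted = set(requested_fields) if requested_fields else allowed
    excess = wanted - allowed
    if excess:
        raise AccessDenied(f"role {role!r} may not access {sorted(excess)}")
    return {k: v for k, v in record.items() if k in wanted}


class AuditLog:
    """Append-only audit log whose entries form an HMAC hash chain.

    Each entry's MAC covers the previous entry's MAC, so altering or removing
    an earlier entry invalidates every later one. In production the key would
    live in a KMS/HSM; here it is a constructed constant passed by the caller.
    """

    def __init__(self, key):
        self._key = key
        self.entries = []
        self._prev_mac = b"\x00" * 32

    def _mac(self, prev_mac, entry_without_mac):
        body = json.dumps(entry_without_mac, sort_keys=True).encode()
        return hmac.new(self._key, prev_mac + body, hashlib.sha256).digest()

    def record(self, actor, role, patient_id, outcome, fields):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "patient_id": patient_id,
            "outcome": outcome,
            "fields": sorted(fields),
        }
        mac = self._mac(self._prev_mac, entry)
        entry["mac"] = mac.hex()
        self.entries.append(entry)
        self._prev_mac = mac

    def verify(self):
        """True if every entry's MAC is valid and the chain is unbroken."""
        prev = b"\x00" * 32
        for e in self.entries:
            expected = self._mac(prev, {k: v for k, v in e.items() if k != "mac"})
            if not hmac.compare_digest(expected.hex(), e["mac"]):
                return False
            prev = expected
        return True


def access_phi(log, actor, role, record, requested_fields=None):
    """Apply the policy and log the outcome, whether allowed or denied."""
    try:
        view = minimum_necessary_view(record, role, requested_fields)
    except AccessDenied:
        log.record(actor, role, record["patient_id"], "denied",
                   list(requested_fields or []))
        raise
    log.record(actor, role, record["patient_id"], "allowed", view.keys())
    return view
```

Two design points worth noting. Denials are logged with the fields that were asked for, which is what an accounting-of-disclosures or incident review needs; a policy that silently trims the request hides exactly the over-reach you want to see. And the verification walk recomputes each MAC from the stored fields, so the log can be shipped to a separate system and checked there with the key, independent of the application that wrote it.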

Exceptions and Exemptions in HIPAA

The Privacy Rule permits certain disclosures without authorization, including treatment, payment, and health care operations; public health activities; health oversight; law enforcement and judicial proceedings; to avert serious threats; and for specialized government functions. Research disclosures may proceed with an authorization or appropriate waiver and safeguards.

What is not PHI or is treated differently

  • De-identified information that meets HIPAA standards.
  • Employment records held by a covered entity in its role as employer.
  • Education records covered by FERPA and certain student treatment records.
  • Psychotherapy notes, which generally require a separate authorization for most uses.

Conclusion

The Privacy Rule sets the “when and why” of PHI use and disclosure, while the Security Rule delivers the “how” for safeguarding ePHI via administrative, physical, and technical safeguards. Building a unified, risk-based program that honors individual rights and operational security is the most reliable path to HIPAA compliance.

FAQs

What are the main differences between the HIPAA Privacy Rule and Security Rule?

The Privacy Rule governs permissible uses and disclosures of PHI in any form and grants individuals specific rights over their information. The Security Rule applies only to ePHI and requires safeguards that maintain its confidentiality, integrity, and availability through a risk-based framework.

How does the Security Rule protect electronic health information?

It requires administrative, physical, and technical safeguards—such as risk analysis, role-based access, audit logging, encryption in transit, and contingency planning—to reduce risks to ePHI to a reasonable and appropriate level for your organization.

Who enforces compliance for the HIPAA Privacy and Security Rules?

The Office for Civil Rights (OCR) at HHS enforces both Rules through investigations, audits, and resolution agreements. CMS administers other Administrative Simplification standards and historically had Security Rule enforcement before it was consolidated under OCR.

Are there any exceptions to the HIPAA Privacy Rule?

Yes. Disclosures for treatment, payment, and health care operations are allowed without authorization, as are certain public interest disclosures (for example, public health, health oversight, and law enforcement). De-identified data, employment records, and FERPA-covered education records fall outside HIPAA’s PHI scope.
