What Are the Three Rules of HIPAA? Privacy, Security, and Breach Notification Explained
The three core HIPAA rules work together to protect patient privacy and secure health data across your organization. The Privacy Rule controls how protected health information (PHI) is used and disclosed. The Security Rule sets standards to safeguard electronic PHI (ePHI). The Breach Notification Rule dictates what you must do if PHI is compromised.
Understanding where these rules overlap—and where they are distinct—helps you build a practical compliance program that protects patients, reduces risk, and demonstrates accountability to regulators and the communities you serve.
Overview of the HIPAA Privacy Rule
Scope and key concepts
The Privacy Rule applies to covered entities and their business associates, governing the creation, use, and disclosure of protected health information. PHI includes any individually identifiable information related to a person’s health status, care, or payment for care. De-identified data, properly stripped of identifiers, is not PHI.
Permitted uses and disclosures
You may use or disclose PHI without patient authorization for treatment, payment, and healthcare operations. Other uses—such as marketing or most research—typically require a valid authorization. The minimum necessary standard requires you to limit PHI to the least amount needed to accomplish the purpose.
Individual rights and transparency
Patients have rights to access, obtain copies of, and request amendments to their PHI, and to receive an accounting of certain disclosures. You must provide a clear Notice of Privacy Practices explaining how you use PHI, patients’ rights, and how to submit complaints.
Operational expectations
Privacy policies, workforce training, and sanction processes are essential. You must verify identities before disclosures, apply role-based access, and manage business associate agreements to ensure partners handle PHI appropriately.
Key Provisions of the HIPAA Security Rule
Security framework for ePHI
The Security Rule protects electronic PHI through administrative safeguards, physical safeguards, and technical safeguards. It emphasizes a risk-based approach that fits your size, complexity, and capabilities.
Administrative safeguards
- Security management process with documented risk analysis and ongoing risk management to meet risk assessment requirements.
- Assigned security responsibility, workforce training, and sanction policies to reinforce expected behaviors.
- Contingency planning, including data backup, disaster recovery, and emergency mode operations.
- Vendor oversight and business associate agreements addressing ePHI protection.
Physical safeguards
- Facility access controls, visitor management, and environmental protections for server rooms and clinical areas.
- Workstation security and policies for device placement, screen privacy, and session timeouts.
- Device and media controls for secure disposal, reuse, and transportation of hardware and media.
Technical safeguards
- Access controls with unique user IDs, emergency access, automatic logoff, and strong authentication.
- Audit controls to log and review access, changes, and anomalous activity across EHRs and other systems.
- Integrity protections to prevent improper alteration or destruction of ePHI.
- Transmission security that follows recognized encryption standards for data in transit and at rest.
Some implementation specifications are “required,” while others are “addressable”—the latter still must be evaluated and implemented when reasonable and appropriate, or an alternative must be documented.
Requirements of the Breach Notification Rule
When an incident is a breach
A breach is generally an impermissible use or disclosure of unsecured PHI that compromises privacy or security. There is a presumption of breach unless you document a low probability of compromise based on a risk assessment.
Risk assessment and decision-making
To document a low probability of compromise, the risk assessment must weigh at least these four factors:
- Nature and extent of PHI involved (types of identifiers and sensitivity).
- Who used or received the PHI and their obligations to protect it.
- Whether the PHI was actually viewed or acquired.
- The extent to which you mitigated the risk (for example, prompt retrieval or effective destruction).
Who to notify and when
When a breach of unsecured PHI occurs, you must follow your breach notification procedures: notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify the Department of Health and Human Services; and, for large breaches, notify prominent media in affected jurisdictions. Business associates must notify covered entities of breaches they discover.
What to include in notices
Notices should describe what happened, the types of information involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and how to contact your organization for help.
Compliance Strategies for HIPAA Rules
Build a practical, risk-based program
- Governance: designate privacy and security officers; define roles, responsibilities, and escalation paths.
- Policies and training: maintain clear policies, provide role-based training, and document completion and effectiveness.
- Risk analysis: perform and update enterprise-wide risk assessments to meet risk assessment requirements, then prioritize remediation.
- Technical controls: implement access management, multi-factor authentication, endpoint protection, audit logging, and data loss prevention aligned to technical safeguards.
- Data protection: apply current encryption standards to ePHI in transit and at rest; verify key management and backup integrity.
- Incident response: test breach notification procedures, maintain contact templates, and rehearse decision-making under pressure.
- Vendor management: execute business associate agreements and monitor vendor security regularly.
- Verification and improvement: conduct internal reviews and readiness checks for HIPAA compliance audits; track corrective actions to closure.
Enforcement and Penalties Under HIPAA
How enforcement works
The Department of Health and Human Services’ Office for Civil Rights enforces HIPAA, investigating complaints and reported breaches, and initiating compliance reviews. State attorneys general can also bring actions on behalf of residents.
Consequences of noncompliance
Outcomes range from technical assistance and voluntary corrective action to resolution agreements with multi-year corrective action plans and civil monetary penalties. Penalty tiers reflect the organization’s level of culpability, with higher penalties for uncorrected willful neglect. Serious cases may be referred for criminal prosecution.
Business associates can be directly liable. While HIPAA does not create a private right of action, violations may still trigger liability under other federal or state laws.
Impact of HIPAA Rules on Healthcare Providers
Operational, clinical, and financial effects
Compliance influences daily workflows—from identity verification at check-in to role-based access in the EHR and secure information exchange with payers and partners. Strong privacy practices build patient trust and support care coordination.
Investments in technology, training, and process design are required to meet administrative safeguards and technical safeguards. Thoughtful implementation reduces security incidents, avoids downtime, and streamlines audits and investigations.
Telehealth, remote work, and mobile devices expand your attack surface. Clear policies for device security, secure messaging, and minimum necessary access help balance care quality with risk reduction.
Protecting Patient Information Under HIPAA
Practical safeguards you can apply now
- Limit PHI access to the minimum necessary and use smart defaults in your EHR to enforce role-based permissions.
- Encrypt laptops, servers, backups, and data in transit; verify your configurations meet current encryption standards.
- Harden endpoints and networks; patch promptly; monitor logs and alerts; and investigate anomalies quickly.
- Secure paper PHI with locked storage and clean-desk practices; use approved shredding or secure destruction for disposal.
- Validate patient identity before disclosures; use secure patient portals instead of email or fax when possible.
- Test your incident response plan and breach notification procedures with tabletop exercises and after-action reviews.
- Schedule periodic risk analyses and internal HIPAA compliance audits to verify controls are working and documented.
Conclusion
The three rules of HIPAA work in concert: the Privacy Rule governs how you use and share PHI, the Security Rule protects ePHI with layered safeguards, and the Breach Notification Rule ensures accountability when incidents occur. By following a risk-based approach, enforcing strong safeguards, and rehearsing response plans, you can protect patient information and sustain compliance over time.
FAQs
What information is protected under the HIPAA Privacy Rule?
The Privacy Rule protects PHI—any individually identifiable information related to a person’s health, care provided, or payment for care. PHI can exist in any form (verbal, paper, or electronic). Properly de-identified data, stripped of specified identifiers, is not considered PHI.
How does the HIPAA Security Rule safeguard electronic health records?
It requires administrative, physical, and technical safeguards tailored by risk analysis. Examples include access controls, audit logging, integrity controls, and transmission security aligned to recognized encryption standards, plus workforce training, contingency planning, and vendor oversight.
What are the notification requirements after a breach under HIPAA?
You must assess the incident for the probability of compromise. If it’s a breach of unsecured PHI, notify affected individuals without unreasonable delay (no later than 60 days), report to HHS, and notify media for large breaches. Notices must explain what happened, what information was involved, actions taken, and how individuals can protect themselves.
How can healthcare organizations ensure compliance with all three HIPAA rules?
Establish governance, maintain clear policies, train your workforce, and perform periodic risk assessments. Implement layered technical and physical controls, manage vendors with business associate agreements, test incident response and breach notification procedures, and verify effectiveness through internal reviews and HIPAA compliance audits.