Which Two HIPAA Rules Must Covered Entities Follow? Privacy and Security Explained
You often hear the question: which two HIPAA rules must covered entities follow? The answer is the HIPAA Privacy Rule and the HIPAA Security Rule. Together they set national standards for using, disclosing, and protecting protected health information (PHI) in any form, with the Security Rule addressing its electronic form (ePHI) specifically.
Privacy Rule Overview
The Privacy Rule governs how you may use and disclose protected health information. It applies to health plans, most healthcare providers, and healthcare clearinghouses, and it establishes when PHI can be shared without authorization and when an individual’s written permission is required.
Purpose and scope
The rule’s purpose is to safeguard PHI while enabling care delivery. It defines PHI broadly and applies across paper, oral, and digital formats. It also requires you to adopt reasonable safeguards, limit uses and disclosures, and designate a privacy official responsible for program oversight.
Permitted uses and disclosures
- Treatment, payment, and healthcare operations without authorization.
- Situations required or permitted by law (for example, public health reporting or certain law enforcement purposes).
- All other purposes only with valid, written authorization revocable by the individual.
Minimum necessary and notices
You must apply the minimum necessary standard to routine uses and disclosures, sharing only what is needed. You also need to provide a Notice of Privacy Practices that explains how you use PHI, individual rights, and how to file complaints.
De-identification and business associates
Where feasible, use de-identified data. When vendors handle PHI for you, execute Business Associate Agreements that bind them to Privacy Rule requirements and extend safeguards to downstream parties.
Security Rule Requirements
The Security Rule protects electronic protected health information (ePHI). It focuses on confidentiality, integrity, and availability, requiring a documented risk analysis and ongoing risk management.
Risk analysis and management
Identify where ePHI resides, evaluate threats and vulnerabilities, and implement appropriate controls. Reassess when technologies, workflows, or threats change.
Administrative safeguards
- Security management processes, workforce training, and sanctions for violations.
- Assigned security responsibility and regular information system activity review.
- Contingency planning, incident response, and evaluations of your security program.
Physical safeguards
- Facility access controls, secure workstation use, and workstation security.
- Device and media controls, including secure disposal and re-use procedures.
Technical safeguards
- Access controls (unique user IDs, emergency access, automatic logoff).
- Audit controls, integrity protections, and person or entity authentication.
- Transmission security to reduce risks when ePHI moves across networks.
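As an added illustration (not code from the original article), the Python sketch below shows how three of the technical safeguards listed above fit together: minimum-necessary access tied to a unique user ID and role, automatic logoff after inactivity, and a tamper-evident audit log whose periodic review flags denied or unusually broad access. The role-to-field policy, the 15-minute timeout, and the record layout are assumed values, not HIPAA-mandated ones.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Assumed policy: the minimum-necessary set of record fields each role may read.
ROLE_FIELDS = {"billing": {"patient_id", "insurance_id", "charges"},
               "nurse": {"patient_id", "name", "allergies", "medications"}}
SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before automatic logoff (assumed value)


class AuditLog:
    """Append-only log: each entry's HMAC also covers the previous entry's tag,
    so editing or deleting any entry breaks the chain (an integrity control)."""

    def __init__(self, key: bytes):
        self.key, self.entries, self.last_tag = key, [], b"\x00" * 32

    def append(self, event: dict) -> None:
        body = json.dumps(event, sort_keys=True).encode()
        self.last_tag = hmac.new(self.key, self.last_tag + body, hashlib.sha256).digest()
        self.entries.append((body, self.last_tag))

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for body, tag in self.entries:
            if not hmac.compare_digest(hmac.new(self.key, prev + body, hashlib.sha256).digest(), tag):
                return False
            prev = tag
        return True


def access(session: dict, record: dict, fields: set, log: AuditLog, now: float):
    """Return only the fields the session's role may read; log every attempt by unique user ID."""
    event = {"user": session["user_id"], "patient": record["patient_id"],
             "fields": sorted(fields), "ts": now}
    if now - session["last_active"] > SESSION_TIMEOUT:  # automatic logoff
        log.append({**event, "result": "session_expired"})
        return None
    session["last_active"] = now
    denied = fields - ROLE_FIELDS[session["role"]]
    log.append({**event, "result": "denied" if denied else "granted"})
    return None if denied else {f: record[f] for f in fields}


def review(log: AuditLog, max_patients: int = 20) -> dict:
    """Periodic audit review: flag users with denied attempts or unusually broad access."""
    stats = defaultdict(lambda: {"denied": 0, "patients": set()})
    for body, _ in log.entries:
        e = json.loads(body)
        stats[e["user"]]["patients"].add(e["patient"])
        stats[e["user"]]["denied"] += e["result"] == "denied"
    return {u: s for u, s in stats.items() if s["denied"] or len(s["patients"]) > max_patients}
```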
Policies, documentation, and evaluation
Maintain written policies and procedures, retain required documentation, and periodically evaluate effectiveness. Addressable specifications must be implemented where reasonable and appropriate; otherwise, document why not and adopt an equivalent alternative measure where one is reasonable.
Compliance Obligations for Covered Entities
Covered entities include health plans, healthcare clearinghouses, and providers that transmit standard transactions electronically. Your obligations span governance, people, processes, and technology.
Program governance
- Appoint privacy and security officials and establish a compliance committee or equivalent oversight.
- Adopt policies, procedures, and workforce training with clear sanction policies.
- Maintain an enterprise-wide risk register and track remediation to closure.
Third-party management
- Inventory vendors that touch PHI, perform due diligence, and execute Business Associate Agreements.
- Monitor vendors for ongoing compliance and require incident reporting and cooperation.
Incident response and breach handling
Prepare to detect, investigate, mitigate, and document incidents involving PHI. For breaches of unsecured PHI, follow breach notification duties to affected individuals and regulators consistent with HIPAA requirements.
Continuous improvement
Conduct periodic privacy and security audits, role-based access reviews, and tabletop exercises. Update controls as your operations, technologies, and threats evolve.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Safeguarding Protected Health Information
Strong safeguards align daily workflows with HIPAA’s standards while supporting patient care. Combine policy, training, and technology to reduce risk without adding friction.
Data minimization and lifecycle controls
- Apply minimum necessary access and role-based permissions.
- Encrypt data in transit and at rest where feasible and manage keys securely.
- Set retention schedules, track locations of PHI, and dispose of media safely.
Operational practices
- Use multi-factor authentication, timely patching, endpoint protection, and network segmentation.
- Log and review access to ePHI; investigate anomalies promptly.
- Secure physical spaces: screen privacy, visitor management, and locked storage.
People and process
- Provide recurring, role-specific training and phishing awareness.
- Establish clear procedures for authorizations, identity verification, and disclosures.
- Run incident simulations and update runbooks based on lessons learned.
Individual Rights under HIPAA
Individuals have meaningful control over their PHI. Your procedures must make these rights simple to exercise and timely to fulfill.
- Access and obtain copies of PHI, including electronic copies when available.
- Request amendments to inaccurate or incomplete PHI with written responses.
- Request restrictions on certain uses or disclosures and receive confidential communications.
- Receive an accounting of certain disclosures not related to treatment, payment, or operations.
- File complaints without retaliation, including with the HHS Office for Civil Rights.
Enforcement and Penalties
The HHS Office for Civil Rights enforces HIPAA through investigations, audits, and resolution agreements. Civil monetary penalties follow a tiered structure based on culpability, and criminal penalties apply for knowingly obtaining or disclosing PHI in violation of the law.
Common outcomes include corrective action plans, independent monitoring, and reporting obligations. Beyond fines, organizations face reputational damage, contract impacts, and operational costs from remediation and oversight.
Conclusion
The two HIPAA rules covered entities must follow are the Privacy Rule and the Security Rule. By honoring individual rights, applying administrative safeguards, physical safeguards, and technical safeguards, and sustaining a risk-based program, you can protect patients, meet regulatory expectations, and strengthen trust.
FAQs
What protections does the HIPAA Privacy Rule provide?
It sets national standards for how you use and disclose PHI, applies the minimum necessary principle, requires a Notice of Privacy Practices, and grants individuals rights to access, amend, and control certain disclosures. It also obligates you to implement reasonable safeguards and to hold your business associates to comparable protections.
How does the Security Rule safeguard electronic health information?
It requires a documented risk analysis and risk management program for electronic protected health information (ePHI). You must implement administrative, physical, and technical safeguards, such as access control, audit logging, integrity protections, authentication, and transmission security, and maintain policies, training, and ongoing evaluations.
Which entities are considered covered under HIPAA?
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions (for example, claims or eligibility checks). Business associates that handle PHI on behalf of covered entities must also comply with applicable HIPAA requirements through binding agreements.
What are the consequences of non-compliance with HIPAA rules?
Non-compliance can lead to investigations by the HHS Office for Civil Rights, corrective action plans, and tiered civil monetary penalties, with potential criminal liability for egregious violations. Organizations may also face reputational harm, contract losses, and significant remediation and monitoring costs.