The HIPAA Privacy Rule controls who can access and share a patient’s health information, in any format, including paper, verbal, and digital. The HIPAA Security Rule focuses only on electronic health data and requires specific technical, physical, and administrative safeguards to protect it.
Think of it this way: the Privacy Rule decides who can see the data. The Security Rule decides how that data is locked and protected.
5 key points for quick reference:
● The Privacy Rule covers all Protected Health Information (PHI), paper, digital, and spoken.
● The Security Rule covers only electronic PHI (ePHI).
● The Security Rule requires three categories of safeguards: administrative, physical, and technical.
● Both rules apply to covered entities (health plans, health care clearinghouses, and health care providers such as hospitals) and to their business associates.
● Violating one rule does not automatically mean violating the other.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, issued under the Health Insurance Portability and Accountability Act of 1996, sets national standards for how healthcare organizations handle patient health information. The U.S. Department of Health and Human Services (HHS) published the final rule in December 2000, and most covered entities had to comply by April 14, 2003.
The Privacy Rule governs the use and disclosure of PHI in every format that exists. A printed lab result, a conversation between a doctor and a nurse, a faxed insurance form, an email: all of it falls under the Privacy Rule.
In simple terms: If your health data exists anywhere in any form, the Privacy Rule applies.
What Does the HIPAA Privacy Rule Cover?
Protected Health Information (PHI) includes any data that can identify a patient and relates to their health condition, treatment, or payment for care. This covers:
● Name, address, date of birth, Social Security number
● Medical records and diagnoses
● Prescription history
● Insurance billing information
● Any communication that ties a person to a health condition
Patient Rights Under the Privacy Rule
The Privacy Rule gives patients real control over their own information. Under this rule, patients have the right to:
● Access and request copies of their medical records
● Request corrections to inaccurate records
● Receive an accounting of certain disclosures of their information (routine disclosures for treatment, payment, and operations are excluded from this accounting)
● Request restrictions on how their information is used or disclosed (most marketing uses require the patient's written authorization)
● File a complaint if they believe their privacy was violated
Real-world example: A hospital cannot share a patient’s HIV diagnosis with their employer without written authorization. That is the Privacy Rule in action, controlling disclosure of sensitive health information.
What is the HIPAA Security Rule?
The HIPAA Security Rule was finalized in February 2003, with a compliance date of April 2005 for most covered entities (small health plans had until April 2006). Where the Privacy Rule casts a wide net, the Security Rule goes deep, specifically into the electronic systems, servers, devices, and platforms that store or transmit patient data.
The Security Rule focuses entirely on electronic Protected Health Information (ePHI), health data stored or transmitted in digital form.
In simple terms: If a hospital uses an EHR system, a cloud storage platform, or a patient portal, the Security Rule governs how that data must be protected.
HIPAA Security Rule Requirements: The 3 Categories of Safeguards
This is where most compliance teams spend the bulk of their time and budget. The HIPAA Security Rule requires three categories of safeguards:
Administrative Safeguards
These are the governing policies, procedures, and training that define how staff handle ePHI.
● Conducting regular security risk assessments
● Assigning a designated Security Officer
● Training employees on data security protocols
● Creating and enforcing access management policies
● Implementing incident response and contingency planning
Physical Safeguards
These control physical access to the facilities, workstations, and devices that hold ePHI.
● Restricting server room and workstation access
● Using facility access controls (key cards, security badges)
● Implementing device and media controls
● Secure disposal of old hardware containing patient data
Technical Safeguards
These are the technology controls that protect ePHI during storage and transmission.
● Encryption of stored and transmitted data (an "addressable" specification: an organization that decides not to encrypt must document why, and what equivalent control it uses instead)
● Unique user IDs and password controls
● Automatic logoff from inactive sessions
● Audit logs that track who accessed what data and when
● Firewalls, intrusion detection, and similar network controls (not named in the rule itself, but a common way to meet its integrity and transmission security standards)
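As an added illustration of how several of the technical safeguards above fit together (example code written for this page, not code from any EHR product or from HHS), the Python sketch below enforces unique user IDs, role-based access, automatic logoff after an assumed 15-minute idle period, and an append-only audit log, then answers the auditor's question of who touched a given record and with what result. The role names, user IDs, record IDs, the idle timeout and the injected clock are all assumptions made for the example.

```python
"""Toy ePHI access layer: unique user IDs, role-based access, automatic
logoff after inactivity, and an append-only audit log.
Added example for this page, not code from any EHR product. Roles, user
IDs, record IDs and the 15-minute timeout are assumptions."""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; HIPAA itself sets no number

# Assumed role -> permitted actions, a "minimum necessary" mapping.
PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),  # billing staff get no clinical-record access in this model
}


@dataclass
class Session:
    user_id: str       # unique per person; no shared or generic logins
    role: str
    last_activity: float


class EphiStore:
    def __init__(self, clock):
        self._clock = clock     # injectable so the timeout can be exercised offline
        self._records = {}      # record_id -> clinical text
        self._sessions = {}     # session_id -> Session
        self.audit_log = []     # append-only; entries are never edited or removed

    def _audit(self, user_id, action, record_id, outcome):
        self.audit_log.append({"ts": self._clock(), "user": user_id,
                               "action": action, "record": record_id,
                               "outcome": outcome})

    def login(self, session_id, user_id, role):
        if role not in PERMISSIONS:
            self._audit(user_id, "login", None, "denied:unknown-role")
            return False
        self._sessions[session_id] = Session(user_id, role, self._clock())
        self._audit(user_id, "login", None, "ok")
        return True

    def access(self, session_id, action, record_id, value=None):
        """Return (outcome, data). Every attempt, allowed or denied, is logged."""
        sess = self._sessions.get(session_id)
        if sess is None:
            self._audit("<no-session>", action, record_id, "denied:no-session")
            return "denied:no-session", None
        now = self._clock()
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # automatic logoff of the idle session
            self._audit(sess.user_id, action, record_id, "denied:auto-logoff")
            return "denied:auto-logoff", None
        sess.last_activity = now
        if action not in PERMISSIONS[sess.role]:
            self._audit(sess.user_id, action, record_id, "denied:role")
            return "denied:role", None
        if action == "write":
            self._records[record_id] = value
            data = True
        else:
            data = self._records.get(record_id)
        self._audit(sess.user_id, action, record_id, "ok")
        return "ok", data

    def who_accessed(self, record_id):
        """The auditor's question: who touched this record, and with what result?"""
        return [(e["user"], e["action"], e["outcome"])
                for e in self.audit_log if e["record"] == record_id]


class FakeClock:
    """Constructed clock so the inactivity timeout can be triggered on demand."""
    def __init__(self):
        self.now = 1_700_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = EphiStore(clock)
    store.login("s1", "dr.alvarez", "physician")   # assumed user IDs
    store.login("s2", "nurse.kim", "nurse")
    store.login("s3", "billing.ng", "billing")
    outcomes = [
        store.access("s1", "write", "MRN-0001", "HbA1c 7.9%")[0],  # ok
        store.access("s2", "read", "MRN-0001")[0],                 # ok
        store.access("s3", "read", "MRN-0001")[0],                 # denied:role
    ]
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    outcomes.append(store.access("s2", "read", "MRN-0001")[0])     # denied:auto-logoff
    outcomes.append(store.access("s2", "read", "MRN-0001")[0])     # denied:no-session
    return outcomes, store.who_accessed("MRN-0001")


if __name__ == "__main__":
    print(demo())
```

Note that denied attempts are logged just like successful ones; an audit trail that only records successes cannot show an auditor that the billing login was refused, which is exactly the evidence an OCR investigation asks for.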
Real-world example: A SaaS health platform that stores patient data on AWS might meet its Security Rule obligations by encrypting ePHI at rest and in transit, requiring multi-factor authentication for staff access (one way to satisfy the person-or-entity authentication standard; MFA is not named in the 2003 rule text), and conducting a documented risk analysis at least once a year.
HIPAA Security Rule vs Privacy Rule: Key Differences
This is where the confusion usually starts. Here is a direct side-by-side comparison:
| Feature | Privacy Rule | Security Rule |
|---|---|---|
| What it covers | All PHI (paper, verbal, electronic) | Only ePHI (electronic PHI) |
| Primary focus | Permitted uses and disclosures of PHI | Confidentiality, integrity, and availability of ePHI |
| Safeguards required | General administrative, technical, and physical safeguards for all PHI, not spelled out in detail | Specific administrative, physical, and technical safeguards, with required and addressable implementation specifications |
| Who must comply | Covered entities and business associates | Covered entities and business associates |
| Patient rights | Yes: access, amendment, accounting of disclosures, requested restrictions | No direct patient-rights provisions |
| Compliance date | April 2003 | April 2005 (small health plans: April 2006) |
| Applies to paper records | Yes | No |
| Applies to spoken information | Yes | No |
| Enforced by | HHS Office for Civil Rights (OCR) | HHS Office for Civil Rights (OCR) |
How is the HIPAA Security Rule different from the HIPAA Privacy Rule? The Privacy Rule is broader: it governs all health information regardless of format. The Security Rule is narrower: it applies only to health data stored or transmitted electronically, and it requires far more detailed technical controls.
Why Both Rules Must Work Together
Treating these two rules as separate compliance boxes to check is one of the most common mistakes healthcare organizations make.
The Privacy Rule tells you what data is protected and who can access it. The Security Rule tells you how to actually protect it when it lives on a screen, a server, or a mobile device. One without the other creates gaps.
A hospital may have perfect privacy policies on paper, patients sign consent forms, staff understand disclosure rules, but if their EHR system has no encryption, no access logs, and no firewall, they are still exposed.
The HIPAA Omnibus Rule of 2013 tightened this relationship further by extending compliance obligations to business associates, vendors, IT providers, billing companies, anyone who touches PHI or ePHI on behalf of a covered entity.
In short: The Privacy Rule sets the rules of the road. The Security Rule builds the guardrails.
Real-World Examples: HIPAA Security Rule vs Privacy Rule in Action
Example 1: Hospital Data Sharing
A patient at a large hospital system is treated for a chronic condition. Their records are shared with a specialist, a disclosure the Privacy Rule permits for treatment without patient authorization. When those records are transmitted electronically to the specialist's office, the Security Rule's transmission security standard applies, which in practice means the data is encrypted in transit.
Both rules are active in the same interaction.
Example 2: SaaS Health Platform
A digital health startup builds a patient engagement app that stores appointment history, medication reminders, and lab results. The Privacy Rule governs what data they can collect and with whom they can share it. The Security Rule governs how their database is secured, how employees access it, and what happens if there is a breach.
HIPAA Security Rule requirements apply to them even if they never see a patient face-to-face.
Example 3: Data Breach Scenario
A hospital employee accidentally emails a spreadsheet containing 2,000 patient records to the wrong address. This triggers both rules simultaneously. The Privacy Rule was violated because PHI was disclosed improperly. The Security Rule was potentially violated because adequate technical safeguards, like email encryption or data loss prevention tools, were not in place.
One incident. Two violations. One enforcement investigation.
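The misdirected-spreadsheet case is exactly what an outbound data loss prevention check is meant to catch before the message leaves the mail server. As an added example (written for this page; not any vendor's DLP product, and not code the page's authors supplied), the Python below scans a constructed spreadsheet attachment for identifiers paired with diagnosis codes and decides whether the message may go out. The internal domain, the MRN format, the regular expressions and the sample rows are all assumptions; a production deployment would use a proper PHI classifier rather than three regexes.

```python
"""Outbound-email DLP check for the misdirected-spreadsheet scenario.
Added example for this page, not a real DLP product. The internal domain,
identifier patterns and sample spreadsheet rows are all constructed."""
import re

INTERNAL_DOMAINS = {"hospital.example"}  # assumed: mail staying here is not a disclosure

# Identifier patterns (assumed formats). SSN, date of birth and medical record
# number are among the identifiers that make health information PHI.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{4,}\b"),
    "dob": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}
# Rough shape of an ICD-10 diagnosis code such as E11.9; assumed, not a validator.
DIAGNOSIS_CODE = re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,3})?\b")

# Constructed sample of what a "patient list" export might look like.
SAMPLE_SPREADSHEET = """\
mrn,name,dob,ssn,diagnosis
MRN-48213,Jane Q. Sample,04/12/1975,123-45-6789,E11.9
MRN-48214,John Q. Sample,11/30/1968,987-65-4321,I10
MRN-48215,Pat Q. Sample,02/02/1990,,J45.909
"""


def count_phi_rows(csv_text):
    """Count rows that pair at least one identifier with clinical content.
    A bare list of names is not PHI; a name next to a diagnosis is."""
    phi_rows, identifier_hits = 0, {}
    for row in csv_text.strip().splitlines()[1:]:  # skip the header row
        found = [name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(row)]
        for name in found:
            identifier_hits[name] = identifier_hits.get(name, 0) + 1
        if found and DIAGNOSIS_CODE.search(row):
            phi_rows += 1
    return phi_rows, identifier_hits


def dlp_decision(recipient, attachment_csv, transport_encrypted):
    """Decide allow / hold-for-review / block for one outbound message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    phi_rows, hits = count_phi_rows(attachment_csv)
    if phi_rows == 0:
        return {"action": "allow", "phi_rows": 0, "reason": "no PHI detected"}
    if domain in INTERNAL_DOMAINS:
        return {"action": "allow", "phi_rows": phi_rows,
                "reason": "internal recipient; still logged for the audit trail"}
    if not transport_encrypted:
        return {"action": "block", "phi_rows": phi_rows,
                "reason": f"{phi_rows} PHI rows to external domain {domain} without encryption"}
    return {"action": "hold-for-review", "phi_rows": phi_rows,
            "reason": f"{phi_rows} PHI rows to external domain {domain}; confirm authorization"}


if __name__ == "__main__":
    print(dlp_decision("partner@outside.example", SAMPLE_SPREADSHEET, False))
    print(dlp_decision("records@hospital.example", SAMPLE_SPREADSHEET, False))
```

The encrypted external case is deliberately held rather than allowed: encryption satisfies the Security Rule's transmission safeguard, but whether the recipient may receive the data at all is a Privacy Rule question that a technical control cannot answer on its own.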
Common Mistakes Organizations Make
Assuming the Security Rule Covers All Patient Data
Many organizations assume the Security Rule covers all patient data. It does not. It covers only ePHI. A paper chart sitting in a filing cabinet is protected by the Privacy Rule (including its general safeguards requirement), not the Security Rule. Confusing the two leads to compliance gaps in both directions.
Neglecting Risk Analysis and Technical Safeguards
In OCR enforcement actions the most frequently cited Security Rule failure is a missing or inadequate risk analysis, an administrative safeguard; gaps in technical safeguards, specifically encryption, access controls, and audit logs, follow close behind. Many smaller healthcare organizations still store ePHI on unencrypted laptops or shared drives without any audit trail.
Treating Training as a One-Time Event
The administrative safeguard requirement includes ongoing, documented staff training. HHS expects it to reflect current threats and updated policies. Many breaches begin with a human error, a misdirected email or a phished password, that proper training could have prevented.
Forgetting Business Associates
Under the HIPAA Omnibus Rule, business associates are directly liable. A healthcare organization cannot outsource its compliance risk to a vendor without a signed Business Associate Agreement (BAA) and documented assurance of the vendor’s security posture.
What to Prioritize in 2026
Healthcare data security laws continue to evolve. Here is what compliance teams should prioritize:
1. Conduct Regular Risk Assessments The Security Rule requires a documented, organization-wide risk analysis, repeated periodically and whenever systems change; an annual cycle is the common practice. This is the starting point for every compliance program and is not optional.
2. Update Your Privacy Policies Review all Notice of Privacy Practices documents. Ensure they reflect current data practices, especially if you have added digital health tools or third-party vendors since your last update.
3. Audit Business Associate Agreements Every vendor with access to PHI or ePHI needs a current, signed BAA. Review all agreements annually.
4. Invest in Technical Safeguards At minimum: encryption at rest and in transit, multi-factor authentication, role-based access controls, and automated audit logs. The rule text labels some of these "addressable" rather than "required", but in 2026 they are the practical baseline: leaving any of them out needs a documented justification that will be hard to defend.
5. Train Staff Regularly Run phishing simulations. Conduct quarterly refreshers. Document all training. The human element remains the single largest vulnerability in healthcare data security.
6. Create an Incident Response Plan The Security Rule requires contingency planning. A documented response protocol needs to exist before a breach occurs, not after.
Key Takeaways
● The HIPAA Security Rule vs Privacy Rule distinction comes down to scope and format: Privacy covers all PHI, Security covers only ePHI.
● The Security Rule requires three categories of safeguards: administrative, physical, and technical.
● Both rules apply to covered entities and their business associates.
● The HIPAA Omnibus Rule extended direct liability to vendors and third-party partners.
● Violating one rule does not automatically mean you violated the other, but many breaches trigger both.
● PHI vs ePHI is the core technical distinction that drives different compliance obligations.
● Annual risk assessments, staff training, and technical safeguards are non-negotiable in 2026.
FAQ: HIPAA Security Rule vs Privacy Rule
What is the main difference between HIPAA Privacy and Security Rule? The Privacy Rule covers all protected health information regardless of format, paper, verbal, or electronic. The Security Rule applies only to electronic PHI and requires specific administrative, physical, and technical safeguards to protect it.
Does the Security Rule apply to paper records? No. The HIPAA Security Rule applies strictly to electronic protected health information (ePHI). Paper records fall under the Privacy Rule only.
Who must comply with the HIPAA Security Rule? Covered entities (health plans, health care clearinghouses, and health care providers such as hospitals) must comply, along with their business associates. This includes vendors, IT providers, billing companies, and any third party that creates, receives, maintains, or transmits ePHI on their behalf.
Can you violate one rule without violating the other? Yes. A hospital could violate the Privacy Rule by improperly disclosing patient information verbally without any electronic data involved. A company could fail to encrypt ePHI in violation of the Security Rule without any improper disclosure occurring. They are separate obligations, though many incidents trigger both.
What are the 3 categories of HIPAA Security Rule safeguards? The HIPAA Security Rule requires three categories of safeguards: administrative safeguards (policies, training, risk assessments), physical safeguards (facility access controls, device security), and technical safeguards (encryption, access controls, audit logs).
What is the difference between HIPAA compliance and security? HIPAA compliance is the broader umbrella covering all HIPAA rules, Privacy, Security, Breach Notification, and Enforcement. The Security Rule is one specific component focused on protecting electronic patient data. An organization can meet Security Rule requirements while still violating other parts of HIPAA.
What is the HIPAA Omnibus Rule and how does it relate? The HIPAA Omnibus Rule, finalized in 2013, updated and strengthened both the Privacy and Security Rules. Most significantly, it made business associates directly liable for HIPAA violations, meaning vendors and service providers can now be fined and investigated by HHS independently of the covered entity they work for.
HIPAA security rules and privacy rules are similar yet different, how? Both rules exist to protect patient health information, and both apply to the same covered entities and business associates. The difference is in scope and mechanism. The Privacy Rule is about rights, permissions, and disclosure. The Security Rule is about technology, infrastructure, and operational controls. They are similar in purpose but very different in how they are implemented.