The HIPAA rules explained, one by one
The distinct HIPAA rules explained one by one: the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, and the 2013 Omnibus Rule. What each governs, the CFR location, and who it applies to.
The short version
What are the HIPAA rules?
HIPAA is not one rule but a family of them, each issued by HHS under the law's Administrative Simplification provisions. The Privacy Rule governs how protected health information is used and disclosed, the Security Rule requires safeguards for electronic PHI, the Breach Notification Rule requires notice after a breach, and the Enforcement Rule sets out how violations are investigated and penalized. The 2013 Omnibus Rule updated all of them to implement the HITECH Act, most notably by making business associates directly liable. Each rule is broken out below, with what it governs, where it lives in the Code of Federal Regulations, and who it applies to.
For a plain-English overview of the law as a whole, see what HIPAA is. For what happens when a rule is broken, see HIPAA violation examples.
General educational guidance, not legal advice.
Privacy Rule
45 CFR Part 164, Subpart E
The Privacy Rule is the foundational rule most people mean when they say "HIPAA." It introduces the minimum necessary standard, requires a Notice of Privacy Practices, and defines permitted uses such as treatment, payment, and health care operations. It is the "what" and "who" of health information handling.
What it governs: Sets national standards for how protected health information (PHI) may be used and disclosed, and grants individuals rights over their own information, including the right to access, amend, and get an accounting of disclosures.
Who it applies to: Covered entities, and through their agreements, business associates. It applies to PHI in any form: oral, paper, or electronic.
Security Rule
45 CFR Part 164, Subpart C
The Security Rule is the "how" for electronic health data. Some specifications are required and others are addressable, meaning you implement them or document a reasonable alternative. The risk analysis is the single artifact OCR asks for most often. People searching "who the HIPAA Security Rule applies to" are asking about exactly this scope: ePHI held by covered entities and their business associates.
What it governs: Requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Its centerpiece is a documented risk analysis of threats to ePHI.
Who it applies to: Covered entities and business associates, but only for electronic PHI. It does not reach paper or oral information; that is the Privacy Rule's domain.
Breach Notification Rule
45 CFR Part 164, Subpart D
A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. The rule includes a risk assessment to determine whether PHI has been compromised, and properly encrypted or destroyed data falls outside "unsecured" PHI. Large breaches appear on the public HHS breach portal.
What it governs: Requires notification after a breach of unsecured PHI. Affected individuals and HHS must be notified, and for larger breaches the media as well. Individual notice is generally required without unreasonable delay and no later than 60 days after discovery.
Who it applies to: Covered entities notify affected individuals and HHS. Business associates must notify the covered entity when a breach occurs on their side, so the covered entity can meet its own obligations.
Enforcement Rule
45 CFR Part 160, Subparts C, D, and E
The Enforcement Rule is where the tiers by culpability live, from a violation the entity did not know about up to willful neglect that was not corrected. It does not itself set the substantive privacy or security obligations; it sets the machinery for enforcing them. The specific penalty amounts are adjusted for inflation each year, so always confirm current HHS guidance.
What it governs: Establishes how HHS investigates complaints, conducts compliance reviews, and imposes the tiered civil money penalties for violations. It sets the procedures for investigations, hearings, and the penalty determination process.
Who it applies to: All covered entities and business associates subject to HIPAA. It is the procedural backbone that the HHS Office for Civil Rights uses to enforce the other rules.
2013 Omnibus Rule (HITECH)
Implements the HITECH Act across 45 CFR Parts 160 and 164
The Omnibus Rule is not a separate fifth rule so much as a sweeping update that amended the existing ones. The headline change practitioners care about is direct business associate liability: a vendor that mishandles PHI can now be held accountable by the regulator directly, and the chain of obligations flows down to subcontractors through business associate agreements.
What it governs: Finalized a set of major modifications driven by the 2009 HITECH Act. Most significantly, it made business associates, and their subcontractors, directly liable for compliance with applicable parts of the Security Rule and the Privacy Rule, rather than only contractually bound.
Who it applies to: It extended direct HIPAA liability to business associates and their subcontractors, broadened individual rights, and strengthened the breach-notification standard. Everyone in the PHI chain is now in scope.
How the rules fit together
The rules share the same protected health information and the same workforce, so most teams run them as one program rather than four. The Privacy Rule defines what you can do with PHI, the Security Rule defines how you protect the electronic part, the Breach Notification Rule defines what you do when protection fails, and the Enforcement Rule defines what the regulator does about it. The Omnibus Rule pulled business associates fully into that program. Managing them on one control library, with a shared risk analysis and a single evidence trail, is what keeps a HIPAA program defensible instead of scattered across binders.
HIPAA Security Checklist
The administrative, physical, and technical safeguards behind the Security Rule, in a single working checklist you can run against your own program.
- Administrative, physical, and technical safeguard checks
- Risk-analysis and documentation prompts OCR looks for
- Business associate agreement and vendor coverage
- Device encryption, access control, and disposal items
- A gap list you can hand to owners for remediation
Primary references: the official rule text and HHS summaries live on HHS HIPAA for Professionals, covering the Privacy, Security, Breach Notification, and Enforcement Rules and the HITECH Act. CFR citations on this page point to the rule structure in 45 CFR Parts 160 and 164. This page is general educational guidance, not legal advice.
Run all the HIPAA rules as one program, not four.
RiskWatch ships pre-built Privacy and Security Rule assessments on a shared control library, runs the risk analysis, tracks business associate agreements, and keeps the evidence trail OCR asks for. Start a free trial, no credit card.