HIPAA Privacy Rule vs. Security Rule
Two complementary HIPAA rules that are frequently confused. The Privacy Rule governs who can access PHI and under what circumstances. The Security Rule governs how to protect ePHI from a technical and operational standpoint.
Privacy Rule
Establishes national standards for the protection of individually identifiable health information. Governs the use and disclosure of protected health information (PHI) in all forms: oral, written, and electronic.
Security Rule
Establishes national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). Requires administrative, physical, and technical safeguards.
Side-by-Side Comparison
| Element | Privacy Rule | Security Rule |
|---|---|---|
| Scope of Information | All protected health information (PHI) in any form: paper, oral, and electronic | Only electronic PHI (ePHI). Does not cover paper records or oral communications. |
| Core Question | WHO can access PHI, WHEN, and for WHAT PURPOSE? | HOW do you protect ePHI from unauthorized access, alteration, or destruction? |
| Applies To | Covered entities and business associates | Covered entities and business associates |
| Key Requirements | Notice of Privacy Practices, minimum necessary standard, individual rights (access, amendment, accounting of disclosures), authorization requirements, permitted uses and disclosures for treatment, payment, and health care operations (TPO) | Risk analysis, risk management, sanction policy, information system activity review, access management, security awareness training, contingency planning, evaluation |
| Safeguard Types | Administrative safeguards (policies on use and disclosure, training, Privacy Officer designation, complaint process) | Three categories: administrative safeguards (§ 164.308), physical safeguards (§ 164.310), and technical safeguards (§ 164.312) |
| Required Officer | Privacy Officer (§ 164.530(a)(1)) | Security Officer (§ 164.308(a)(2)). May be the same person as Privacy Officer in smaller organizations. |
| Patient Rights | Right to access PHI, request amendments, request restrictions, receive accounting of disclosures, request confidential communications, file complaints | No direct patient rights provisions. Security Rule protects ePHI operationally so privacy rights can be exercised. |
| Flexibility | Prescriptive in many areas: specific content required in Notice of Privacy Practices, specific individual rights with defined timelines | Scalable and flexible: 'required' vs 'addressable' implementation specifications. Organizations assess what is reasonable and appropriate for their size and complexity. |
| Enforcement | OCR (Office for Civil Rights) within HHS. Civil money penalties up to $2.13M per violation category per year. State attorneys general can also enforce. | OCR within HHS. Same penalty structure. Security Rule violations are also frequently cited in state AG actions and False Claims Act cases. |
| Common Violations | Impermissible disclosures, failure to provide access to records within 30 days, no Notice of Privacy Practices, insufficient minimum necessary policies, lack of valid authorizations | No risk analysis (the #1 finding), insufficient access controls, lack of encryption, no audit logging, missing or inadequate contingency plans, failure to manage business associate security |
| Documentation Retention | 6 years from date of creation or last effective date (§ 164.530(j)) | 6 years from date of creation or last effective date (§ 164.316(b)(2)) |
How They Work Together
The Privacy Rule and Security Rule are not alternatives. They are complementary requirements that work together to protect patient information.
Privacy Rule Sets the Boundaries
The Privacy Rule defines what uses and disclosures of PHI are permitted. It tells your organization who can see what, under what circumstances, and with what patient rights. Without the Privacy Rule, you would not know what you are protecting or why.
Security Rule Enforces the Boundaries
The Security Rule provides the operational and technical framework to enforce those privacy boundaries for ePHI. It ensures that access controls, encryption, audit trails, and disaster recovery are in place to make the Privacy Rule effective.
Common Points of Confusion
'We're HIPAA compliant because we encrypt everything'
Reality: Encryption is a Security Rule requirement. But HIPAA compliance also requires Privacy Rule compliance: Notice of Privacy Practices, individual access rights, minimum necessary policies, authorization procedures, and workforce training on permitted uses. Technical security alone does not equal HIPAA compliance.
'Paper records aren't covered by HIPAA'
Reality: The Security Rule only covers ePHI. But the Privacy Rule covers ALL PHI, including paper and oral. A misfiled paper chart, a conversation in an elevator, or a fax sent to the wrong number can all be Privacy Rule violations.
'Addressable means optional'
Reality: Under the Security Rule, 'addressable' does NOT mean optional. It means you must assess whether the implementation specification is reasonable and appropriate for your environment. If it is, you implement it. If it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate. Ignoring an addressable specification without documenting that assessment is a violation.
'We only need one compliance officer'
Reality: The Privacy Rule requires a designated Privacy Officer (§ 164.530(a)(1)). The Security Rule requires a designated Security Officer (§ 164.308(a)(2)). These can be the same person, but both roles must be formally assigned and documented. Many small practices overlook the Security Officer designation.