HIPAA foundations

The Three Rules of HIPAA: Privacy, Security, and Breach Notification Explained

Ask what HIPAA actually requires and the honest answer comes down to three regulations: the Privacy Rule, the Security Rule, and the Breach Notification Rule. This guide explains what each rule covers, who must follow them, how they fit together, and what they mean for your training and certification.

July 16, 2026

The three rules of HIPAA at a glance

Ask a room of healthcare workers what HIPAA says and you will get a dozen answers, most of them some version of do not talk about patients. The law itself is more organized than that. Nearly everything HIPAA requires of a clinic, hospital, health plan, or vendor traces back to three regulations: the Privacy Rule, which governs who can see and share protected health information; the Security Rule, which sets the safeguards that protect electronic health data; and the Breach Notification Rule, which dictates exactly what must happen when protection fails. If you are studying for a HIPAA exam, onboarding at a new employer, or trying to understand a compliance obligation, these three rules of HIPAA are the map. Everything else, from business associate agreements to penalty tiers, hangs off one of them.

A little history explains why HIPAA works this way. The Health Insurance Portability and Accountability Act of 1996 is a statute, and Congress wrote it mostly about insurance portability and administrative simplification, not privacy. The privacy and security detail arrived later as regulations issued by the Department of Health and Human Services under the statute's authority, codified at 45 CFR Parts 160 and 164. The Privacy Rule took effect for most organizations in April 2003. The Security Rule followed with a compliance date of April 2005. The Breach Notification Rule is the youngest of the three, created by the HITECH Act of 2009 and finalized in the 2013 Omnibus Rule, which also extended direct liability to business associates. The Office for Civil Rights, or OCR, enforces all three, which is why enforcement actions cite specific sections of these rules rather than the statute itself.

Before walking through each rule, be clear about who has to follow them. The rules bind covered entities, meaning healthcare providers who transmit health information electronically for claims and related transactions, health plans, and healthcare clearinghouses. They also bind business associates, the vendors and contractors that create, receive, maintain, or transmit protected health information for a covered entity, from billing companies to cloud hosts. You will sometimes see references to five HIPAA rules rather than three; that count adds the Enforcement Rule, which sets investigation procedures and civil penalty amounts, and the Omnibus or Transactions provisions depending on who is counting. Those additions matter to lawyers and compliance officers, but the day-to-day obligations that reach every workforce member, and the content that dominates every HIPAA training course and exam, come from the big three covered here.

Here is the one-breath summary worth memorizing before the detail. The Privacy Rule says PHI in any form may only be used or disclosed as the rule permits or the patient authorizes, and it gives patients enforceable rights over their own records. The Security Rule says electronic PHI must be protected by administrative, physical, and technical safeguards chosen through a documented risk analysis. The Breach Notification Rule says that when unsecured PHI is compromised, individuals, HHS, and sometimes the media must be told on a fixed timeline. One common misconception is that HIPAA is only about secrecy; the Privacy Rule actually requires sharing in several situations, most importantly with the patient themselves. Another is that the rules only apply to doctors and nurses; the receptionist, the billing contractor, the IT vendor, and the practice owner all carry obligations, and the janitor who cannot access records at all is precisely the point of the access controls. Keep those corrections in mind and the rest of this guide will feel less like law and more like common sense written down.

The Privacy Rule: who can see and share PHI

The Privacy Rule, at 45 CFR Part 164 Subpart E, is the broadest of the three. It protects protected health information, or PHI, in every form: spoken conversations, paper charts, faxes, and electronic records alike. PHI is any individually identifiable health information held or transmitted by a covered entity or business associate, and identifiability is judged against 18 identifiers that include names, dates, addresses, phone numbers, medical record numbers, and even full-face photos. The rule's core mechanic is simple to state: PHI may not be used or disclosed except as the rule permits or as the patient authorizes in writing. The largest permission is treatment, payment, and healthcare operations, usually shortened to TPO, which is what lets a nurse hand off to the next shift and a biller submit a claim without collecting a signature each time.

The Privacy Rule is also where patient rights live, and those rights generate more enforcement than almost anything else in HIPAA. Patients have the right to access their own records, generally within 30 days of asking, and OCR has run a dedicated Right of Access Initiative that has produced dozens of settlements against providers who stalled or ignored requests. Patients can request amendments to incorrect records, receive an accounting of certain disclosures, and ask for restrictions on sharing, including a mandatory restriction when they pay for a service fully out of pocket. Covered entities must publish a Notice of Privacy Practices describing all of this. Layered over every permitted use is the minimum necessary standard at 45 CFR 164.502(b): even when a disclosure is allowed, you may only use or share the least information needed for the task at hand.

In practice, Privacy Rule compliance is decided in hallways and inboxes, not in policy binders. The classic violations are mundane: discussing a patient by name at the front desk within earshot of the waiting room, looking up a neighbor or celebrity in the EHR out of curiosity, faxing records to the wrong number, or posting about a memorable case on social media with enough detail to identify the person. Curiosity-driven record snooping is among the most common causes of employee termination and sanction in healthcare, and it is a pure Privacy Rule problem, because the access was not for treatment, payment, or operations. This is why workforce training spends so much time on the Privacy Rule: it is the rule that every receptionist, aide, biller, and clinician touches every single day, whether or not they ever log a support ticket or configure a server.

The Security Rule: how ePHI must be protected

The Security Rule, at 45 CFR Part 164 Subpart C, narrows the focus to electronic protected health information, or ePHI, and answers a different question: not who may see the data, but how the systems holding it must be protected. It organizes its requirements into three categories of safeguards. Administrative safeguards cover the human and process side, including a designated security official, workforce training, access management, and contingency planning. Physical safeguards cover facility access, workstation placement, and the handling of devices and media that store ePHI. Technical safeguards cover the controls inside the systems themselves: unique user IDs, automatic logoff, audit controls, integrity protections, and encryption of data in transit and at rest. The rule was written to be technology-neutral and scalable, so a two-chair dental office and a hospital network face the same standards but can meet them in proportion to their size and risk.

Two Security Rule concepts are worth knowing by name because they decide most real-world outcomes. The first is the risk analysis required at 45 CFR 164.308(a)(1)(ii)(A), an accurate and thorough assessment of the risks to all ePHI an organization holds. A missing or stale risk analysis is the single most cited failure in OCR breach investigations, because it is the foundation every other safeguard is supposed to be built on. The second is the distinction between required and addressable implementation specifications. Required items must be implemented, full stop. Addressable items, encryption among them, must be implemented if reasonable and appropriate, and if not, the organization must document why and implement an equivalent alternative. Addressable has never meant optional, and organizations that treated it that way have paid settlements to learn the difference after losing an unencrypted laptop.

People often ask for the difference between the Privacy Rule and the Security Rule, and the cleanest version is this: the Privacy Rule governs all PHI in any form and controls uses and disclosures, while the Security Rule governs only electronic PHI and mandates safeguards. A conversation overheard in an elevator is a Privacy Rule issue and the Security Rule has nothing to say about it. A database left exposed to the internet is a Security Rule failure even if no one ever views a record. The rules meet in the middle constantly, because most PHI now lives in electronic systems, so a single incident like a phished email account often implicates both: the Security Rule for the weak access controls that let the attacker in, and the Privacy Rule for the impermissible disclosure of the messages inside.

The Breach Notification Rule: what happens after an incident

The Breach Notification Rule, at 45 CFR Part 164 Subpart D, governs the aftermath. A breach, defined at 45 CFR 164.402, is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. The rule's most important structural feature is a presumption: an impermissible use or disclosure is presumed to be a reportable breach unless the organization can demonstrate a low probability of compromise through a documented risk assessment weighing four factors. Those factors are the nature and extent of the PHI involved, the unauthorized person who received or used it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Unsecured is a defined term too: PHI that is encrypted to federal standards falls outside the rule entirely, which is the strongest practical argument for encrypting everything that moves.

Once an incident qualifies as a breach, the clock starts and the deadlines are unforgiving. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery under 45 CFR 164.404. If the breach affects 500 or more residents of a state or jurisdiction, prominent media outlets must be notified within the same 60 days under 164.406, and HHS must be notified concurrently under 164.408, which is how breaches end up on the public HHS portal. Smaller breaches go to HHS in an annual log due within 60 days of year end. Business associates have their own deadline: they must report breaches to the covered entity without unreasonable delay and within 60 days under 164.410, though most business associate agreements contract that window down sharply. Our free breach notification deadline calculator turns a discovery date into the exact dates for each of these obligations.

Failing the Breach Notification Rule compounds the original incident. Notifying late, or deciding an incident was not a breach without a documented four-factor assessment, is itself a violation that OCR penalizes on top of whatever Privacy or Security Rule failures caused the exposure. The civil penalty structure runs in culpability tiers from unknowing violations up to willful neglect that goes uncorrected, with the top tier reaching into seven figures per violation category per year, and state attorneys general hold parallel authority to sue under HIPAA and under state breach laws with their own, often shorter, deadlines. The pattern in enforcement announcements is consistent: organizations rarely get punished simply for being breached, and frequently get punished for what they failed to do before the breach and how they responded after it.

How the three rules work together

Seen together, the three rules of HIPAA form a single loop rather than three separate checklists. The Privacy Rule decides who may see and share PHI and what rights patients hold over it. The Security Rule decides how the electronic systems holding that PHI must be defended so the Privacy Rule's limits actually hold. The Breach Notification Rule decides what honesty requires when the first two layers fail. The Enforcement Rule, the usual fourth wheel in the five-rule count, supplies the consequences that make the loop binding. This is why real compliance programs never treat the rules in isolation: a risk analysis under the Security Rule catalogs the systems where Privacy Rule disclosures could go wrong, and an incident response plan rehearses the Breach Notification Rule steps before anyone needs them under pressure.

For an individual worker, the three rules translate into concrete expectations. Employers must train every workforce member on the policies and procedures that implement these rules, and most ask for proof, which is why HIPAA certification questions appear in job postings for medical assistants, billers, IT staff, and front desk teams alike. If you are preparing for a HIPAA test, expect the three rules to dominate it: what counts as PHI and the 18 identifiers, when a disclosure needs an authorization versus when TPO covers it, the three safeguard categories and the difference between required and addressable specifications, the four-factor breach assessment, and the 60-day notification deadlines. If a quiz asks what the three rules of HIPAA are, the answer it wants is the Privacy Rule, the Security Rule, and the Breach Notification Rule, and now you know what sits behind each name.

The fastest way to make this knowledge stick is to use it. Take our free HIPAA practice test to see how the three rules show up as real exam questions and where your gaps are. If you need documented proof of training for an employer or a client, the HIPAA certification course covers all three rules in depth and issues a verifiable certificate when you pass. For deeper reading on each rule individually, our pillar guides on the Privacy Rule, the Security Rule, and what counts as PHI expand every section of this overview, and the breach notification deadline calculator, risk assessment tool, and penalty calculator turn the rules into working answers for your own organization. Three rules, one loop: learn them once and every HIPAA question you meet afterward gets easier.


Recommended resources

Keep exploring the topic.

Use the related training, compliance, and documentation pages when you need the next practical step after this guide.

Related HIPAA guides

Related guides

Other HIPAA guides worth reading.

Stay on the same workflow thread with adjacent articles from the resource library.