HIPAA Privacy Rule vs Security Rule: What's the Difference?
The HIPAA Privacy Rule governs all protected health information in any form; the Security Rule governs electronic PHI specifically and prescribes the safeguards that protect it. Here is how the two rules differ, where they overlap, and why a real program needs both.
The core distinction at a glance: all PHI vs electronic PHI
People often treat "HIPAA" as a single rulebook, but it is a set of distinct rules with different scopes, and the two most important are the Privacy Rule and the Security Rule. The simplest way to keep them straight is by what they protect. The Privacy Rule governs all protected health information (PHI) in any form — spoken, written on paper, faxed, or stored electronically. The Security Rule governs a narrower slice: electronic protected health information (ePHI) specifically, and the technical and operational controls that keep it safe.
The two live in different parts of the regulation. The Privacy Rule is codified at 45 CFR Part 164, Subpart E, and it answers the question "who may see, use, and share health information, and what rights do patients have over it?" The Security Rule is at 45 CFR Part 164, Subpart C, and it answers a different question: "how do you protect that information once it is in electronic systems?" One is about permission and rights; the other is about safeguards and engineering.
A useful shorthand: the Privacy Rule is the "what and who" of health information — what may be disclosed, to whom, and under what conditions — while the Security Rule is the "how" of protecting the electronic copy of that information. They are complementary, not interchangeable, and a compliant program has to satisfy both rather than choosing between them.
This article is general information, not legal, compliance, or audit advice, and it does not create any professional relationship. HIPAA's requirements are detailed and updated over time, so confirm the current rules for your situation at hhs.gov and, where it matters, with a qualified professional.
The Privacy Rule in depth: uses, disclosures, minimum necessary, and patient rights
The Privacy Rule (Subpart E) sets the conditions under which PHI may be used or disclosed at all. Its default posture is restrictive: a covered entity may use or disclose PHI only as the Rule permits or requires, or with the individual's written authorization. The broad exception that makes care possible is treatment, payment, and health care operations (often abbreviated TPO) — providers can share information as needed to treat a patient, get paid, and run the practice without obtaining a separate authorization each time. Most other uses, such as marketing or sharing with an employer, generally require the patient's authorization.
Layered on top is the minimum necessary standard: when you use, disclose, or request PHI, you must limit it to the minimum reasonably needed for the purpose. A referral should include what the recipient actually needs, not the entire chart; front-desk staff scheduling appointments do not need full clinical histories. There is an important carve-out — minimum necessary does not apply to disclosures to or requests by a provider for treatment — but the habit of restraint is the operating norm everywhere else.
The Privacy Rule also gives patients enforceable rights over their information. Individuals generally have the right to access and obtain a copy of their records (45 CFR 164.524), to request amendments to information they believe is inaccurate, to receive an accounting of certain disclosures, and to request restrictions and confidential communications. The right of access in particular has been a sustained focus of enforcement by the HHS Office for Civil Rights, with penalties against organizations that failed to provide records promptly and at a reasonable cost.
Finally, the Privacy Rule requires a Notice of Privacy Practices (NPP) — the plain-language document that tells patients how their PHI is used and disclosed and what rights they have. Covered entities must provide it and post it, and a provider with a direct treatment relationship must also make a good-faith effort to obtain written acknowledgment of receipt.
The Security Rule in depth: three safeguard families and the required risk analysis
The Security Rule (Subpart C) takes the electronic subset of PHI and prescribes how to protect its confidentiality, integrity, and availability. It organizes its requirements into three families of safeguards, and an organization that handles ePHI has to address all three.
Administrative safeguards are the policy and people-side controls: designating a security official, managing who is granted and removed from access to ePHI, training the workforce, and maintaining procedures for security incidents and contingencies such as data backup and disaster recovery. Physical safeguards protect the places and devices where ePHI lives — facility access controls, workstation security (positioning screens away from public view, locking sessions), and controls over how laptops, phones, drives, and backups are handled and disposed of. Technical safeguards are the technology controls: unique user IDs and access controls, audit controls that log activity, integrity protections, and transmission security.
The single most important Security Rule obligation is the risk analysis at 45 CFR 164.308(a)(1) — the security management process standard. It requires an accurate and thorough assessment of the potential risks and vulnerabilities to the ePHI you hold, followed by security measures sufficient to reduce those risks to a reasonable and appropriate level. This is not a one-time form; it inventories where ePHI is created, received, stored, and transmitted, identifies the threats to each location, and drives a remediation plan. Failing to conduct a proper risk analysis is one of the most commonly cited deficiencies in OCR enforcement.
The Security Rule is deliberately flexible and scalable: it expects safeguards reasonable and appropriate for an organization's size and resources. Some specifications, including encryption, are "addressable" rather than flat mandates — you implement them where reasonable and appropriate, or document a justified equivalent — though in practice encrypting devices and PHI in transit is the expected default. HHS periodically updates the Security Rule, including the treatment of encryption, so confirm the current requirements at hhs.gov.
How they overlap and how they differ
The cleanest way to see the relationship is by scope. The Privacy Rule's domain is every form of PHI — a conversation at the front desk, a paper chart, a fax, an email, a database record. The Security Rule's domain is only the electronic copy. That means ePHI sits under both rules at once: the Privacy Rule governs who may use or disclose it and the patient's rights over it, while the Security Rule governs the technical and operational safeguards that protect it from unauthorized access or loss.
There is also a direct structural link between the two that is worth understanding. The Privacy Rule contains its own safeguards standard at 45 CFR 164.530(c), which requires administrative, technical, and physical safeguards to protect the privacy of all PHI. The Security Rule is essentially the detailed, electronic-specific elaboration of that duty — it takes the general "protect the information" obligation and spells out, for ePHI, exactly what those administrative, physical, and technical safeguards must look like. Read this way, the Security Rule is not a separate idea bolted on; it is the engineering specification for one slice of a broader privacy obligation.
Where they differ is in purpose and mechanism. A practice can comply with the Security Rule's technical controls and still violate the Privacy Rule — for example, by encrypting its database perfectly but disclosing PHI to a party with no permission to receive it. Conversely, you can have airtight permission rules and still violate the Security Rule by leaving ePHI unencrypted on a stolen laptop. Because the failure modes are different, the two rules require different documentation and different day-to-day disciplines, which is why a real program treats them as two coordinated workstreams rather than one.
The third pillar — and who has to comply
Privacy and Security are usually described alongside a third rule that completes the picture: the Breach Notification Rule (45 CFR Part 164, Subpart D). It governs what happens after a breach of unsecured PHI — requiring notification to affected individuals without unreasonable delay and generally no later than 60 calendar days after discovery, with separate tracks for notifying HHS depending on the number of individuals affected, and media notification for larger breaches. The exact thresholds and timing are detailed, so confirm the current specifics at hhs.gov, and have a written incident-response and breach-notification procedure ready before you need it.
On the question of who must comply, both covered entities and business associates are bound by HIPAA, but the obligations are not identical across the two rules. Covered entities — health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with covered transactions (most providers who bill electronically) — carry the full weight of all three rules. Business associates, the vendors that handle PHI on a covered entity's behalf, are directly liable for the full Security Rule and the Breach Notification Rule.
For the Privacy Rule, a business associate's obligations are narrower and largely flow through its Business Associate Agreement (BAA) plus a defined set of direct duties — chiefly limiting uses and disclosures to what the BAA and the Rule permit, applying minimum necessary, and supporting individual-access requests for records it maintains. A business associate does not issue its own Notice of Privacy Practices and does not carry the Privacy Rule the way a covered entity does. The practical takeaway is unchanged, though: if your organization is either a covered entity or a business associate, you have HIPAA obligations under more than one rule, and a signed BAA is the contract that allocates them.
Where documentation fits — for both rules
Because the Privacy Rule and the Security Rule require different things, a credible HIPAA program needs documentation that covers both: Privacy Rule policies for permitted uses and disclosures, minimum necessary, patient rights and the access process, and the Notice of Privacy Practices; and Security Rule policies for the administrative, physical, and technical safeguards, plus the risk-analysis methodology that 164.308(a)(1) requires. Many small organizations stall precisely here — not because the rules are unknowable, but because drafting two coordinated policy sets from a blank page is slow.
This is where an editable toolkit helps as the documentation layer. The ComplianceDocs HIPAA toolkits — the medical-practices and dental-practices editions at $79 each (current list price; a launch discount may apply at checkout) — include both Privacy Rule and Security Rule policies, written so the two rules are addressed together, along with a Security Risk Assessment workbook and an audit evidence checklist. Starting from a structured, practice-specific set turns weeks of drafting into hours of tailoring, and it makes sure you are not missing a required policy on either the privacy or the security side.
Be clear about the honest division of labor, though. Documentation is the readiness layer, not compliance itself, and there is no "HIPAA certification" to buy. The toolkit gives you the written program HIPAA expects; you still have to operate it — designate your security official, run your own risk analysis against your real systems, implement the safeguards it calls for, train your workforce, sign BAAs with vendors, and follow your breach-notification procedure if something goes wrong. OCR enforces based on whether the program is genuinely in place, especially whether a real risk analysis was done. The documents speed the part that stalls people; the operating part is yours, and because the rules are detailed and change over time, confirm the current requirements at hhs.gov and consult a qualified professional for your situation.
Frequently asked questions
- What is the main difference between the HIPAA Privacy Rule and the Security Rule?
- The difference is scope. The Privacy Rule (45 CFR Part 164, Subpart E) governs all protected health information in any form — spoken, paper, faxed, or electronic — and sets the rules for who may use and disclose it and what rights patients have over it. The Security Rule (Subpart C) governs only electronic PHI (ePHI) and prescribes the administrative, physical, and technical safeguards that protect it. In short, the Privacy Rule is about permission and patient rights, while the Security Rule is about safeguarding the electronic copy. A compliant program has to satisfy both.
- Does electronic PHI fall under both rules?
- Yes. Electronic PHI sits under both the Privacy Rule and the Security Rule at the same time. The Privacy Rule governs who may use or disclose that electronic information and the patient's rights over it, while the Security Rule governs the technical and operational safeguards that protect it from unauthorized access, alteration, or loss. The two are complementary: you can comply with the Security Rule's controls and still violate the Privacy Rule by disclosing PHI improperly, or have airtight disclosure rules and still violate the Security Rule by leaving ePHI unencrypted on a lost device.
- What is the Breach Notification Rule, and is it separate from Privacy and Security?
- The Breach Notification Rule (45 CFR Part 164, Subpart D) is the third HIPAA rule that sits alongside Privacy and Security. It governs what an organization must do after a breach of unsecured PHI — notify affected individuals without unreasonable delay and generally within 60 calendar days of discovery, with separate notification tracks to HHS based on how many individuals are affected, and media notification for larger breaches. It is distinct from the Privacy and Security Rules but closely related, and the exact thresholds and timing are detailed, so confirm the current specifics at hhs.gov and keep a written breach-notification procedure ready before an incident occurs.
- Do business associates have to comply with both rules, just like covered entities?
- Business associates are bound by HIPAA, but their obligations are not identical to a covered entity's. Business associates are directly liable for the full Security Rule and the Breach Notification Rule. For the Privacy Rule, their duties are narrower and flow largely through the Business Associate Agreement plus a defined set of direct obligations — limiting uses and disclosures, applying minimum necessary, and supporting access requests for records they hold. A business associate does not issue its own Notice of Privacy Practices and does not carry the full Privacy Rule the way a covered entity does. A signed BAA is the contract that allocates these responsibilities.
- Will a HIPAA toolkit make my practice compliant with the Privacy and Security Rules?
- No. There is no HIPAA certification to buy, and no toolkit makes an organization compliant on its own. A toolkit gives you the documentation layer — Privacy Rule policies, Security Rule safeguard policies, a risk-assessment workbook, and supporting materials — so you tailor a structured set rather than drafting two coordinated policy sets from scratch. But compliance is the program operating, not the documents existing. You still have to designate a security official, run your own risk analysis under 164.308(a)(1), implement the safeguards, train staff, sign BAAs, and follow your breach procedure. OCR enforces based on whether the program is genuinely in place.
Toolkits that help
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
HIPAA Compliance Toolkit — Dental Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.
