What Is the HIPAA Privacy Rule and Who Must Follow It?

The HIPAA Privacy Rule is a federal regulation under the Health Insurance Portability and Accountability Act of 1996 that sets national standards for how Protected Health Information — any data that identifies a patient and relates to their health condition, treatment, or payment — can be used, disclosed, or shared. It applies to covered entities (such as hospitals, health insurers, and pharmacies) as well as their business associates and subcontractors who contractually handle patient data. For anyone working in U.S. healthcare, this is not background knowledge. It shapes decisions made across every department, every day. 

Mar 27, 2026 17 mins read

What Is the HIPAA Privacy Rule? 

The HIPAA Privacy Rule is a federal regulation established under the Health Insurance Portability and Accountability Act of 1996. Its core purpose is to set a national standard for how Protected Health Information (PHI) — any data that can identify a patient and relates to their health — can be used, disclosed, or shared across the U.S. healthcare system.

In simple terms, the HIPAA Privacy Rule gives patients control over their own health data and places strict legal obligations on every organization that handles it. In 2026, with healthcare data breaches at record levels and HHS Office for Civil Rights enforcement activity intensifying, this regulation is foundational knowledge for every U.S. healthcare professional.

What Does the HIPAA Privacy Rule Actually Protect?

The rule covers all forms of Protected Health Information, known as PHI — whether stored on paper, spoken aloud in a clinical setting, or held digitally as electronic PHI. If information can identify a patient and relates to their care or payment for care, the HIPAA Privacy Rule controls how it moves and who can access it.

The Safe Harbor de-identification standard enumerates 18 categories of identifiers that must be removed before health data stops being PHI. These include names, Social Security numbers, all elements of dates other than year (dates of birth, admission, and discharge, plus any age over 89), medical record numbers, IP addresses, biometric identifiers, telephone numbers, email addresses, and geographic subdivisions smaller than a state, including most ZIP codes.

Removing all 18 identifiers satisfies the widely used "Safe Harbor" method, provided the organization has no actual knowledge that the remaining information could still identify the individual. HIPAA also permits the "Expert Determination" method, under which a person with appropriate statistical and scientific expertise applies accepted methods and documents that the risk of re-identification is very small.
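The Safe Harbor method is mechanical enough to automate for structured records, and free-text fields such as clinical notes are where identifiers most often survive. The following Python is an added example, not code from the original page: it applies the Safe Harbor rules to a constructed patient record. The field names, the sample record, the regex set and the helper names are assumptions for illustration. The restricted ZIP prefixes are the 17 listed in HHS guidance derived from 2000 Census data and must be verified against current population figures before any real use.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example for this page, not the page's own code. Field names, the sample
record, the regex set and all helper names are illustrative assumptions.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# (HHS Safe Harbor guidance, based on 2000 Census data). Assumption: this
# list must be refreshed against current population data before real use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers and sub-state geography (Safe Harbor items 1, 2, 4-18)
# that are removed outright. Field names are assumptions.
DROP_FIELDS = {"name", "street", "city", "county", "phone", "fax", "email",
               "ssn", "mrn", "member_id", "account_no", "license_no",
               "vehicle_id", "device_id", "url", "ip", "biometric_id", "photo"}

# Identifier shapes that commonly leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Item 2: keep the first three digits only, zeroed when that three-digit
    area has 20,000 or fewer residents."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob: date, as_of: date) -> str:
    """Item 3: an exact age is permitted up to 89; anything older becomes '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a type tag."""
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag}]", text)
    return text


def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Return a new record holding only what Safe Harbor allows to remain."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue                               # removed entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":                       # a birth year would reveal age > 89
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[f"{field}_year"] = value.year      # item 3: year only
        elif field == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[field] = value                     # state, diagnosis codes, lab values
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "dob": date(1930, 5, 14),
    "street": "12 Elm St",
    "city": "Charlestown",
    "zip": "03603",
    "state": "NH",
    "admitted": date(2025, 11, 2),
    "diagnosis": "I10",
    "notes": "Pt called from 603-555-0142, email jane@example.org. Seen 11/02/2025.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE, as_of=date(2026, 3, 27)))
```

Safe Harbor carries a second condition the code cannot evaluate: the organization must have no actual knowledge that what remains could identify the patient. A rare diagnosis code combined with a small-population state can still do that, which is why Expert Determination exists. A regex scrubber also misses identifiers written in non-standard forms, so its output should be sampled and reviewed rather than trusted outright.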

Beyond data protection, the Privacy Rule gives patients legally enforceable rights: the right to access and obtain a copy of their own records, the right to request amendments, the right to an accounting of certain disclosures, and the right to receive a written Notice of Privacy Practices. These are not optional courtesies; they are legally required.

The scale of what is at stake has never been more concrete. In 2023, the HHS Office for Civil Rights received reports of 725 large healthcare data breaches — the highest annual total recorded at that point. 

Who Does the HIPAA Privacy Rule Apply To?

Three categories of organizations carry direct obligations under the HIPAA Privacy Rule.

Covered entities are healthcare providers that transmit health information electronically in connection with HIPAA standard transactions (hospitals, physicians, clinics, and pharmacies in practice), as well as health plans, insurance companies, HMOs, and healthcare clearinghouses that process billing and claims data. If your organization provides, pays for, or processes healthcare in the United States, this category almost certainly applies.

Business associates are third parties that access or handle PHI on behalf of a covered entity. This includes cloud storage vendors, IT security firms, legal consultants, billing services, and EHR platform providers. Business associates must sign a Business Associate Agreement and are directly liable under HIPAA — not simply the covered entity that hired them.

Subcontractors of business associates carry the same obligations if they access PHI in any form.

One significant 2024 development: following the Change Healthcare breach, the HHS Office for Civil Rights issued updated guidance emphasizing that Business Associate Agreements must reflect current security obligations. Assuming an existing BAA provides sufficient protection — without reviewing it against updated requirements — is no longer an acceptable compliance position.

What Is the Difference Between the HIPAA Privacy Rule and the Security Rule?

These two regulations are related but govern different things. Treating them as interchangeable is one of the most common knowledge gaps among healthcare professionals, and it creates real compliance exposure.

Aspect           | Privacy Rule                              | Security Rule
-----------------|-------------------------------------------|---------------------------------------------------
Scope            | All PHI: paper, verbal, and digital       | Electronic PHI (ePHI) only
Focus            | Patient rights and permissible data uses  | Technical, physical, and administrative safeguards
Key Requirement  | Minimum necessary standard                | Risk analysis and access controls
Enforced By      | HHS Office for Civil Rights               | HHS Office for Civil Rights

The HIPAA Security Rule has undergone its most significant update since 2005. The modernized requirements — driven directly by the surge in healthcare cyberattacks — introduce enforceable expectations around multi-factor authentication, written technology asset inventories, vulnerability scanning on defined schedules, network segmentation, and annual compliance reviews. For any organization operating on pre-2024 Security Rule assumptions, this is not an optional update to note. It is an active compliance gap.

What Are the HIPAA Breach Notification Rule Requirements?

Introduced under the HITECH Act of 2009, the Breach Notification Rule sets out a specific response protocol when PHI is exposed. Compliance officers and healthcare administrators need to know this sequence before a breach occurs — not while one is unfolding.

Notify affected individuals in writing without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The notification must describe what happened, what PHI was involved, the steps affected individuals should take to protect themselves, and what the organization is doing in response.

Report to the HHS Secretary. Every breach must be reported, but the timing depends on size. Breaches affecting 500 or more individuals are reported to HHS at the same time individuals are notified, and are posted publicly on the HHS breach portal, widely known in the industry as the Wall of Shame, where they remain searchable indefinitely. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Notify local media for any breach affecting 500 or more residents within a single state or jurisdiction.

Document all breach incidents for a minimum of six years. This obligation includes incidents that did not meet the threshold for formal notification.

Not every PHI exposure is automatically a reportable breach. Regulated organizations must conduct a specific four-factor risk assessment to determine the probability that the PHI has been compromised. This assessment evaluates the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

Unless this assessment demonstrates a low probability that the PHI has been compromised, breach notification is legally mandated. Organizations that skip this structured risk assessment, even when they believe the incident was minor, are creating a documentation gap that OCR will flag in any subsequent investigation.

What Are the Most Common HIPAA Violations — and What Do They Look Like at Work?

The HHS Office for Civil Rights publishes enforcement data annually. The same failure patterns appear in audit after audit. Recognizing them in your own organization is the most practical compliance skill you can develop.

Impermissible disclosures. Sharing PHI with someone who has no authorized need to receive it. This includes sending a patient's records to the wrong provider, discussing a case in an area where non-treatment staff can overhear, or providing information to a family member without documented patient authorization. This is the single most frequently cited violation in OCR complaint investigations.

Missing or inadequate risk analysis. Organizations that have not formally assessed where PHI flows, who can access it, and where technical vulnerabilities exist. OCR enforcement actions throughout 2023 and 2024 repeatedly cited the absence of a completed risk analysis as the central violation — not the breach itself. The breach was the consequence. The missing documentation was the violation.

Outdated or absent Business Associate Agreements. Using a vendor that handles PHI without a current, signed BAA. Following the Change Healthcare breach, OCR signaled clearly that BAA adequacy will be scrutinized in any investigation involving a third party.

Excessive access rights. Granting staff access to more PHI than their role requires. This most commonly appears in EHR systems where access levels were configured during initial implementation and never reviewed as staffing changed.

Delayed breach notification. Identifying a potential breach but exceeding the 60-day notification window. OCR treats late notification as a separate violation from the breach event itself — meaning an organization can face penalties twice over the same incident.

If any of these patterns exist in your organization, they represent live compliance exposure. Not theoretical risk.

Understanding the HIPAA Privacy Rule in a training module and applying it correctly under real operational pressure are two different competencies. Our Executive Certificate in HIPAA Privacy, Security and Breach Response (U.S.) gives healthcare professionals and compliance officers a structured framework for both — built around the situations that actually arise in U.S. healthcare settings.

What Did the HIPAA Security Rule Modernization Change for U.S. Healthcare Organizations?

Driven by a surge in cyberattacks, the updated Security Rule introduces several newly enforceable technical obligations: 

Written technology asset inventories are now required. Covered entities must maintain a current, documented record of every system that creates, receives, maintains, or transmits ePHI. For large health systems with hundreds of integrated platforms, this is a significant operational undertaking.

Multi-factor authentication is required for access to systems containing ePHI. The limited exceptions are narrow. Organizations that have not yet implemented MFA across their clinical and administrative systems are out of alignment with current federal requirements.

Vulnerability scanning and penetration testing must be conducted on a defined, documented schedule — not reactively, and not at the discretion of individual IT teams. The schedule itself must be documented and reviewed.

Network segmentation is required to contain the spread of a breach from one system to others. The Change Healthcare incident demonstrated precisely what happens when segmentation is absent — a single point of compromise reached systems across an entire national network.

Annual compliance reviews are now formally required rather than recommended best practice. A compliance program built before these updates took effect needs to be reviewed. Staff awareness training alone does not satisfy these obligations. Technical controls, documentation, and testing schedules all need to be current.

If you are responsible for HIPAA compliance in your organization — or building toward a compliance role in U.S. healthcare — the regulatory landscape has shifted. Our Executive Certificate in HIPAA Privacy, Security and Breach Response (U.S.) covers the full framework: the Privacy Rule, the updated Security Rule, and breach notification protocols, in a format built for working professionals. 


Frequently Asked Questions

01 Which Best Describes the HIPAA Rule?

HIPAA is a federal law whose implementing regulations, the HIPAA Rules, establish national standards for protecting patient health information across the U.S. healthcare system. The rules discussed here are three core components: the Privacy Rule, which governs how Protected Health Information can be used and disclosed; the Security Rule, which requires technical, physical, and administrative safeguards for electronic PHI; and the Breach Notification Rule, which defines what organizations must do when PHI is exposed. Together, these components set the compliance obligations of every covered entity and business associate operating in U.S. healthcare.

02 What Is the Most Common HIPAA Privacy Violation?

The most frequently identified HIPAA privacy violation is impermissible disclosure — sharing Protected Health Information with someone who has no authorized reason to receive it. This includes sending records to the wrong recipient, discussing patient details in a non-private setting, or sharing information with a family member without documented patient authorization. HHS Office for Civil Rights enforcement data consistently shows impermissible disclosures account for the highest volume of investigated complaints each year, and most traced incidents involve staff error rather than deliberate misconduct.

03 What Are Examples of HIPAA Violations?

Common HIPAA violations include accessing a patient's record without a treatment relationship, emailing PHI to an incorrect address, leaving paper records visible in a public-facing area, operating without a signed Business Associate Agreement with a vendor handling PHI, storing patient data on an unencrypted personal device, and posting identifiable patient information on social media. At the organizational level, violations include failing to complete a required risk analysis, missing the 60-day breach notification deadline, and not conducting role-specific staff training on current HIPAA policies and procedures.

04 What Are the Three Main Components of the HIPAA Security Rule?

The HIPAA Security Rule is built around three categories of safeguards that must all be implemented simultaneously. Administrative safeguards cover policies, procedures, workforce training, risk analysis, and access management. Physical safeguards govern the security of facilities and devices — including workstation controls, device disposal procedures, and building access protocols. Technical safeguards address how ePHI is protected within electronic systems — including access controls, audit logs, transmission encryption, and, under recent modernization requirements, multi-factor authentication and network segmentation. No single category is sufficient without the other two.

05 What Are the 7 Types of Security in Healthcare?

Healthcare information security is commonly organized across seven domains: physical security (controlling access to facilities and hardware), network security (protecting data as it moves between systems), endpoint security (securing workstations, laptops, and mobile devices), application security (protecting EHR and clinical platforms from exploitation), data security (encryption and access controls for stored PHI), identity and access management (verifying and controlling who reaches which systems), and operational security (policies, workforce training, and incident response procedures). The HIPAA Security Rule's administrative, physical, and technical safeguard structure maps across all seven domains, making it the foundational compliance framework for U.S. healthcare cybersecurity.
