Rules & Requirements —

Understanding HIPAA Rules & Requirements

HIPAA includes rules for privacy, security, breaches, requiring policies, training, and vendor oversight.

Share this article

Contents

No headings found on page

Understanding HIPAA Rules & Requirements

HIPAA isn't one law to comply with — it's four distinct rules, each governing something different, plus the Omnibus Rule that consolidated and updated all four at once in 2013. Treating them as interchangeable is a common source of compliance gaps: an organization can be diligent about one rule's requirements while missing another's entirely, because they don't overlap as much as their shared name suggests.

The Four Rules, and What Each Actually Governs

The Privacy Rule governs when and how PHI can be used and disclosed, in any form — paper, electronic, or verbal — and gives patients seven specific, enforceable rights over their own health information, including access, amendment, and accounting of disclosures, each with its own statutory deadline. How the HIPAA Privacy Rule Protects PHI covers the full rights structure and the permitted-use categories that determine when authorization is and isn't required.

The Security Rule applies specifically to electronic PHI, requiring administrative, physical, and technical safeguards built around an ongoing risk analysis. This is the rule behind OCR's current top enforcement priority — the 2024 Risk Analysis Initiative — since inadequate risk analysis is the single most frequently cited finding across recent settlements. Conducting a HIPAA Risk Assessment covers the methodology in depth.

The Breach Notification Rule requires notification to affected individuals, HHS, and in larger cases the media, within specific timeframes after discovering a breach. Since 2013, every impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach — the burden is on the organization to prove otherwise through a documented four-factor risk assessment, not on OCR to prove notification was required. Complying with the HIPAA Breach Notification Rule covers the four-factor test and the narrow exceptions that apply before it.

The Enforcement Rule (45 CFR Part 160, Subparts C-E) defines how OCR investigates complaints, conducts compliance reviews, and imposes civil penalties across four culpability tiers. This rule defines consequences, not a separate compliance obligation in itself — but understanding its tiered structure matters directly, since how quickly an organization corrects a violation after discovery genuinely changes which penalty tier applies. Who Enforces HIPAA and How to Stay Compliant covers the current penalty figures and OCR's enforcement priorities.

The Omnibus Rule's Role

The Omnibus Rule isn't a fifth rule alongside these four — it's the 2013 consolidation that finalized HITECH Act provisions and GINA requirements into the existing four-rule structure at once. Its most consequential change was extending direct liability to business associates and their subcontractors, who previously were only the covered entity's contractual responsibility, and replacing the old "harm threshold" for breach notification with the presumption-of-breach standard the Breach Notification Rule now operates under. Exploring the HIPAA Omnibus Rule covers what changed and why those changes still shape how compliance programs are built today.

A Closely Related Standard Worth Naming Separately

The Minimum Necessary standard sits inside the Privacy Rule rather than standing as its own numbered rule, but it's significant enough — and misunderstood often enough — to warrant its own dedicated treatment. It requires limiting PHI use and disclosure to what's actually needed for a given purpose, but it has specific statutory exceptions (most notably, disclosures between providers for treatment purposes) that are easy to apply incorrectly in either direction. Understanding the HIPAA Minimum Necessary Rule covers exactly where it applies and where it doesn't.

Why the Rules Don't Operate Independently

In practice, these rules interact constantly. A Security Rule risk analysis failure often surfaces during a Breach Notification Rule investigation. A Privacy Rule access-request failure gets evaluated under the Enforcement Rule's penalty tiers. A business associate's Security Rule violation, since the Omnibus Rule, creates direct liability that didn't exist before 2013. Building separate, disconnected compliance efforts for each rule — a security checklist here, a privacy policy there — tends to miss exactly these interaction points, which is where OCR's more serious enforcement actions tend to originate.

Building This Alongside Other Frameworks

The overall structure — defined rules governing different aspects of data protection, enforced through risk-tiered penalties, with ongoing risk assessment as the connective tissue — mirrors how ISO 27001 and SOC 2 are built, even though the specific named rules and statutory mechanics here are unique to HIPAA. Organizations managing more than one framework typically find the underlying risk assessment and access governance work transfers substantially, while the rule-specific mechanics — deadlines, exceptions, named rights — still need to be handled on their own terms.

In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.

HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.

Read more about HIPAA compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.