HIPAA Privacy Rule vs Security Rule
The Privacy Rule governs uses and disclosures of all PHI in any form. The Security Rule governs the safeguards required specifically for electronic PHI (ePHI).
Last reviewed May 24, 2026
Side by side
HIPAA Privacy Rule
Standards for Privacy of Individually Identifiable Health Information — governs the permitted uses and disclosures of PHI in any form (paper, oral, electronic) and patient rights of access, amendment, and accounting.
45 CFR Part 164 Subpart E- Covers PHI in any medium.
- Patient rights: access, amendment, accounting of disclosures, restriction, confidential communications.
- Minimum necessary standard applies to most disclosures.
HIPAA Security Rule
Security Standards for the Protection of Electronic Protected Health Information — administrative, physical, and technical safeguards specifically for ePHI.
45 CFR Part 164 Subpart C- Covers ePHI only.
- Three safeguard categories: administrative, physical, technical.
- Risk Analysis is the first standard under administrative safeguards.
When to use HIPAA Privacy Rule
- A patient requests a copy of their record — Privacy Rule (Right of Access).
- Marketing or fundraising uses of PHI — Privacy Rule authorization rules.
- A subpoena requests records — Privacy Rule § 164.512(e) applies.
When to use HIPAA Security Rule
- Setting up encryption on the EHR — Security Rule technical safeguards.
- Conducting the annual Security Risk Analysis — Security Rule administrative safeguards.
- Establishing workstation access controls — Security Rule physical safeguards.
Common mistakes
- Assuming the Security Rule covers paper records (it does not — Privacy Rule does).
- Treating the Security Risk Analysis as a Privacy Rule requirement (it is Security Rule, 45 CFR 164.308(a)(1)(ii)(A)).
- Designating one person as Privacy/Security Officer without documentation — both roles are required.
Sources
- 45 CFR Part 164 Subpart E (Privacy)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E
- 45 CFR Part 164 Subpart C (Security)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- HHS OCR — HIPAA Rules Summaryhttps://www.hhs.gov/hipaa/for-professionals/index.html
Related
Track both rules in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.