HIPAA Security Rule vs Privacy Rule: A Plain-English Map
5 min read · Last reviewed May 22, 2026
The two rules sit in different subparts of the same Part
Both rules live inside 45 CFR Part 164:
- Subpart C — Security Rule at 164.302 through 164.318. Governs electronic protected health information (ePHI). Sets administrative, physical, and technical safeguards plus policies, procedures, and documentation.
- Subpart E — Privacy Rule at 164.500 through 164.534. Governs all PHI in any form — paper, electronic, oral. Sets the rules for use, disclosure, patient rights, notice, and administrative requirements.
Subpart D is the Breach Notification Rule. Subpart A defines terms. Subpart B is preemption.
Different scopes of PHI
- The Privacy Rule applies to PHI in any medium.
- The Security Rule applies only to ePHI — PHI created, received, maintained, or transmitted in electronic form.
A paper chart misplaced on a counter is a Privacy Rule issue. A USB drive of patient records lost in the parking lot is both: a Privacy Rule disclosure and a Security Rule failure of the device and media controls at 164.310(d)).
What the Privacy Rule actually controls
Use and disclosure rules at 164.502 and following. The headline provisions:
- Treatment, payment, and operations uses without authorization
- Public-interest exceptions (public health, abuse reporting, law enforcement, judicial proceedings, etc.)
- Authorization-required disclosures (most marketing, sale of PHI, most psychotherapy notes)
- Minimum-necessary standard
- Notice of Privacy Practices at 164.520
- Patient rights: access (164.524), amendment (164.526), accounting of disclosures (164.528), request for restrictions (164.522), confidential communications
- Administrative requirements at 164.530: Privacy Official, training, complaint process, sanctions, mitigation, documentation
What the Security Rule actually controls
Safeguard standards at three layers:
- Administrative safeguards at 164.308: security management process (risk analysis, risk management, sanction policy, information system activity review), Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, Business Associate Contracts.
- Physical safeguards at 164.310: facility access controls, workstation use and security, device and media controls.
- Technical safeguards at 164.312: access control, audit controls, integrity, person or entity authentication, transmission security.
Plus organizational requirements at 164.314 (BACs and group health plan documents) and policies, procedures, and documentation at 164.316.
Which rule does the SRA satisfy
The Security Risk Analysis at 164.308(a)(1)(ii)(A)(1)(ii)(A)) is a Security Rule requirement. It governs ePHI specifically.
The Privacy Rule does not require a parallel "Privacy Risk Analysis." It does require:
- Designation of a Privacy Official (164.530(a)))
- A complaint process (164.530(d)))
- Training of workforce (164.530(b)))
- Sanctions (164.530(e)))
- Mitigation (164.530(f)))
- Reasonable safeguards on PHI (164.530(c)))
- Notice of Privacy Practices and policies and procedures
A well-built compliance binder addresses both. The SRA proper is the Security Rule artifact; the broader binder also captures the Privacy Rule administrative pieces.
Where they overlap operationally
- Training. Privacy Rule training and Security Rule training are separate requirements, typically delivered together.
- Sanctions. Both rules require a sanction policy.
- Workforce changes. Privacy Rule training on policy updates and Security Rule access termination procedures both trigger on the same employee event.
- Breach response. The Breach Notification Rule cross-references both rules' violations.
- Documentation retention. Both require six-year retention of policies, procedures, and the records of compliance work — 164.316(b)) and 164.530(j)).
Two officials, not one
The Security Rule requires an Assigned Security Responsibility at 164.308(a)(2)(2)). The Privacy Rule requires a Privacy Official at 164.530(a)). In a small practice the same person can hold both, but the appointments are separate and both should be in writing.
What about the proposed Security Rule update
HHS published a notice of proposed rulemaking to update the Security Rule, available through the OCR HIPAA Rulemaking page. The proposed rule would tighten several specifications (including making certain currently-addressable controls required and adding new technology-specific obligations). As of the last review date on this article it is in proposed status, not final. The current Security Rule still controls.
Restraint about claims
The two rules are technical regulations administered by HHS Office for Civil Rights. No tool or trainer "completes" either rule. The practice's program is a continuing obligation.
How D3rx fits
D3rx SRA Binder Studio is structured around the Security Rule specification tree but also collects the Privacy Rule administrative pieces (Privacy Official designation, complaint procedure log, sanction policy, training records). It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR Part 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- 164.302 through 164.318https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 164.500 through 164.534https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E
- 164.310(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310#p-164.310(d
- 164.502https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
- 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
- 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 164.526https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.526
- 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
- 164.522https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.522
- 164.530https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
- 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- 164.314https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.314
- 164.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
- 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 164.530(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(a
- 164.530(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(d
- 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(b
- 164.530(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(e
- 164.530(f)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(f
- 164.530(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(c
- 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
- 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
- OCR HIPAA Rulemaking pagehttps://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readTechnical SafeguardsHIPAA Encryption Requirements for ePHI
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readWorkforce and TrainingHIPAA Training Requirements for a Small Practice
5 min readRelated across the archive
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Encryption Requirements for ePHIWhat the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- ComplianceBusiness Associate Agreement Template (2026) + Counterparty TrackerA 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.
- GlossaryHIPAA Privacy RuleThe federal regulation at 45 CFR Part 164 Subpart E that governs the use and disclosure of PHI.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.