Foundations

HIPAA Security Rule vs Privacy Rule: A Plain-English Map

5 min read · Last reviewed May 22, 2026

The two rules sit in different subparts of the same Part

Both rules live inside 45 CFR Part 164:

Subpart D is the Breach Notification Rule. Subpart A defines terms. Subpart B is preemption.

Different scopes of PHI

  • The Privacy Rule applies to PHI in any medium.
  • The Security Rule applies only to ePHI — PHI created, received, maintained, or transmitted in electronic form.

A paper chart misplaced on a counter is a Privacy Rule issue. A USB drive of patient records lost in the parking lot is both: a Privacy Rule disclosure and a Security Rule failure of the device and media controls at 164.310(d)).

What the Privacy Rule actually controls

Use and disclosure rules at 164.502 and following. The headline provisions:

What the Security Rule actually controls

Safeguard standards at three layers:

Plus organizational requirements at 164.314 (BACs and group health plan documents) and policies, procedures, and documentation at 164.316.

Which rule does the SRA satisfy

The Security Risk Analysis at 164.308(a)(1)(ii)(A)(1)(ii)(A)) is a Security Rule requirement. It governs ePHI specifically.

The Privacy Rule does not require a parallel "Privacy Risk Analysis." It does require:

A well-built compliance binder addresses both. The SRA proper is the Security Rule artifact; the broader binder also captures the Privacy Rule administrative pieces.

Where they overlap operationally

  • Training. Privacy Rule training and Security Rule training are separate requirements, typically delivered together.
  • Sanctions. Both rules require a sanction policy.
  • Workforce changes. Privacy Rule training on policy updates and Security Rule access termination procedures both trigger on the same employee event.
  • Breach response. The Breach Notification Rule cross-references both rules' violations.
  • Documentation retention. Both require six-year retention of policies, procedures, and the records of compliance work — 164.316(b)) and 164.530(j)).

Two officials, not one

The Security Rule requires an Assigned Security Responsibility at 164.308(a)(2)(2)). The Privacy Rule requires a Privacy Official at 164.530(a)). In a small practice the same person can hold both, but the appointments are separate and both should be in writing.

What about the proposed Security Rule update

HHS published a notice of proposed rulemaking to update the Security Rule, available through the OCR HIPAA Rulemaking page. The proposed rule would tighten several specifications (including making certain currently-addressable controls required and adding new technology-specific obligations). As of the last review date on this article it is in proposed status, not final. The current Security Rule still controls.

Restraint about claims

The two rules are technical regulations administered by HHS Office for Civil Rights. No tool or trainer "completes" either rule. The practice's program is a continuing obligation.

How D3rx fits

D3rx SRA Binder Studio is structured around the Security Rule specification tree but also collects the Privacy Rule administrative pieces (Privacy Official designation, complaint procedure log, sanction policy, training records). It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR Part 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
  2. 164.302 through 164.318https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
  3. 164.500 through 164.534https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E
  4. 164.310(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310#p-164.310(d
  5. 164.502https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
  6. 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
  7. 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  8. 164.526https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.526
  9. 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
  10. 164.522https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.522
  11. 164.530https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
  12. 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
  13. 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
  14. 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
  15. 164.314https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.314
  16. 164.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
  17. 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  18. 164.530(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(a
  19. 164.530(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(d
  20. 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(b
  21. 164.530(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(e
  22. 164.530(f)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(f
  23. 164.530(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(c
  24. 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
  25. 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
  26. OCR HIPAA Rulemaking pagehttps://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides