HIPAA Privacy Rule vs Security Rule: Complete 2026 Comparison
HIPAA has three main rules, but the Privacy Rule and Security Rule are the most operationally significant. They overlap but cover different aspects of PHI protection. Both apply to covered entities and their business associates.
Key Differences
- The Privacy Rule governs WHO can access PHI and WHAT can be done with it.
- The Security Rule governs HOW ePHI is protected.
- Every covered entity and business associate must comply with both.
- The Security Rule's risk analysis requirement is one of the most commonly cited violations in OCR audits.
Who Must Comply with Both
- All covered entities: health plans, healthcare clearinghouses, most healthcare providers
- Business associates: EHR vendors, billing companies, cloud storage providers, transcription services
Common Questions
Do both rules apply to business associates?
Yes. Business associates must comply with the Security Rule directly and with applicable portions of the Privacy Rule. The Omnibus Rule (2013) made this explicit.
Which rule covers paper records?
The Privacy Rule covers all forms of PHI, including paper. The Security Rule applies only to ePHI (PHI in electronic form).
What's the most commonly violated rule?
Both rules are commonly violated, but Security Rule violations (especially missing risk analysis and missing access controls) dominate OCR enforcement actions by volume.