HIPAA Privacy Rule vs Security Rule: Complete 2026 Comparison
Last updated: 2026-04-05 — ComplianceStack Editorial Team
HIPAA has three main rules, but the Privacy Rule and Security Rule are the most operationally significant. They overlap but cover different aspects of PHI protection. Both apply to covered entities and their business associates.
HIPAA Privacy Rule vs HIPAA Security Rule: Side-by-Side
| Dimension | HIPAA Privacy Rule | HIPAA Security Rule |
|---|---|---|
| What it covers | All forms of PHI (paper, electronic, verbal) | Electronic PHI (ePHI) only |
| Core requirement | Limit use/disclosure of PHI to minimum necessary | Administrative, physical, and technical safeguards for ePHI |
| Patient rights | Access, amendment, accounting of disclosures, restrictions | Does not create individual rights — operational focus |
| Notice requirement | Notice of Privacy Practices required | No notice requirement |
| Safeguard types | Policies, procedures, training, workforce sanctions | Admin (risk analysis), physical (facility access), technical (encryption, access controls) |
| Risk assessment | Not explicitly required (but good practice) | Required — risk analysis is a Security Rule pillar |
| BAA requirements | Required with business associates | BAA must also address security responsibilities |
| Minimum necessary | Core principle — only use/share what's needed | Applies to ePHI access controls |
| Effective date | April 2003 | April 2005 |
| Upcoming changes | HIPAA Privacy Rule updates (2026) | HIPAA Security Rule NPRM — major update proposed |
Who Needs Both?
- All covered entities: health plans, healthcare clearinghouses, most healthcare providers
- Business associates: EHR vendors, billing companies, cloud storage providers, transcription services
Key Differences Summarized
The Privacy Rule governs WHO can access PHI and WHAT can be done with it. The Security Rule governs HOW ePHI is protected. Every covered entity and business associate must comply with both. The Security Rule's risk analysis requirement is one of the most commonly cited violations in OCR audits.
Frequently Asked Questions
Do both rules apply to business associates?
Yes. Business associates must comply with the Security Rule directly and with applicable portions of the Privacy Rule. The Omnibus Rule (2013) made this explicit.
Which rule covers paper records?
The Privacy Rule covers all forms of PHI including paper. The Security Rule only applies to ePHI (electronic records).
What's the most commonly violated rule?
Both rules are commonly violated, but Security Rule violations (especially missing risk analysis and missing access controls) dominate OCR enforcement actions by volume.