The HIPAA Privacy Rule, Simplified


Mention “HIPAA” at a dinner party and watch the room thin out. It sounds like the kind of regulation that needs a law degree, a pot of coffee and a strong sense of duty. The good news: the HIPAA Privacy Rule is one of the more readable pieces of healthcare law out there. It tells you what counts as Protected Health Information (PHI), who’s allowed to touch it and what patients can do about it. That’s mostly it.

Here’s the catch — the rule has been quietly accumulating amendments, court rulings and adjacent rules for more than two decades, and most people still talk about it like it’s frozen in 2003. So let’s catch up.

TL;DR: HIPAA’s Privacy Rule hasn’t stood still since 2003. Recent ransomware attacks, new reproductive health privacy rules, proposed Security Rule updates and increased OCR enforcement are reshaping how healthcare organizations manage PHI, cybersecurity and compliance risk. 

  • HIPAA has evolved from a portability law into a broader privacy, security and enforcement framework that now places greater responsibility on both Covered Entities and Business Associates.
  • Recent regulatory changes and major healthcare breaches are driving increased focus on third-party risk, stronger cybersecurity controls and ongoing risk analysis.
  • Organizations can no longer rely on static compliance programs and outdated policies to meet modern HIPAA privacy and security expectations.

Quick History, No Nap Required

HIPAA didn’t start out as a privacy law. When the Health Insurance Portability and Accountability Act (HIPAA) was signed into law as Public Law 104-191 on August 21, 1996, the “P” people cared about was portability — making sure you didn’t lose your health insurance every time you switched jobs. Privacy was a footnote. Security wasn’t really in the conversation at all.

Then:

  • December 2000 — The U.S. Department of Health and Human Services (HHS) finalized and published the original Privacy Rule. It existed. Nobody had to follow it yet.
  • August 2002 — HHS tweaked it. Still optional.
  • April 14, 2003 — Compliance became mandatory for Covered Entities (CEs); small health plans got an extra year, until April 14, 2004. This is the date that actually matters; before it, securing healthcare data was more of a suggestion than a job requirement.
  • 2003 (also) — HHS published the Final Security Rule in February 2003, though CEs had until April 2005 to comply with it. (The Omnibus Rule is a separate, later update; see 2013 below.) For the full backstory, see GuidePoint’s Evolution of HIPAA Part 1 and Part 2.
  • 2006 — HHS published the Enforcement Rule, which clarified how violations would be punished. “Clarified” is doing a lot of work in that sentence; the rules left enormous room for interpretation and they’re still applied that way today.
  • 2009 — The HITECH Act — Privacy and Security got married. The combined regime now applied not just to CEs but to Business Associates too: anyone storing, processing or transmitting PHI on a CE’s behalf. Cloud vendors, billing companies, IT contractors — congratulations, you’re in scope.
  • 2013 — The Final Omnibus Rule — The last sweeping update for a long time. It put HITECH into the regulations: Business Associates became directly liable for Security Rule compliance, breach notification moved from a “risk of harm” test to a presumption of breach unless a four-factor risk assessment shows a low probability that PHI was compromised, and the rules on marketing and the sale of PHI tightened. Beyond that, Privacy stayed mostly the same.

For nearly a decade after that, the Privacy Rule was the quiet one in the family. But that’s recently changed.

What’s Happened Since 2021

If your mental model of HIPAA stops around 2013, you’re missing the most eventful stretch the rule has had in years.

The Change Healthcare ransomware attack (February 2024). A single ransomware incident at Change Healthcare — a UnitedHealth Group subsidiary that processes a stunning share of U.S. medical claims — exposed PHI on roughly 192.7 million people. That’s not a typo. It’s the largest healthcare data breach in U.S. history, and it gummed up billing and prescriptions across the country for weeks. The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) opened a formal investigation into both Change Healthcare and UnitedHealth, and the fallout is still shaping how regulators think about Business Associate accountability.

The Reproductive Health Privacy Rule rollercoaster (2024–2025). 

In April 2024, HHS finalized a Privacy Rule amendment specifically protecting reproductive healthcare information after Dobbs. It required CEs to get a signed attestation before disclosing reproductive-health PHI for certain purposes and it had a December 23, 2024 compliance deadline. Then on June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of it nationally. A few Notice of Privacy Practices tweaks survived; the rest is gone. If you spent late 2024 updating your attestation workflows, you weren’t wrong to — just keep your policies version-controlled.

The Security Rule NPRM (December 2024). 

OCR proposed the biggest overhaul of the Security Rule since 2013. The headline: the long-standing distinction between “required” and “addressable” controls would mostly disappear. (Under the current rule, “addressable” never meant optional: you either implement the control or document why it isn’t reasonable and appropriate for you and what you did instead. The NPRM largely removes that second option.) Encryption at rest and in transit, MFA, anti-malware, network segmentation, vulnerability scanning every six months, annual pen tests, formal patch management — all explicitly required, with narrow exceptions. The comment period closed March 7, 2025. A final rule is tentatively expected around May 2026, though a January 2025 regulatory freeze cast doubt on the timing. Even if the final version softens, the direction of travel is clear: the days of “we considered MFA and decided it wasn’t reasonable for us” are ending.

Enforcement got teeth. 

OCR concluded 22 enforcement actions in 2024, with settlements and civil monetary penalties ranging from $25,000 to $3 million (Solara Medical Supplies, for an inadequate risk analysis followed by a phishing breach). The most-cited violation, by a wide margin, was failure to conduct a proper risk analysis; it showed up in 13 of those matters. If your last risk assessment lives in a PDF from 2019, OCR has a message for you.

So What Does the Privacy Rule Actually Say?

Strip away the drama and the HIPAA Privacy Rule is mostly about three things:

  1. Telling patients how their PHI gets used: This is the Notice of Privacy Practices — the document everyone acknowledges receiving at the front desk and nobody reads.
  2. Limiting how PHI can be used and disclosed: The rule defines the permitted purposes (treatment, payment, healthcare operations, a handful of public-interest exceptions) and requires authorization for almost everything else.
  3. Giving patients control over their own data: Right of access, right to amend, right to an accounting of disclosures. OCR has been particularly aggressive on right-of-access complaints — these are the easiest violations to prove and the easiest to settle.

The Privacy Rule is unusually specific by federal-regulation standards. Unlike the Security Rule — which is famously vague and asks you to make “reasonable and appropriate” decisions about controls — the Privacy Rule mostly tells you exactly what to do. Build your policies and procedures around the text of the rule, follow them and you’re in good shape.

The Bottom Line

HIPAA is no longer the static, 2003-era regulation many compliance programs treat it as. Privacy is being actively litigated. The Security Rule is on the verge of its biggest update in 13 years. And OCR is writing larger checks than it used to, mostly to organizations that skipped the boring fundamentals — risk analysis, access reviews, encryption.

The Privacy Rule itself is still the friendly half of HIPAA. Read it, write your policies to match, train your people and document what you do. That’s the playbook and it still works. Just make sure the playbook you’re running is current.

CYBERSECURITY EXECUTIVE AND VIRTUAL CISO,
GUIDEPOINT SECURITY
Ryan is a cybersecurity executive and virtual CISO with over 25 years of experience leading security, technology, risk and compliance programs. He specializes in ISO 27001, SOC 2, HIPAA, CMMC and NIST frameworks, helping organizations build practical security programs that reduce risk while supporting business objectives. Ryan has served as CIO, CISO and security leader for healthcare, banking, software and technology organizations and is recognized for his ability to translate complex cybersecurity challenges into actionable business solutions.
