The HIPAA Security Rule does not apply to paper records. That surprises people, and it is worth stating plainly because the confusion causes real gaps: the Security Rule — 45 CFR 164.302 through 164.318, the one with the risk analysis, the safeguards, and the encryption debate — governs electronic protected health information and nothing else. Paper charts, printed schedules, fax cover sheets, and the sign-in sheet on the counter are governed by a different rule, the Privacy Rule, whose Safeguards standard at 164.530(c) is short, general, and easy to overlook. Both are HIPAA. They have different scopes, different citations, and often different owners inside the practice — and the seam between them is where paper quietly ends up belonging to nobody.
The short answer
| Paper PHI | Electronic PHI | |
|---|---|---|
| Governing rule | Privacy Rule (subpart E) | Security Rule (subpart C) — and the Privacy Rule too |
| Safeguards citation | 164.530(c) | 164.308 / 164.310 / 164.312 |
| Risk analysis required? | Not by the Security Rule | Yes — 164.308(a)(1)(ii)(A), Required |
| Designated official | Privacy official — 164.530(a)(1)(i) | Security official — 164.308(a)(2) |
| Breach rule applies? | Yes | Yes |
| Documentation retention | Six years — 164.530(j)(2) | Six years — 164.316(b)(2)(i) |
Read the last three rows together and the practical point emerges. Paper has no risk analysis requirement, a different designated owner, and full exposure to the Breach Notification Rule. It is the combination of "no mandated assessment" and "full breach liability" that makes paper worth deliberate attention rather than assumed coverage.
Two rules, two scopes
The Security Rule's own text draws the line. The risk analysis specification at 164.308(a)(1)(ii)(A) requires "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by" the organization. HHS guidance on that requirement reinforces it: "All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule." E-PHI. The word is doing deliberate work.
The Privacy Rule uses a broader term. Protected health information is not limited to electronic form, and 164.530(c) applies to all of it.
So the answer to "does HIPAA cover our paper charts" is unambiguously yes. The answer to "does the Security Rule cover our paper charts" is no. Those are different questions, and conflating them is how a practice ends up with a thorough, well-documented risk analysis of its network and no written policy at all about the records room.
What the Privacy Rule safeguards standard requires
The standard is deliberately general, and its two implementation specifications set the bar:
- 164.530(c)(2)(i) — reasonably safeguard PHI "from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart."
- 164.530(c)(2)(ii) — reasonably safeguard PHI "to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure."
That second specification is the one front offices live inside. An incidental disclosure is the overheard, the glimpsed, the briefly visible — a conversation at a check-in desk that carries, a chart on a counter facing the waiting room. HIPAA does not demand these be impossible. It demands you have reasonably safeguarded against them.
Several neighboring provisions in 164.530 apply to paper practice too, and they are all mandatory standards: training all workforce members on the subpart's policies and procedures (164.530(b)(1)), sanctions against workforce members who fail to comply (164.530(e)), mitigation of known harmful effects (164.530(f)), and documentation retained for six years from creation or last effective date (164.530(j)(2)).
A paper breach is still a breach
This is the part that catches practices out, so it is worth being direct: the Breach Notification Rule does not care what the record is made of.
It turns on unsecured protected health information. Under 45 CFR 164.402, an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least four factors. Nothing in that presumption or those factors asks whether the information was digital.
So the misdirected mailing, the chart left in an exam room seen by the next patient, the records that went to a recycling bin instead of a shredder, and the box left on a loading dock are all events that enter the same analysis as a ransomware incident. The four-factor assessment may well conclude low probability of compromise — but the analysis has to be run, and it has to be documented, and the burden runs against you.
Where the gap opens in practice
The seam is structural, not careless. A practice buys or runs a risk analysis. That analysis is scoped, correctly, to ePHI, because that is what the Security Rule requires. It comes back thorough. Everybody reasonably concludes the practice has been assessed.
Nobody assessed the paper, because the assessment was never supposed to. And because the Privacy Rule requires no analysis — only "appropriate" safeguards — there is no second deliverable whose absence is conspicuous. The gap does not announce itself. It shows up when a chart goes missing and someone asks what the policy said.
Two things make this concrete. First, the privacy official at 164.530(a)(1)(i) and the security official at 164.308(a)(2) are separate required designations. Practices frequently name a security official, name no privacy official, and leave paper without an owner by omission. Second, if you use an outside assessor, ask the scope question in one sentence: does this cover paper, or only ePHI? Both answers are legitimate. Only one of them is what you assumed.
A front-office walkthrough
Fifteen minutes, a notepad, during clinic hours — not after close, because an empty office hides the finding.
- The check-in counter. Can a waiting patient read the screen, the schedule, or the chart on the desk? Sightlines are an incidental-disclosure question.
- The sign-in sheet. Can the next person read the previous names and reasons for visit?
- The printer and fax. Shared corridor, or controlled? How long does output sit there?
- Charts in transit. Face-down in the door pocket, or face-up on the counter?
- The records room. Locked? Who has the key? Is it also the break room, the storage room, or the room the HVAC contractor walks through?
- Shredding. Locked consoles or open recycling bins? Do you have a BAA with the shredding vendor, and a certificate of destruction?
- Conversations. Where does check-in happen relative to the seats? Where do phone calls about balances happen?
- Desks at close. Clean-desk practice, or overnight piles?
- Off-site storage. Who holds the key, what is the inventory, and when was it last reconciled?
- The scanner backlog. The tray of paper waiting to be digitized is paper. It is also usually the largest single pile of PHI in the building.
The hybrid reality
Almost no practice is purely one or the other, and most paper is in motion between states. A form is filled in on a clipboard, scanned into the EHR, and then sits in a tray for three weeks before shredding. During those three weeks it is paper under the Privacy Rule; after the scan it is also ePHI under the Security Rule; the tray is a physical control and the EHR entry is a technical one. The same information crosses regulatory scopes several times in a single workflow, and the practical answer is not to track which rule applies moment to moment. It is to safeguard the information and document that you did.
Which is why the sensible operational stance is the opposite of the legal distinction: assess both, in one pass, and let the citations sort themselves out in the write-up. The distinction matters for knowing what a deliverable covered and who owns the remainder. It should not produce two disconnected programs.
The takeaway
The Security Rule stops at the electron. The Privacy Rule does not, the Breach Notification Rule does not, and OCR does not. Paper gets no risk analysis mandate, a different designated owner, and identical breach exposure — a combination that reliably produces a blind spot in an otherwise well-run compliance program.
So ask the two questions that close it. Who is our privacy official? And when our assessment was scoped, did it cover the records room, or only the server? Neither question takes long to answer, and not being able to answer either one is the answer.
Common questions
Does the HIPAA Security Rule apply to paper records?
No. The Security Rule at 45 CFR 164.302 through 164.318 applies to electronic protected health information. Its risk analysis requirement at 164.308(a)(1)(ii)(A) is expressly an assessment of risks to the confidentiality, integrity, and availability of electronic protected health information. Paper records are covered instead by the Privacy Rule, whose Safeguards standard at 164.530(c)(1) requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form. So paper is regulated, just not by the rule most people cite.
Is a paper record breach reportable under HIPAA?
Yes. The Breach Notification Rule turns on unsecured protected health information, not on electronic media. A chart left in a waiting room, records in an unsecured dumpster, or a misdirected paper mailing can all be impermissible disclosures that trigger the breach analysis under 45 CFR 164.402. An impermissible use or disclosure of PHI is presumed to be a breach unless the entity demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least four factors. Nothing in that analysis asks whether the record was digital.
Does a HIPAA risk analysis need to cover paper charts?
The risk analysis required by the Security Rule covers electronic PHI, so strictly it does not reach paper. But the Privacy Rule still requires appropriate administrative, technical, and physical safeguards for PHI in every form, and the Breach Notification Rule still applies to paper. Most organizations therefore assess both together, because the alternative is a compliance file that is complete for one rule and silent on the other. If your assessment stops at ePHI, someone still needs to own the paper, and you should know who.
Who is responsible for paper record safeguards in a practice?
The Privacy Rule requires a covered entity to designate a privacy official responsible for developing and implementing its policies and procedures, at 45 CFR 164.530(a)(1)(i). That is a distinct requirement from the Security Rule's security official at 164.308(a)(2). Some organizations combine the roles in one person and some do not, but both designations are required and both must be documented. If nobody in your practice can name the privacy official, that is itself a finding.