FIS Relius
HHS Releases Regulations Establishing Standards For Privacy Of Electronic Medical Records 11/17/1999
On November 3, 1999, the Department of Health and Human Services published over 600 pages of proposed regulations related to electronically stored and transmitted medical records. Comments on the regulations will be accepted until January 3, 2000.

Health plans are covered by the rule as well as health care providers. Protected information is data that "becomes electronic." It is protected as long as the information is being maintained in a computer system or printed out of the system. To be protected, the information must be "identifiable"; that is, it has components that could be used to identify the subject. Any provider who maintains a solely paper information system is not subject to these privacy standards and there is no statutory authority for a private right of action for individuals to enforce their privacy rights. However, HIPAA does establish monetary and criminal penalties for certain wrongful disclosure of information or noncompliance with the regulations.

The general rule is that:

  • covered entities would be prohibited from using or disclosing health information except as authorized by the patient, or as explicitly permitted by the regulation. The regulation would permit use and disclosure of health information without authorization for purposes of health care treatment, payment and operations, and for specified national policy activities, under conditions tailored to each type of such permitted use or disclosure.

The regulations mandate the amount of information to be used or disclosed to be the minimum amount necessary to accomplish the relevant purpose. Under the principle of minimum necessary use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used or shared inappropriately.

To encourage covered entities to strip identifiers from health information, the regulations permit the use and disclosure of such de-identified information in any way as long as it cannot be re-identified.

Entities may disclose protected health information to persons they hire to perform functions on their behalf, where such information is needed for that function; however, covered entities must enter into contracts with their business partners that include terms to ensure that the protected health information disclosed to a business partner remains confidential. Health information would remain protected for two years after the death of the subject.

Covered entities could use and disclose protected health information without authorization for treatment, payment and health care operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities that are part of ensuring appropriate treatment and payment.

Covered entities could use or disclose protected health information with the individual's authorization for almost any lawful purpose. Entities may not condition treatment or payment on the individual agreeing to disclose information for other purposes, and the authorization form must state this.

Authorization forms must specify the information to be disclosed, who would get the information and when the authorization would expire. If an authorization is sought so that a covered entity may sell or barter the information, this must be disclosed on the authorization form. Individuals may revoke an authorization.

For the following national priority activities, no authorization is required:

  • oversight of the health care system, including quality assurance activities; public health, and emergencies affecting life or safety; research; judicial and administrative proceedings; law enforcement; providing information to next-of-kin; identification of the body of a deceased person or the cause of death; government health data systems; facilities' (hospitals, etc.) directories; financial institutions processing payments for health care; and where the use or disclosure is mandated by other laws.

Individuals have:

  • the right to receive a written notice of information practices from health plans and providers. The notice must describe the types of uses and disclosures that the plan or provider would make with health information. When plans and providers change their information practices, they would also have to update the notice. Plans and providers would be required to follow the information practices specified in their most current notice.

  • the right to obtain access to protected health information about them, including a right to inspect and obtain a copy of the information.

  • the right to request amendment or correction of protected health information that is inaccurate or incomplete.

  • the right to receive an accounting of the instances where protected health information about them has been disclosed by a covered entity for purposes other than treatment, payment or health care operations (subject to certain exceptions for law enforcement and oversight).

The proposed rule would require providers and payers to develop and implement basic administrative procedures to protect health information and the rights of individuals with respect to that information. They would be required to maintain documentation of these policies and procedures. The documentation must include a statement of the entity's practices regarding who would have access to protected health information, how that information would be used within the entity and when that information would or would not be disclosed to other entities.

Covered entities would be required to have in place administrative systems that enable them to protect health information in accordance with this rule. Specifically, this means covered entities would be required to designate a privacy official; provide privacy training to members of their work force; implement safeguards to protect health information from intentional or accidental misuse; provide a means for individuals to lodge complaints about the entity's information practices and maintain a record of these complaints; and develop a system of sanctions for members of the work force and business partners who violate the entity's policies.