Within certain guidelines found in the regulation, covered entities may disclose information for:
- Oversight of the health care system, including quality assurance activities
- Public health
- Research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board
- Judicial and administrative proceedings
- Limited law enforcement activities
- Emergency circumstances
- Identification of the body of a deceased person, or the cause of death
- Facility patient directories
- Activities related to national defense and security
Consumer Control - the regulation provides consumers with critical new rights to control the release of their medical information.
Boundaries - with few exceptions, an individual's health care information should be used for health purposes only, including treatment and payment.
Accountability - under HIPAA, for the first time, there will be specific federal penalties if a patient's right to privacy is violated.
Public Responsibility - the new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.
Security - it is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure.
- Final HIPAA regulations cover health plans, health care clearinghouses, and health care providers. University Hospital, UMG, UPA, and SOM are "covered entities" under HIPAA.
- All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation.
- The Notices of Proposed Rule Making for security, a national employer identifier, and a national provider identifier have been published.