Rules Governing Privacy Standards Under HIPAA
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed. Among other things, HIPAA mandated the adoption of federal privacy protections for individually identifiable health information. The Federal Department of Health and Human Services (HHS) therefore published "Standards for Privacy of Individually Identifiable Information" (the Privacy Rule).
The Privacy Rule became effective on April 14, 2001, with a required compliance date of April 14, 2003 (April 14, 2004 for small health plans with less than $5 million in annual receipts). The Privacy Rule is intended to provide a "floor" of protection for patient health information. In other words, federal, state and local laws that impose more stringent requirements remain in effect, while less stringent laws are superseded by the Privacy Rule.
Covered Entities
"Covered entities" are required to comply with the Privacy Rule. These include:
- Health plans that provide or pay for benefits, including self-funded employer plans
- Health care providers (including physicians, emergency or ambulance personnel, and on-site facilities and clinics), if they transmit health data electronically
- Health care clearinghouses, such as billing agents and firms that process data
Applicability and Protections
The Privacy Rule is applicable to individually identifiable health information held or transmitted by covered entities and their business associates in any form of media, whether paper, electronic or oral. Under the Rule, this type of information is defined as "protected health information" (PHI), and includes information regarding health care provided to the patient. In addition, it includes a patient's past, present, or future physical or mental condition along with payment for such services.
PHI protections and rights include, but may not be limited to:
- Providing copies of medical records upon request
- Notification of how PHI may be used (by doctors and other health care providers)
- Prohibiting marketing of patients' medical information without consent
- Providing an opportunity for the patient to object to any proposed use of PHI
- Release of only limited information about a patient when asked for by patient name
PHI may be released or disclosed to the patient himself or to others with the patient's authorization. It may also be released for treatment, payment and health care operations, along with incidental use and certain public interest purposes.
Civil and Criminal Penalties for Violating the Privacy Rule
Patients who believe that their Privacy Rule rights have been violated may file a complaint with the Federal Office for Civil Rights. The complaint must, at minimum, meet the following requirements:
- Be filed in writing (on paper or electronically) within 180 days of when the patient knew of the violation
- Name the offending person or entity
- Describe the acts or omissions believed to violate the Privacy Rule
HHS may impose civil monetary penalties on a covered entity of $100 per violation of the Privacy Rule, with a maximum of $25,000 in one year. Such penalties may not be imposed when the violation is due to reasonable cause, did not involve willful neglect and was corrected by the covered entity within 30 days of when it knew or should have known of the violation.
Conversely, a covered entity that knowingly violates the Privacy Rule faces criminal penalties, including, at minimum, a fine of $50,000 and up to one year of imprisonment. These penalties increase to $100,000 and up to five years imprisonment if the violation involves false pretenses and $250,000 and ten years in prison if it involves intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm. Criminal penalties are enforced by the Department of Justice.