Within certain guidelines found in the regulation, covered entities may disclose information for:

  • Oversight of the health care system, including quality assurance activities
  • Public health
  • Research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board
  • Judicial and administrative proceedings
  • Limited law enforcement activities
  • Emergency circumstances
  • For identification of the body of a deceased person, or the cause of death
  • For facility patient directories
  • For activities related to national defense and security

Consumer Control - the regulation provides consumers with critical new rights to control the release of their medical information.

Boundaries - with few exceptions, an individual's health care information should be used for health purposes only, including treatment and payment.

Accountability - under HIPAA, for the first time, there will be specific federal penalties if a patient's right to privacy is violated.

Public Responsibility - the new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.

Security - it is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure.


  • Final HIPAA regulations cover health plans, health care clearinghouses, and health care providers. RowanSOM is a "covered entity" under HIPAA.
  • All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation.
  • The Notices of Proposed Rule Making for security, a national employer identifier, and a national provider identifier have been published.

How Does It Concern Me?

  • Establish Accountability for Medical Records Use and Release - penalties for covered entities that misuse personal health information are provided in HIPAA.
  • Civil penalties - Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $200 per incident, up to $25,000 per person, per year, per standard.
  • Federal criminal penalties - there would be federal criminal penalties for health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $200,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.