The intent of the HIPAA Privacy Rule is to permit important uses of health information while, at the same time, protecting the privacy of individuals who are seeking health care.
The Privacy Rule limits the use and disclosure of PHI and establishes individual rights, which are detailed on the following page.
The HIPAA Privacy Rule allows covered entities to analyze their own needs and implement programs based on their environment. However, it requires that all privacy policies and procedures they develop comply with the Privacy Rule and be monitored at least annually.
The Privacy Rule also requires covered entities to develop processes to handle complaints. Among other things, the covered entity must identify where individuals can submit complaints at the facility and advise them that complaints can also be submitted to the Secretary of Health and Human Services (HHS) without fear of retaliation for doing so.