Which law primarily governs the privacy and confidentiality of patient health information?

HIPAA governs privacy and confidentiality of patient health information. It creates standards that apply to covered entities—health plans, healthcare providers, and healthcare clearinghouses—and their business associates. The Privacy Rule limits how protected health information (PHI) can be used or disclosed and gives patients rights to access their records, request amendments, and receive an accounting of disclosures. The Security Rule requires safeguards to protect electronic PHI, and the Breach Notification Rule requires prompt notification if there is an unsecured PHI breach. Other laws don’t regulate patient data privacy in health care to the same extent: Good Samaritan laws protect people who assist in emergencies, not how patient data are shared; the Freedom of Information Act governs public access to government records with some medical exemptions, not the framework for health data privacy; Sarbanes-Oxley centers on corporate financial reporting and internal controls, not patient health information privacy.