Short answer: HIPAA’s Privacy and Security Rules limit how a health plan and its vendors can use or share protected health information, require safeguards, and give individuals rights to access their own records.
Under HIPAA’s Privacy and Security Rules, group health plans and their ‘business associates’ may use protected health information (PHI) only for permitted purposes such as treatment, payment, and health care operations, and must put administrative, physical, and technical safeguards in place. Individuals have the right to see and request corrections to their records and to receive a Notice of Privacy Practices. Breaches must be reported, and violations can bring civil and, in some cases, criminal penalties enforced by HHS.