
Laws, Regulations and Standards

The Privacy Act
The Privacy Act of 1974 provides safeguards against invasion of personal privacy through the misuse of records by Federal agencies. The Privacy Act guarantees three primary rights: the right to see records about oneself, subject to Privacy Act exemptions; the right to request the amendment of records that are not accurate, relevant, timely, or complete; and the right of individuals to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of personal information.

HIPAA
The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals' health information, called protected health information, by organizations subject to the Privacy Rule, called covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule through voluntary compliance activities and civil money penalties.
Security controls from HIPAA include administrative safeguards, physical safeguards, technical safeguards, and risk assessment.

HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provides HHS with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.

FISMA
The Federal Information Security Management Act (FISMA) of 2002 requires all federal agencies to adopt and demonstrate use of NIST-specified IT security processes and procedures. These include categorizing the risks associated with IT systems, developing and maintaining minimum controls to protect information systems, verifying and monitoring the effectiveness of those security controls through a specified certification and accreditation framework, and taking corrective action when necessary. FISMA requires that all Federal agencies, including Federal healthcare entities, as well as their contractors and service providers, adopt and demonstrate use of NIST Special Publication (SP) 800-53, along with other specified NIST Federal Information Processing Standards and Special Publications.

Health and Safety Code Section 1280
Imposes reporting requirements and administrative penalties for unauthorized disclosure of patient medical information.

California Civil Code Section 56
Requires health care providers to reasonably safeguard confidential medical information and allows administrative fines for violations.
