Which act governs the privacy and security of health information?

HIPAA sets the standard for privacy and security of health information. It establishes national rules that determine how health information can be used and disclosed, and what protections must be in place to safeguard that information. The Privacy Rule limits who can access PHI (protected health information) and under what circumstances it can be shared, while the Security Rule requires technical, physical, and administrative safeguards to protect electronic PHI. There’s also a Breach Notification Rule that requires informing individuals and authorities when a breach occurs. HIPAA applies to covered entities like healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. It also gives patients rights to access and request corrections to their health records and to be informed about how their information is used. In short, HIPAA directly governs how health information is kept private and secure, making it the correct reference for this question. Note that related laws like HITECH strengthen HIPAA’s protections, while the ACA and ARRA address broader reform and economic goals rather than privacy and security specifics.