National requirements for the security of specific health information are established under the Privacy Rule.
The Privacy Rule sets forth criteria for the use and disclosure of PHI and for the privacy rights of persons to understand and control the use and distribution of personal health information, including the right to inspect and get a copy of their medical records and to request corrections.
The Privacy Rule requires covered entities to notify individuals of the uses of their PHI. Covered entities must also record their privacy policies and practices and track PHI disclosures. Some exceptions may apply.
As a covered entity, you generally don’t need a patient’s written consent to use PHI for your treatment, billing, and healthcare operations activities, as well as other permitted or necessary purposes under the HIPAA Privacy Rule.