To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 included a series of "administrative simplification" provisions that require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, hospitals and other health care providers to process claims and other transactions electronically. The law also required security and privacy standards in order to protect personal health information.

As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. The provisions of the final rule generally apply equally to private sector and public sector entities.

As required by the HIPAA law, most covered entities have two full years - until April 14, 2003 - to comply with the privacy rule's provisions. The law gives HHS the authority to make appropriate changes to the rule prior to the compliance date. Small health plans have until April 14, 2004 (small health plans are defined as having less than $5 million in annual receipts).

All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the rule.

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that will appropriately limit access to personal health information without sacrificing the quality of health care.

The Department of Health and Human Services will be responsible for determining if institutions are HIPAA compliant as well as assessing penalties and fines for violations.

Civil penalties: Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

Federal criminal penalties: Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.


© 2020 by Royal Imaging

 
