HIPAA requires covered entities to take steps to limit the use and disclosure of protected health information (PHI), which means that healthcare entities must develop policies and procedures that protect the privacy and security of patient information. Civil and criminal penalties have been established for covered entities that violate patients’ rights. The Office of Civil Rights is the oversight agency responsible for HIPAA compliance.