The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed to create national standards for electronic health care transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations — although there are important exceptions such as for treatment, payment and health care operations.

This guide, published by the Department of Health and Human Services, offers some tools and research to help covered entities and business associates make sense of the rules.