Which U.S. federal law establishes national standards to protect sensitive patient health information and controls access to protected health information?

HIPAA sets the national standards for protecting sensitive patient health information and governs who may access that information. It creates the framework of privacy and security rules that apply to health plans, healthcare providers, and their business associates, defining what can be disclosed, what protections are required, and what rights patients have over their own records. The Privacy Rule limits how PHI can be used and shared, while the Security Rule mandates safeguards like identity verification, access controls, and encryption to protect data electronically; there’s also a Breach Notification Rule that requires informing individuals and authorities if a breach occurs. The HITECH Act later strengthened and expanded HIPAA’s enforcement and promoted electronic health records, but it does not establish the baseline standards itself. FERPA protects student education records, not general health information, and GDPR is European Union privacy law, not a U.S. statute.