Proposed Standards for Privacy of Individually Identifiable Health Information. What this proposed rule does not do


  • The HIPAA limits the application of our proposed rule to the covered entities. It does not provide the authority for the rule to reach many entities that receive health information from these covered entities, so the rule cannot put in place appropriate restrictions on how such recipients of protected health information may use and re-disclose such information.
  • Any provider who maintains a solely paper information system cannot be subject to these privacy standards.
  • There is no statutory authority for a private right of action for individuals to enforce their privacy rights.