In 1996, Congress passed the Health Insurance Portability and Accountability Act. This act set in places certain rules regarding the disclosure of medical privacy policies.
"For the average health care provider or health plan, the Privacy Rule [of this Act] requires activities, such as: Notifying patients about their privacy rights and how their information can be used; Adopting and implementing privacy procedures for its practice, hospital, or plan; Training employees so that they understand the privacy procedures; Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed; and Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them." [Source: Department of Health and Human Services]
For answers to Frequently Asked Questions about HIPAA, see the
U. S. Dept. of Health and Human Services Office for Civil Rights - HIPAA page