HIPAA (Public Law 104-191) was enacted on August 21, 1996. The purpose of this act was to help reform the health insurance industry and to streamline health-care administrative processes. This act authorized the secretary of Health and Human Services to inform the public about the standards for privacy, electronic exchange, and security of patient health information. After a lengthy public debate and much controversy, the Standards for Privacy of Individually Identifiable Health Information (known as the Privacy Rule) became effective in April 2003. Goals of the Privacy Rule were twofold: (1) to allow for the electronic flow of health information between covered entities (health plans, health-care providers, health-care facilities, health-care clearinghouses) with the purpose of promoting high-quality health care; and (2) to protect the public’s health and well-being and the privacy of patient health information (see http://www.hhs.gov/ocr/hipaa). The Standards for the Protection of Electronic Protected Health Information (also known as the Security Rule) became effective in 2005 to further operationalize the mandates in the Privacy Rule pertaining to the security of electronic health information.[1] The Security Rule requires that covered entities take appropriate steps to protect the confidentiality, integrity, and availability of all electronic protected health information (PHI) that they create, receive, maintain, or transmit; protect against reasonable breaches or disclosure of PHI; and train their workforce in data security compliance. Such appropriate steps include the technical (eg, user password procedures, auditing of data access), the physical (eg, deletion of PHI, disposal of data stored electronically, personal computer security), and the administrative (eg, risk-management processes and sanctions) security of electronic data. Today, the federal Office of Civil Rights is responsible for enforcing the HIPAA Privacy Rule and the HIPAA Security Rule.