The privacy provisions of the federal law apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation "Standards for Privacy of Individually Identifiable Health Information," which applies to entities covered by HIPAA, including therapy and counseling providers. The Office for Civil Rights (OCR) is the HHS component responsible for implementing and enforcing the privacy regulation. Privacy is defined as the right of a patient to control the disclosure of personal information.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting the HIPAA security standards was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures that covered entities must use to ensure the confidentiality of electronic protected health information. Each standard is broken down into implementation specifications that are either required or addressable. Security is "the means to control access and protect information from disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss." In other words, it is the set of safeguards (administrative, technical, and physical) an organization employs to protect information.
The U.S. Department of Health and Human Services provides comprehensive information, frequently asked questions, and guidance materials for covered entities on its Health Information Privacy page. HHS also provides a summary of the key elements of the Privacy Rule in PDF format, available for download here.