The HIPAA privacy regulation is based on four key concepts:
the covered entity;
protected health information (PHI);
the patient's control over the release of PHI; and
minimal necessary disclosure.
HIPAA preempts many state laws governing access to medical records unless
these laws provide more protection for the patient's medical information than
HIPAA. As discussed later, HIPAA does not preempt state laws that require the
release of information for legal and public health and safety purposes.