When the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule took effect in 2003, physicians worried about the financial costs of implementing it, the risks of disobeying it, and the nuisance of the new paperwork it would create. The Privacy Rule, issued by the U.S. Department of Health and Human Services (HHS) to implement HIPAA, was designed to protect the privacy and security of patients' medical information and to standardize electronic health care transactions. The rule requires all “covered entities,” including health plans, hospitals, clinics, and health care providers, to implement policies safeguarding all protected health information. Protected health information is individually identifiable health information that contains at least 1 of 18 identifiers, including names, telephone numbers, and Social Security numbers. Failing to comply with the Privacy Rule carries the risk of penalties and fines from the Office of Civil Rights (OCR), the body charged with enforcing the Privacy Rule on behalf of HHS (see sidebar).