- Requires patient authorization for most uses of PHI
- Grants patients access to their medical records
- Requires breach notification
- Imposes significant civil and criminal penalties for violations