However, HIPAA requires Covered Entities (hospitals, doctors' offices, etc.) to implement "appropriate safeguards for the protection of PHI". In practice, this means every CE writes a blanket policy along the lines of "you can only access PHI of patients you are in active care of".