There are three components to HIPAA compliance: a privacy rule to protect consumers’ rights, a security rule to mandate how companies must protect consumers’ information, and enforcement rules that mandate consequences for noncompliance. To be compliant with this regulation, it’s important to get consent from the users if you are going to use their information for anything other than treatment, payment, or health care operations.
Source: A Programmer’s Guide to Compliance Regulations – Simple Programmer