The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a federal law that regulates the disclosure or distribution of patient information by health care providers to others, whether it is personal information they acquired, medical information they created from the diagnosis during a patient's consultation, or information that was transferred to them.
This information is called "Protected Health Information" (PHI), and health care professionals cannot transfer or use it without prior written consent from the patient. For information to be considered PHI, it must be information received or created in the course of business by a health care provider, health care plan, or health care clearinghouse; it must be information relating to a medical or mental health condition, payments, diagnosis, or the provision of a health care service by a provider or professional, whether it relates to a past, present, or future event, or information relating to the individual; and lastly, it must identify the patient or individual.
If a patient's information is going to be used for research, the Institutional Review Boards (IRB) must be informed, as well as the patient who owns the information.
You can learn more about HIPAA at http://www.hhs.gov/ocr/hipaa