The Privacy Rule's concept of a Legal Health Record (LHR), all individually-identifiable data, in any medium, collected and directly used in and/or documenting healthcare or health status, can be used to define the security responsibilities of a CE. The information that is included in the LHR is the data that must be appropriately protected by policies, procedures, and security technology. This means that some organizations will be able to save time and money by focusing efforts on their LHR rather than on all of the organization's data.