The second category of requirements is related to privacy of protected health information (PHI). It affects information that is maintained or transmitted via paper, electronic means and verbally. PHI is specifically defined to protect information that relates to a health condition or payment of health care services and clearly or reasonably could identify the patient. The privacy regulations outline the proper use and disclosure of PHI and generally expect that PHI will be used only where necessary to conduct business and service customers. Additionally, consumers are given certain rights such as the right to a notice regarding the Company's privacy policy and a right of access to PHI about them. The privacy regulations also establish the safeguard standards that must be met, but it gives companies the flexibility to design their own policies and procedures to meet those standards. The requirements are flexible and scalable to account or the nature of a company's business, size and resources.