On January 17, 2013, the Department of Health and Human Services (“HHS”) released its long awaited final HIPAA rule, which significantly expands certain obligations for healthcare providers and their business associates (the “Final Rule”). The Final Rule, which was published in the Federal Register on January25, 2013, has been described as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” In general, the Final Rule expands HIPAA obligations for business associates and their subcontractors, revises the requirements regarding the use and disclosure of patient information, expands patient rights, clarifies the content of Notice of Privacy Practices to be provided by healthcare providers, modifies the breach notification requirements, and expands enforcement provisions and penalties. The Final Rule is effective March 26, 2013. However, healthcare providers and business associates will have until September 23, 2013 (and in limited circumstances with respect to amending business associate agreements, until September 23, 2014) to achieve compliance with many of the new provisions...

Under HIPAA, a covered entity (e.g., healthcare providers, health plans and health care clearinghouses) can disclose protected health information (“PHI”) to a business associate, which is generally a person or entity that performs functions, activities or services on behalf of the covered entity that involve the use and/or disclosure of PHI. For a covered entity to use the services of a business associate, the covered entity must enter into a business associate agreement with the business associate. The business associate agreement obligates the business associate to comply with the HIPAA Security Rule and certain HIPAA Privacy Rule provisions.