On January 17, the Department of Health and Human Services (HHS) issued a new rule under the Health Insurance Portability and Accountability Act (HIPAA). The omnibus rule is intended to enhance patient privacy protections, provide new rights with regard to patient health information, and strengthen the government’s enforcement abilities. For example, the new rights allow patients to (i) request a copy of their electronic medical record in an electronic form and (ii) instruct their provider not to share information about their treatment with their health plan when the patient pays by cash. The rule also sets limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals’ health information without their permission. While the rules are of general interest as an important development regarding privacy rights, HIPAA protections can, in some circumstances, apply to financial service providers. Not only may financial services firms need to take note as a provider of health care benefits to their employees, but also because the rule expands applicability of HIPAA requirements to “business associates” of health care providers, health plans, and other entities that process health insurance claims and receive protected health information.