On January 25, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) published a final rule (Final Rule) containing modifications to the privacy standards (Privacy Rule), security standards (Security Rule), interim final security breach notification standards (Breach Notification Rule) and enforcement regulations (Enforcement Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The final modifications include changes required by the HITECH Act and other changes deemed appropriate by OCR in order to strengthen the privacy and security of health information.

The Final Rule contains a number of provisions that will affect a broad range of HIPAA covered entities (which include certain health care providers, health plans and health care clearinghouses) and the vendors that provide services to them involving protected health information (PHI) (i.e., generally, individually identifiable health information other than employment records and certain education records)...