Early last year, the Department of Health and Human Services issued final privacy and security regulations (Final Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule, effective March 26, 2013, imposes significant responsibilities on covered entities and their business associates, which include subcontractors of such business associates. A “covered entity” is a health care provider, health plan, or health care clearinghouse that transmits certain information electronically, such as claims or payment information. A “business associate” is any party that creates, receives, maintains, or transmits protected health information (PHI) (as defined by HIPAA) in connection with providing services to a covered entity. A business associate also includes any party that provides consulting, management, administrative, or other services to a covered entity that involve the disclosure of PHI from the covered entity. A covered entity typically has multiple business associates, which can include professional advisors, medical directors, and cloud storage providers.