On January 25, 2013, the Secretary for the United States Department of Health and Human Services, Office for Civil Rights (the “Department”) officially published the long-awaited final regulations (the “Final Rule”) implementing extensive and sweeping changes to the regulations for the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Final Rule increases compliance obligations for covered entities and business associates regarding when, how, why, and in some cases “if” they may receive, maintain, transmit, create, use or disclose the health information HIPAA protects (“protected health information”). Quite simply, the Final Rule significantly affects all covered entities and business associates.

This is the first Alert in a series that discusses significant changes to HIPAA compliance obligations. In addition to providing key compliance dates and a brief background about the Final Rule, this alert also offers insight into the expanded definition of “business associate” and the new requirements for business associate agreements.

Future alerts in this series will address:

- the modified requirements for analyzing potential breaches of unsecured protected health information;

- new requirements for notices of privacy practices;

- stricter requirements for marketing and sale of protected health information;

- modifications to access rights to information by individuals;

- enforcement; and

- implications for research.

Covered entities and business associates should consult with their legal counsel to determine the extent of the impact the Final Rule has with respect to them.