On January 17, 2013, the Department of Health and Human Services ("HHS") released its longawaited
final HIPAA rule, which significantly expands certain obligations for healthcare providers and their business associates (the "Final Rule"). The Final Rule, which was published in the Federal Register on January 25, 2013, has been described as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." In general, the Final Rule expands HIPAA obligations for business associates and their subcontractors, revises the requirements regarding the use and disclosure of patient information, expands patient rights, clarifies the content of Notice of Privacy Practices to be provided by healthcare providers, modifies the breach notification requirements, and expands enforcement provisions and penalties. The Final Rule is effective March 26, 2013. However, healthcare providers and business associates will have until September 23, 2013 (and in limited circumstances with respect to amending business associate agreements, until September 23, 2014) to achieve compliance with many of the new provisions.