On January 17, 2013 the federal Department of Health & Human Services (“HHS”) announced a final omnibus rule that details amendments to the privacy, security, data breach and enforcement rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The 2013 HIPAA Amendments (which, with commentary from HHS, weighs in at 563 pages) are closely based on statutory changes under the HITECH Act of 2009, and were previewed in proposed and interim rules issued by HHS several years ago. They involve a number of sweeping expansions to the existing HIPAA Rules including: (1) a broader definition of “business associates” (“BAs”) to include downstream subcontractors that handle protected health information (“PHI”) on behalf of BAs; (2) increased penalties for noncompliance, with a maximum penalty of $1.5 million per violation; (3) expanded individual rights, including the right to request electronic medical records; and (4) new limitations on the use of PHI for marketing and fundraising, or the sale of PHI; among other broad changes.   Read the full text here