Final HIPAA Rules Issued

February 27, 2013

The U.S. Department of Health & Human Services (HHS) has issued the final rule [PDF] for the Health Insurance Portability and Accountability Act (HIPAA) regulations that will expand the requirements regarding the handling of patients' protected health information.

Major Areas of Change

The final rule addresses regulations in four areas:

  1. Privacy and security
    • Holds business associates liable for compliance-this includes billing services, subcontractors, and vendors to whom you provide information
    • Strengthens limitations on use and disclosure of protected health information
    • Expands individuals' rights to receive information
    • Adds requirements to privacy notices
    • Adds a category of "willful neglect," a provider is cavalier about compliance to enhance the enforcement rule
  2. Enforcement – increases the civil monetary penalties for non-compliance
  3. Breach notification – more fully describes what constitutes harm in terms of notifying authorities of breach of privacy
  4. Genetic information – prohibits use of genetic information for health plan underwriting


HIPAA was originally written to address an individual's ability to maintain health insurance coverage when changing employers and health plans, and establishes rules for providers (covered entities) who transmit protected health information (PHI) electronically. The final rule extends responsibility to business associates, that is, persons or entities that perform administration and operation functions and may receive PHI. The final rule takes effect March 26, although some requirements may be phased in over defined periods of time.

ASHA Resources

More details will be included on ASHA's HIPAA website and in The ASHA Leader, April 13, 2013. For more information or questions, contact the ASHA's Health Care Economics and Advocacy Team at

ASHA Corporate Partners