2013 Final HIPAA Rule Summary


  • The final rule was released January 17, 2013.

  • Changes are effective on March 23, 2013, and covered entities must comply by September 23, 2013.

  • The final rule is available here.


The final rule modifies the requirements under the 1996 Health Insurance Portability and Accountability Act (HIPAA). The changes were made to comply with the 2009 statutory provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008. Additionally, HHS made changes intended to improve the operation of HIPAA.

The Rule’s Major Provisions

Enhanced Protection of Health Information
The rule finalizes the implementation of several changes, mandated by the HITECH Act, designed to enhance the protection of a patient’s protected health information and to give a patient greater control over his or her information. For example, providers are restricted from disclosing information about treatments for which a patient has paid out-of-pocket in full. The rule also expands a patient’s ability to request an electronic copy of his or her health information.

Increased Enforcement
The rule expands enforcement of HIPAA by increasing the liability of certain business partners of ASCs and other HIPAA covered entities. Additionally, the rule provides more information regarding the circumstances under which the government will impose the significantly increased penalty provisions of the HITECH Act.

Updated Breach Notification Requirements
The rule provides clarification on when disclosure of protected health information must be reported to the government.

Genetic Non-Discrimination
The rule prohibits health plans from using genetic information for underwriting purposes.