HIPAA privacy and security rules now cover business associates of HIPAA-covered entities, including insurers, claims clearinghouses, software contractors and vendors, office-based health care providers, and analytics firms. Covered entities and their business associates that did not have compliant agreements in place before Jan. 25 must have contracts in place by Sept. 23; others are granted a one-year grace period. New rules also allow patients who pay out-of-pocket for treatment to forbid providers from sharing records of that treatment with insurers.

Related Summaries