On January 17, the Department of Health and Human Services (HHS) released a 563-page rule that represents the most significant changes made to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the rule was first implemented. The HIPAA Security and Privacy rules include several provisions aimed at securing patients’ health information and preventing unwanted disclosures.

This latest update contains a lengthy list of new requirements. The most significant is an expansion of the privacy and security rules to cover contractors and subcontractors who access patient information through their business relationships with healthcare providers. This includes data management companies and electronic health record providers, who, in the past, have been involved in some of the largest data breaches.

The rule also gives patients greater access to and control over their medical record. Patients can now request a copy of their EHR using an electronic form, and when they pay cash for treatments, they can prevent disclosures about those treatments to their health plan. The rule also includes new limitations on what information hospitals and healthcare providers can disclose for marketing and fundraising purposes.

“These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates,” said HHS Office for Civil Rights Director Leon Rodriguez in a statement.

Of course, these provisions only scratch the surface of the many updates included in the massive final rule. If you have a few hours to kill, you can read the display copy at the Federal Register website. The final version is scheduled to be published in the January 25 issue of the Federal Register.