For example, patients will now have the ability to request an electronic copy of any medical records maintained in electronic format.

In addition, under the Final Rule, business associates will now be directly liable for noncompliance and may be subject to civil and, in some cases, criminal penalties. As a result, HHS has published updated model business associate agreement language to conform to these changes.

Finally, HHS has updated the breach notification rule to replace the prior "harm" threshold with a more objective standard and to clarify when breaches of unsecured health information must be reported to the government.  The compliance date for all changes is September 23, 2013.

NYSPA is currently reviewing the Final Rule and will be preparing a guidance document outlining key changes as well as an updated model Business Associate Agreement. Once finalized, these new materials will be posted on the NYSPA website and an E-Bulletin will be sent at that time.