Effective March 26, 2013, updates to the Health Insurance Portability and Accountability Act (HIPAA) regulations may impact certain employers. These regulations are based on changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and the Genetic Information Nondiscrimination Act of 2008 (GINA). Although comprehensive, some key updates expand HIPAA security and privacy standards to business associates, shift the default format for patients to receive requested records from paper to electronic, reduce the paperwork necessary for patients to release health information to third parties, decrease the threshold for security breach notification, increase penalties for noncompliance, and prohibit the sale of protected health information for fundraising and marketing purposes. Note: Covered entities and business associates must generally comply with the applicable requirements of the final regulations by September 23, 2013.