Guess What You’re (Probably) Subject to HIPAA!

The Health Insurance Portability and Accountability Act (“HIPAA”) is a federal law that sets minimum privacy and security standards for the use and disclosure of “protected health information” (“PHI”). Changes to HIPAA set forth in the 2013 “Final Rule” have strengthened some of these privacy and security rules and have expanded the types of entities to which these rules apply, such as subcontractors. As a result, many more survey, opinion, and marketing researchers may now be required to comply with HIPAA, and will for the first time face significant direct liability for HIPAA violations. Even for entities that are aware of HIPAA generally, there are complex legal and practical issues to consider when designing and implementing a HIPAA-compliant privacy and security program.