Rulemaking by the U.S. Department of Health & Human Services in 2013 extended HIPAA responsibilities to those who create, receive, transmit, or maintain individually identifiable health information on behalf of health care providers, health plans and other HIPAA-covered entities. These obligations include compliance with the HIPAA data breach notification rule, as well as portions of the HIPAA Privacy Rule and most of the HIPAA Security Rule. The rulemaking also exposes these entities to audits by the U.S. Department of Health & Human Services. Vendors to HIPAA-covered entities that may receive protected health information need to develop and implement compliance programs and appropriate contractual relationships to avoid potentially costly HIPAA violations.