HIPAA Compliance Guide: HITECH Act and Omnibus Rule Requirements
This guide explains how the HITECH Act and the HIPAA Omnibus Rule reshaped obligations under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. You will learn what changed, who is liable, how to handle incidents, and how to build a risk management program that protects electronic protected health information (ePHI).
Overview of the HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act accelerated the adoption of electronic health records and strengthened HIPAA. It extended compliance expectations beyond covered entities to business associates, expanded enforcement, and required breach notifications for unsecured protected health information (PHI), including Electronic Protected Health Information (ePHI).
HITECH raised the stakes by increasing Civil Monetary Penalties and authorizing state attorneys general to bring HIPAA actions. It also emphasized encryption, audit capabilities, and user access logging to safeguard ePHI across increasingly digital ecosystems.
Practically, HITECH requires you to reassess where PHI resides, how it flows among vendors, and whether your safeguards meet the HIPAA Security Rule’s standards. It also compels formal vendor governance through Business Associate Agreements that specify privacy and security expectations, incident reporting, and subcontractor obligations.
Key Provisions of the HIPAA Omnibus Rule
The HIPAA Omnibus Rule finalized major updates across the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. It made business associates and their subcontractors directly liable for compliance, tightened breach analysis, expanded patient rights, and clarified marketing, sale of PHI, and fundraising limits.
- Direct liability: Business associates and downstream subcontractors must implement Security Rule safeguards and comply with specified Privacy Rule provisions.
- Breach standard: Any impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment (covering the four factors discussed below) demonstrates a low probability that the PHI has been compromised.
- Patient rights: Individuals can receive electronic copies of their records and, when they pay in full out of pocket, can restrict disclosures to health plans for those services.
- Sale of PHI and marketing: Prohibitions and authorization requirements apply when financial remuneration is involved, subject to limited exceptions.
- GINA alignment: The Genetic Information Nondiscrimination Act is incorporated, so genetic information is treated as health information and health plans may not use or disclose it for underwriting purposes.
- Notice updates: Your Notice of Privacy Practices must reflect new rights and uses, including breach notification duties and marketing/sale restrictions.
Business Associate Liability and Responsibilities
A business associate (BA) is any vendor or partner that creates, receives, maintains, or transmits PHI on your behalf. Under the Omnibus Rule and HITECH, BAs and their subcontractors face direct enforcement for Security Rule requirements and key Privacy Rule obligations, not just contractual consequences.
Core responsibilities for business associates
- Conduct and document a comprehensive risk analysis for ePHI, then implement administrative, physical, and technical safeguards under the HIPAA Security Rule.
- Limit uses and disclosures to what the Business Associate Agreement permits; apply the minimum necessary standard.
- Report security incidents and suspected breaches to the covered entity without unreasonable delay and support breach investigations.
- Flow down equivalent obligations to subcontractors that touch PHI, enforcing them via written agreements.
- Maintain audit logs, access controls, encryption where appropriate, and workforce training aligned to assigned roles.
Business Associate Agreements (BAAs): what to include
- Permitted uses/disclosures, minimum necessary, and prohibition on unauthorized uses, including sale of PHI.
- Security Rule compliance, incident reporting timelines, breach notification cooperation, and evidence preservation.
- Subcontractor flow-down, right to audit, assistance with access/amendment/accounting requests, and return or destruction of PHI at contract end.
- Allocation of responsibilities, performance metrics, and remedies, including indemnification tied to Civil Monetary Penalties exposure.
Breach Notification Requirements
The Breach Notification Rule requires notifying individuals, regulators, and sometimes the media following a breach of unsecured PHI. “Unsecured” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, in practice encryption meeting that guidance or destruction of the media. If the PHI was encrypted consistent with the guidance and the decryption key or process was not also compromised, the incident does not involve unsecured PHI and the notification rule does not apply; a lost laptop with full-disk encryption whose recovery key was taped to it does not qualify.
Assessing whether a breach occurred
- Nature and extent of PHI involved, including identifiers and likelihood of re-identification.
- The unauthorized person who used or received the PHI and whether they are bound to confidentiality.
- Whether the PHI was actually acquired or viewed.
- The extent to which risks were mitigated (for example, prompt retrieval, forensic confirmation, or verified deletion).
Who to notify and when
- Affected individuals: Without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to you or, by exercising reasonable diligence, would have been known. Written notices must describe what happened, what information was involved, steps individuals should take, what you are doing to investigate and mitigate, and how to contact you.
- U.S. Department of Health and Human Services (HHS): For breaches affecting 500 or more individuals in total, notify HHS without unreasonable delay and no later than 60 calendar days after discovery, alongside individual notice; for fewer than 500, log the breach and submit the log to HHS no later than 60 days after the end of the calendar year in which it was discovered.
- Media: If a breach involves more than 500 residents of a single state or jurisdiction, also notify prominent media outlets serving that state or jurisdiction within the same 60-day window. The two thresholds differ: HHS notice turns on the total number of individuals, media notice on the count per state.
- Business associates: Must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and provide the identities of affected individuals and any other information the covered entity needs for its notices. If the business associate is acting as the covered entity’s agent, its discovery date is imputed to the covered entity, so the covered entity’s clock starts then.
Document every decision. If you determine an incident is not a breach, retain your risk assessment and rationale. Strong encryption, access controls, and prompt containment often reduce both risk and obligations.
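The thresholds above are easy to mix up in practice: HHS notice turns on 500 or more individuals in total, while media notice turns on more than 500 residents of a single state, so a 1,200-person breach spread across three states triggers HHS notice with the individual notices but no media notice. The following Python function is an added example, not part of the original guide, that works through those rules on constructed facts. The data class names and fields, the assumption that the four-factor risk assessment has already been performed and recorded as a boolean, and the separate encryption and key-compromise flags are illustrative assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Deadlines and thresholds from the Breach Notification Rule (45 CFR 164.400-414).
INDIVIDUAL_NOTICE_DAYS = 60    # individuals: no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals in total: notify HHS with individual notice
MEDIA_THRESHOLD = 500          # more than 500 residents of one state/jurisdiction: media notice
ANNUAL_LOG_GRACE_DAYS = 60     # smaller breaches: log due 60 days after the calendar year ends


@dataclass
class BreachFacts:
    """Constructed input describing one incident (illustrative field names)."""
    discovered_on: date                  # first day the breach was known, or should have been known
    affected_by_state: dict[str, int]    # affected residents keyed by state or jurisdiction
    encrypted_per_hhs_guidance: bool     # PHI rendered unusable/unreadable (safe harbor)
    key_compromised: bool                # decryption key or process was also exposed
    low_probability_of_compromise: bool  # outcome of the documented four-factor risk assessment


@dataclass
class Obligations:
    reportable: bool
    reason: str
    individual_notice_by: date | None = None
    hhs_notice: str | None = None        # "with individual notice" or "annual log"
    hhs_annual_log_by: date | None = None
    media_notice_states: list[str] = field(default_factory=list)


def determine_obligations(facts: BreachFacts) -> Obligations:
    """Map incident facts to notification duties under the Breach Notification Rule."""
    # Safe harbor: properly encrypted PHI is not "unsecured" unless the key was also exposed.
    if facts.encrypted_per_hhs_guidance and not facts.key_compromised:
        return Obligations(False, "PHI was secured (encryption safe harbor); rule does not apply")
    # The presumption of breach is rebutted only by a documented low-probability finding.
    if facts.low_probability_of_compromise:
        return Obligations(False, "risk assessment found low probability of compromise; retain it")

    total = sum(facts.affected_by_state.values())
    result = Obligations(
        True,
        f"breach of unsecured PHI affecting {total} individuals",
        individual_notice_by=facts.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS),
    )
    if total >= HHS_IMMEDIATE_THRESHOLD:
        result.hhs_notice = "with individual notice"
    else:
        result.hhs_notice = "annual log"
        year_end = date(facts.discovered_on.year, 12, 31)
        result.hhs_annual_log_by = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)
    # Media notice is judged per state or jurisdiction, never on the total.
    result.media_notice_states = sorted(
        state for state, count in facts.affected_by_state.items() if count > MEDIA_THRESHOLD
    )
    return result


if __name__ == "__main__":
    # Constructed scenario: 1,200 individuals across three states, none above 500.
    multi_state = BreachFacts(
        discovered_on=date(2024, 3, 1),
        affected_by_state={"CA": 450, "NY": 400, "TX": 350},
        encrypted_per_hhs_guidance=False,
        key_compromised=False,
        low_probability_of_compromise=False,
    )
    print(determine_obligations(multi_state))
```

The function returns the reason alongside the decision so that the "not a breach" outcomes carry the rationale the rule requires you to retain. Note that the safe-harbor check runs before the risk assessment: if the PHI was secured, no four-factor analysis is needed, but if the key was exposed the encryption provides no safe harbor and the analysis proceeds as for plaintext.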
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Penalties and Enforcement for Non-Compliance
HIPAA uses a four-tier Civil Monetary Penalties structure based on culpability, ranging from violations where the entity did not know and, by exercising reasonable diligence, could not have known, to willful neglect not corrected within the required period. Each tier carries a per-violation range and an annual cap for identical violations, and the amounts are indexed annually for inflation.
Enforcement actions typically involve investigations by the HHS Office for Civil Rights, resolution agreements, and corrective action plans with multi-year monitoring. The Department of Justice may pursue criminal penalties for knowingly obtaining or disclosing PHI in certain circumstances, and state attorneys general may bring civil actions under HITECH.
In setting penalties, OCR weighs the nature and extent of the violation, the volume and sensitivity of the PHI involved, the harm caused, and the entity’s compliance history. Timely breach response, cooperation with the investigation, corrective measures, and a mature risk analysis and risk management program count in your favor; proactive compliance lowers exposure and can shape enforcement outcomes.
Marketing and Fundraising Restrictions
The Privacy Rule, as modified by the Omnibus Rule, restricts marketing uses of PHI. If a communication encourages the purchase or use of a product or service and you receive financial remuneration from a third party for making it, you generally need the individual’s prior written authorization, and the authorization must disclose that remuneration is involved. Limited exceptions apply: face-to-face communications, promotional gifts of nominal value, and refill reminders or other communications about a drug or biologic the individual is currently prescribed, provided any remuneration you receive is reasonably related to your cost of making the communication.
Sale of PHI is broadly prohibited without authorization. Disclosures for public health, for research where the remuneration is limited to a reasonable cost-based fee to prepare and transmit the data, for treatment and payment, or as required by law are not considered “sales,” but you must meet the conditions of each exception and document your rationale.
For fundraising, covered entities may use limited data elements: demographic information (name, address, contact details, age, gender, and date of birth), dates of service, department of service, treating physician, outcome information, and health insurance status. Each fundraising message must include a clear, easy way to opt out, you must honor the opt-out for all future solicitations, and you may not condition treatment or payment on whether the individual agrees to receive fundraising communications.
Implementing a Risk Management Program
Effective risk management converts legal requirements into daily practice. Start with a current, enterprise-wide risk analysis that inventories systems, vendors, data flows, and workforce roles touching ePHI. Map where PHI is created, received, maintained, or transmitted, including shadow IT and remote work scenarios.
Administrative, physical, and technical safeguards
- Administrative: Policies and procedures, role-based training, sanctions, vendor risk management, and incident response planning with tabletop exercises.
- Physical: Facility access controls, device/media controls, secure disposal, and environmental safeguards for on-premises and colocation sites.
- Technical: Least-privilege access, multi-factor authentication, encryption at rest and in transit, network segmentation, endpoint protection, and audit logging with regular review.
Operationalize privacy-by-design
- Apply the minimum necessary standard to workflows and analytics; prefer de-identified data, or a limited data set under a Data Use Agreement, when full PHI is unnecessary.
- Embed consent and authorization checks for marketing and research; track and enforce restrictions such as out-of-pocket payment nondisclosure to health plans.
- Maintain accurate Notices of Privacy Practices and procedures for individual rights: access, amendments, and accounting of disclosures.
Vendor lifecycle and Business Associate Agreements
- Perform due diligence before onboarding: security questionnaires, SOC reports, penetration testing attestations, and data flow diagrams.
- Execute robust Business Associate Agreements; verify subcontractor controls and require timely incident reporting.
- Continuously monitor vendors with risk scoring, evidence reviews, and contractual performance metrics tied to HIPAA obligations.
Response readiness and continuous improvement
- Maintain a breach playbook aligned to the Breach Notification Rule, including decision trees, counsel engagement, communications templates, and evidence handling.
- Track KPIs (for example, access request turnaround, patch timelines, training completion, privileged access reviews) and audit them regularly.
- Test backups and disaster recovery; validate that RTO/RPO objectives support clinical and business needs.
Conclusion
The HITECH Act and the HIPAA Omnibus Rule intensify accountability across the Privacy, Security, and Breach Notification Rules. By clarifying business associate liability, tightening breach analysis, and regulating marketing and fundraising, they raise expectations for how you govern PHI. A disciplined risk management program—anchored in current risk analysis, strong BAAs, robust safeguards, and practiced response—keeps your organization compliant and resilient.
FAQs
What are the main changes introduced by the HIPAA Omnibus Rule?
The Omnibus Rule made business associates and their subcontractors directly liable for compliance, replaced the prior “significant risk of harm” test with a structured “low probability of compromise” breach assessment, expanded patient rights to electronic copies and certain disclosure restrictions, tightened rules on marketing and sale of PHI, aligned HIPAA with the Genetic Information Nondiscrimination Act, and required updated Notices of Privacy Practices.
How does the HITECH Act affect business associate liability?
HITECH extended HIPAA’s reach so business associates must implement Security Rule safeguards and comply with specified Privacy Rule provisions. They face direct enforcement, not only contractual remedies, and must report incidents and potential breaches to covered entities. Subcontractors that handle PHI inherit these duties through flow-down agreements.
What are the notification requirements for data breaches under HIPAA?
If unsecured PHI is breached, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, include the required content in the notices, notify HHS (within the same 60-day window for breaches affecting 500 or more individuals; via an annual log, due within 60 days after the end of the calendar year, for smaller breaches), and notify the media when more than 500 residents of a single state or jurisdiction are affected. Business associates must notify the covered entity within 60 days of discovery and supply the details the covered entity needs for individual notice.
How are penalties determined for HIPAA violations?
Penalties follow a four-tier Civil Monetary Penalties structure based on culpability, from lack of knowledge to uncorrected willful neglect. OCR considers factors such as the nature and extent of the violation, the sensitivity and volume of PHI, harm caused, the entity’s compliance history, and corrective actions. Amounts are adjusted annually for inflation and may include per-violation assessments and annual caps, plus corrective action plans or, in certain cases, criminal penalties.