HITECH Act vs HIPAA: Key Requirements, Omnibus Rule Changes, and Examples
HITECH Act Overview
Understanding HITECH Act vs HIPAA starts with scope. HIPAA established baseline privacy and security rules for Protected Health Information (PHI) held by covered entities. The HITECH Act strengthened those rules by expanding direct obligations to certain vendors, creating Breach Notification Standards, increasing penalties, and accelerating Electronic Health Records Adoption through incentive programs.
HITECH also required Business Associate Agreements to flow down HIPAA security and certain privacy duties to business associates and their subcontractors. It introduced mandatory breach notifications for unsecured PHI and directed regulators to enforce compliance more aggressively, including Civil Monetary Penalties for willful neglect.
Example: A hospital deploying a new EHR must execute Business Associate Agreements with its cloud hosting provider and e-prescribing vendor, ensure encryption of stored PHI, and prepare incident response procedures that meet HITECH’s breach rules.
Omnibus Rule Changes
The HIPAA Omnibus Rule finalized how HITECH and the Genetic Information Non-Discrimination Act integrate into HIPAA. It made business associates directly liable, required BAAs with subcontractors, and tightened limits on marketing, fundraising, and the sale of PHI. It also updated Notices of Privacy Practices and clarified rights such as restricting disclosures to health plans when you pay in full out of pocket.
Critically, the Omnibus Rule replaced the old “harm” test with a presumption of breach unless a documented risk assessment shows a low probability that PHI was compromised. It also confirmed that vendors that maintain PHI—like cloud services—even without viewing it, are business associates subject to the Security Rule.
Example: After a stolen, unencrypted laptop incident, a clinic must perform the Omnibus 4-factor risk assessment. Unless that assessment shows a low probability that the PHI was compromised, notifications are required within HIPAA’s time frames.
Business Associate Liability
Under HITECH and the Omnibus Rule, business associates (and their subcontractors) are directly liable for compliance failures. They must implement administrative, physical, and technical safeguards, conduct risk analyses, and ensure downstream partners sign Business Associate Agreements with comparable protections.
BAAs must specify permitted uses/disclosures, safeguard obligations, breach reporting timelines, and termination rights. Business associates can face Civil Monetary Penalties for violations, independent of the covered entity.
Examples: A cloud storage company that hosts encrypted PHI, an analytics firm receiving limited datasets, and a billing company processing claims are all business associates. If a billing vendor emails PHI without encryption and exposes it, both the vendor and the covered entity may be accountable.
Breach Notification Requirements
HITECH created national Breach Notification Standards for unsecured PHI. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, notification to prominent media and prompt reporting to regulators are also required; smaller breaches are reported annually.
The Omnibus Rule requires a written, documented risk assessment using these four factors:
- Nature and extent of PHI involved (identifiers and likelihood of re-identification).
- The unauthorized person who used or received the PHI.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (for example, rapid retrieval, confidentiality assurances).
Exceptions apply to certain unintentional access by authorized workforce, inadvertent disclosures within a covered entity or business associate, and disclosures where the recipient could not reasonably retain the information. Encryption provides strong safe harbor because properly encrypted PHI is not “unsecured.”
Example: Ransomware encrypts a clinic’s server. Unless the clinic’s assessment shows a low probability of compromise (for instance, due to effective containment and forensics), it must notify patients and meet reporting deadlines.
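The breach rules above, encoded as a triage helper. This is an added illustration, not the page's own material or any regulator's tool; the field names, the `FourFactorAssessment` record and the sample jurisdiction counts are assumptions. It applies the encryption safe harbor, the presumption of breach rebutted only by a documented four-factor assessment, the 60-day individual deadline, and the 500-resident threshold for media and regulator notice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60   # individuals: no later than 60 days after discovery
LARGE_BREACH_THRESHOLD = 500  # residents of one state or jurisdiction

@dataclass
class FourFactorAssessment:
    # The Omnibus Rule's four factors, recorded as written findings (field names assumed)
    nature_and_extent: str = ""
    unauthorized_recipient: str = ""
    acquired_or_viewed: str = ""
    mitigation: str = ""
    low_probability_of_compromise: bool = False

    def documented(self) -> bool:
        # a conclusion with an empty factor is not a documented assessment
        return all((self.nature_and_extent, self.unauthorized_recipient,
                    self.acquired_or_viewed, self.mitigation))

@dataclass
class Incident:
    discovered: date
    phi_encrypted: bool                   # properly encrypted PHI is not "unsecured"
    affected_by_jurisdiction: Dict[str, int]  # constructed, e.g. {"CA": 620, "NV": 12}
    assessment: FourFactorAssessment = field(default_factory=FourFactorAssessment)
    statutory_exception: bool = False     # e.g. unintentional access by authorized workforce

@dataclass
class Obligations:
    reportable: bool
    reason: str
    individual_notice_by: Optional[date] = None
    media_and_regulator_notice: List[str] = field(default_factory=list)
    annual_log: bool = False

def triage(incident: Incident) -> Obligations:
    if incident.phi_encrypted:
        return Obligations(False, "safe harbor: encrypted PHI is not unsecured PHI")
    if incident.statutory_exception:
        return Obligations(False, "regulatory exception applies")
    a = incident.assessment
    if a.low_probability_of_compromise and a.documented():
        return Obligations(False, "documented 4-factor assessment shows low probability")
    ob = Obligations(True, "presumed breach of unsecured PHI")  # presumption unless rebutted
    ob.individual_notice_by = incident.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    ob.media_and_regulator_notice = sorted(
        j for j, n in incident.affected_by_jurisdiction.items() if n >= LARGE_BREACH_THRESHOLD)
    ob.annual_log = not ob.media_and_regulator_notice  # smaller breaches go in the annual report
    return ob
```

An assessment whose conclusion is "low probability" but whose factors are left blank does not rebut the presumption, so the helper still returns a reportable breach.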
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Marketing and Fundraising Restrictions
The Omnibus Rule narrows when you can use PHI for marketing. If a third party provides financial remuneration for a message promoting its product or service, you generally need the patient’s prior authorization. Limited treatment communications (such as refill reminders) are allowed if any payment is reasonably related to the cost of the communication and clear opt-out information is included.
Fundraising rules permit the use of limited PHI—like demographics, dates of service, department of service, treating clinician, and outcome—but every message must include a clear, easy opt-out. You may not condition treatment on a donation, and you must honor opt-outs. Business Associate Agreements do not replace the need for patient authorization when a communication counts as marketing.
Example: A hospital may send a fundraising letter referencing the department that treated you, but it must provide a no-cost, simple opt-out and stop sending such appeals if you opt out.
Genetic Information Non-Discrimination Protections
HIPAA now treats genetic information as Protected Health Information (PHI), and the Genetic Information Non-Discrimination Act prohibits group health plans and health insurers from using or disclosing genetic information for underwriting purposes. The Omnibus Rule implemented these protections within HIPAA, reinforcing that genetic test results and family history receive heightened safeguards.
Example: A health plan cannot use your family cancer history to set premiums or coverage terms. A provider’s research team handling genomic data must apply HIPAA security controls and privacy limits to that genetic information.
Increased Penalties for Non-Compliance
HITECH introduced tiered Civil Monetary Penalties ranging from lower amounts for violations a covered entity or business associate did not know about, up to the highest tier for uncorrected willful neglect. Per-violation penalties can reach tens of thousands of dollars, with annual caps per violation type historically reaching seven figures, subject to periodic inflation adjustments.
Enforcement emphasizes risk analysis, access controls, workforce training, and timely breach response. Patterns of disregard, failure to execute required Business Associate Agreements, or repeated lapses after notice can escalate penalties and corrective action requirements.
Example: A practice that never conducts a security risk analysis, lacks encryption, and ignores repeated warnings about improper access could face substantial penalties and a multi-year corrective action plan.
Bottom line: HIPAA sets the baseline; HITECH and the HIPAA Omnibus Rule sharpened it—expanding business associate duties, formalizing breach response, tightening marketing and genetic privacy limits, and raising the stakes for non-compliance.
FAQs
What are the main differences between the HITECH Act and HIPAA?
HIPAA created the foundational privacy and security framework for PHI. The HITECH Act enhanced it by incentivizing Electronic Health Records Adoption, extending direct obligations and liability to business associates, mandating breach notifications for unsecured PHI, and increasing Civil Monetary Penalties. In practice, HIPAA defines the rules; HITECH makes them broader, stricter, and more enforceable.
How did the Omnibus Rule change HIPAA compliance?
The HIPAA Omnibus Rule finalized HITECH and GINA changes, making business associates directly liable, requiring BAAs with subcontractors, tightening marketing and fundraising limits, and instituting a presumption of breach unless a documented 4-factor assessment shows low probability of compromise. It also updated Notices of Privacy Practices and certain individual rights.
Who is liable as a business associate under the HITECH Act?
Any vendor that creates, receives, maintains, or transmits PHI for a covered entity—such as cloud hosts, billing companies, analytics firms, and e-prescribing gateways—is a business associate. They are directly liable for Security Rule compliance, certain Privacy Rule provisions, breach reporting, and ensuring subcontractors sign Business Associate Agreements with equivalent safeguards.
What are the notification requirements after a data breach?
You must notify affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches involving 500 or more residents of a state or jurisdiction require media notice and prompt reporting to regulators; smaller events are logged for annual reporting. A documented 4-factor risk assessment determines whether an incident is a reportable breach, with encryption often providing safe harbor.