HITECH Act and the HIPAA Omnibus Rule

The 2009 HITECH Act and the 2013 HIPAA Omnibus Rule reshaped HIPAA - extending it to business associates, creating breach notification, and raising penalties. Here is what changed.

Why HITECH and the Omnibus Rule matter

Original HIPAA — the 1996 law and its initial Privacy and Security Rules — created the framework for protecting patient health information in the United States. But by the mid-2000s, two realities had outgrown that framework. First, business associates handled a huge and growing share of PHI, yet their only legal obligation was through contract, not regulation. Second, electronic health records were about to be adopted at unprecedented scale, dramatically expanding the volume and mobility of ePHI.

HITECH and the Omnibus Rule addressed both realities. HITECH — the Health Information Technology for Economic and Clinical Health Act, enacted February 17, 2009 as Title XIII of the American Recovery and Reinvestment Act — statutorily extended HIPAA obligations to business associates, created a federal Breach Notification Rule, increased civil penalties, and funded EHR adoption through the Meaningful Use program. The 2013 HIPAA Omnibus Rule then translated HITECH into binding regulation and layered on additional changes, producing the modern HIPAA framework that every covered entity and business associate operates under today.

For the broader HIPAA framework context, see the HIPAA hub page. For related detail, see the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule.

What HITECH changed

HITECH is the larger of the two shifts in substance, even though the Omnibus Rule is where most of the regulatory text actually lives.

Direct liability for business associates

Before HITECH, the Security Rule and most of the Privacy Rule applied only to covered entities. Business associates were bound to HIPAA only through their BAAs — contractual, not regulatory. HITECH changed that at §13401, making the Security Rule and specified Privacy Rule obligations directly applicable to business associates. OCR can now enforce HIPAA against a business associate directly, without the covered entity in the middle.

In practice, this is the change that pulled every healthcare-facing SaaS company directly into the HIPAA enforcement orbit.

Federal breach notification requirements

HITECH §13402 created the first federal Breach Notification Rule. Before HITECH, breach notification was governed by a patchwork of state laws with inconsistent definitions and timelines. HITECH established a uniform federal floor for unsecured PHI: notify affected individuals without unreasonable delay and no later than 60 days, notify HHS (annually for smaller breaches, within 60 days for breaches of 500 or more), and notify the media for breaches of 500 or more in a state or jurisdiction.

Business associates must notify the covered entity, who in turn notifies the individuals. The four-factor risk assessment that determines whether a violation constitutes a reportable breach originates here, though the Omnibus Rule tightened it.

Increased civil penalties

HITECH §13410(d) restructured HIPAA civil monetary penalties into the four-tier scheme that remains in effect: unknowing violations, reasonable cause, willful neglect corrected, and willful neglect uncorrected. Maximum annual penalties reached $1.5 million per violation category, adjusted annually for inflation. State attorneys general gained authority to bring enforcement actions.

Meaningful Use and the EHR buildout

HITECH also funded the nationwide rollout of electronic health records through Medicare and Medicaid incentive payments, later restructured as the Promoting Interoperability programs. The effect was to multiply the volume of electronic PHI subject to HIPAA protections — and to multiply the number of SaaS vendors building in the healthcare space.

Patient access to electronic records

HITECH §13405(e) strengthened individual access rights for ePHI held in EHRs. Individuals could request an electronic copy and direct that copy to a third party. Fees for electronic copies were limited to labor costs, eliminating the markup that some providers had applied to paper copies.

What the 2013 Omnibus Rule changed

The HIPAA Omnibus Rule — published January 25, 2013, effective March 26, 2013, with compliance required by September 23, 2013 — implemented HITECH and added further changes across all four HIPAA rules. Seven changes stand out.

BAA obligations extended to subcontractors

Before Omnibus, BAAs flowed one hop: covered entity to business associate. Omnibus required business associates to execute BAAs with any subcontractor that creates, receives, maintains, or transmits PHI on their behalf, and made those subcontractors business associates in their own right. The effect was to close the pass-through loophole and align the chain of PHI custody with the chain of legal responsibility.

See the business associate agreements guide for the full BAA content requirements.

Breach definition tightened

Omnibus replaced the HITECH "significant risk of harm" test with a presumption of breach and a four-factor risk assessment. Under the revised rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through the four factors that there is a low probability the PHI has been compromised. The shift favored notification over non-notification and made marginal cases more likely to be reported.

Genetic information protections

Omnibus incorporated the Genetic Information Nondiscrimination Act (GINA) into HIPAA, clarifying that genetic information is PHI and prohibiting the use or disclosure of genetic information by health plans for underwriting purposes.

Stronger patient rights

Patients gained the right to restrict disclosures to health plans when they pay out of pocket in full for a service, the right to receive electronic copies of their ePHI in EHR systems within 30 days, and stronger authorization requirements for the sale of PHI and for marketing communications.

Updated Notice of Privacy Practices

Every covered entity had to update its Notice of Privacy Practices to reflect the new rules, including the breach notification obligation, the expanded patient rights, and the uses of PHI for marketing and fundraising that now required authorization.

Enforcement teeth

Omnibus codified the HITECH penalty tiers, required HHS to conduct periodic audits, and clarified that willful neglect findings require formal investigation and penalty. The era of informal OCR letters closing investigations without consequence ended.

Liability for agents

Omnibus made clear that covered entities are liable for the acts of their business associates that are agents under federal common law — a narrow but meaningful exposure that forced sharper scrutiny of control over business associate operations.

Original HIPAA vs post-Omnibus HIPAA at a glance

| Topic | Original HIPAA (pre-2009) | Post-HITECH / Omnibus |
| --- | --- | --- |
| Business associate liability | Contractual only (via BAA) | Direct regulatory liability |
| Subcontractors | Not explicitly covered | Covered as business associates |
| Breach notification | State-law patchwork | Federal rule, 60-day deadline |
| Civil penalties | Up to $25,000 per year, per violation category | Four-tier structure, up to $1.5M per year, per category |
| State attorney general enforcement | Not authorized | Authorized by HITECH |
| Electronic access to PHI | Paper-oriented | Electronic copy within 30 days |
| Genetic information | Covered in part | Covered explicitly, underwriting prohibited |

How HITECH and Omnibus changed operational practice

For covered entities, the biggest operational change was BAA renegotiation — every BAA in force had to be updated to meet the Omnibus content requirements. For business associates, the change was existential: overnight, every vendor with PHI access was directly on the hook for the Security Rule, the Breach Notification Rule, and the relevant Privacy Rule obligations.

For modern healthcare SaaS companies, the practical implication is that "we are a business associate" is no longer a contractual fact — it is a regulatory status with its own documentation, risk analysis, breach reporting, and audit exposure. The HITECH and Omnibus changes are the reason a small SaaS vendor can now receive an OCR enforcement letter in its own right.

How this fits into your HIPAA program

HITECH and Omnibus are not separate frameworks to track — they are layered into the modern HIPAA rules. You satisfy them by complying with the HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, and the BAA requirements described in the business associate agreements guide. The reason to understand the history is that it explains which obligations apply to which parties, and why the BAA flow-down, breach notification, and penalty structures look the way they do today.

Common pitfalls

  • Stale BAAs. Some BAAs on file still reflect pre-Omnibus templates, missing subcontractor flow-down, breach notification language, and updated permitted use categories.
  • Outdated Notice of Privacy Practices. The notice has not been refreshed since 2013, missing language required by subsequent guidance and regulatory updates.
  • Breach analyses that apply the old test. Analysts still ask whether a disclosure caused "significant risk of harm," rather than applying the four-factor test from Omnibus. The old test is defunct.
  • Undercounted subcontractors. A business associate has not papered BAAs with its subcontractors because it treats them as "just vendors." Omnibus closed that gap.
  • No risk analysis refresh after material change. HITECH and Omnibus introduced new obligations that should have triggered a risk analysis update. Many organizations never did one.
  • Confusing HITECH, HITRUST, and HIPAA. Operators sometimes use the three names interchangeably. HITECH is federal law, HIPAA is federal law and regulations, and HITRUST is a private certification.

How episki helps

episki carries the modern HIPAA regulatory structure in its bones. BAA templates reflect Omnibus Rule requirements; breach analysis workflows apply the four-factor test automatically; risk analyses incorporate HITECH-era threats like EHR interoperability and vendor sprawl; and policy libraries reference the underlying regulation so you always know which clause a control satisfies.

See the full HIPAA platform overview or start a free trial from the top of the hub page.
