HITECH Act and HIPAA Omnibus Rule Update

HITECH Act and HIPAA Omnibus Rule

HIPAA was enacted in 1996, the ARRA HITECH Act in 2009, and the HIPAA Omnibus Rule in 2013.  In January 2020, a federal court ruled that a portion of the Omnibus Rule was invalid, but only with respect to an individual's right to direct a copy of their records to a third party and the fees that may be charged for such copies.  This ruling does not affect the privacy and security standards, or an individual's own right to obtain a copy of their health care records.  Below is a recap of important privacy standards of each Rule and an update on the determination of the United States District Court for the District of Columbia.

HITECH Act Enforcement Interim Final Rule

Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA Rules.

Section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act (the Act) by setting forth:

  • Four (4) categories of violations with increasing levels of culpability;
  • Four (4) corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
  • A maximum penalty amount of $1.5 million per calendar year for all violations of an identical provision.

Section 13410(d) also amended section 1176(b) of the Act, which now prohibits penalties for violations that are corrected within 30 days of the date the person knew (or, by exercising reasonable diligence, would have known) of the violation, provided the violation was not due to willful neglect.

Four Tiers of Culpability

(1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;

(2) the violation was due to reasonable cause, and not willful neglect;

(3) the violation was due to willful neglect that is timely corrected; and

(4) the violation was due to willful neglect that is not timely corrected.

The Enforcement Interim Final Rule conforms the HIPAA enforcement regulations to these revisions under section 13410(d) of the HITECH Act.

HIPAA Omnibus Rule

The 2013 omnibus final rule under the Health Insurance Portability and Accountability Act (“HIPAA”), commonly called the HIPAA Omnibus Rule, required compliance by September 23, 2013.[1]  The HIPAA Omnibus Rule implemented the modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules required by the HITECH Act, including the tiered civil money penalty structure described above.

Importantly, the Omnibus Rule changed the breach notification standard for unsecured PHI under the HITECH Act.  An impermissible acquisition, access, use, or disclosure of unsecured PHI is now presumed to be a breach, and the Covered Entity or Business Associate must rebut that presumption by demonstrating, through a documented risk assessment, that there is a low probability that the PHI has been compromised.[2]

The Omnibus Rule also modified the HIPAA Privacy Rule to implement the Genetic Information Nondiscrimination Act of 2008 (GINA), prohibiting most health plans from using or disclosing genetic information for underwriting purposes.[3]

The Omnibus Rule also gives patients who pay out of pocket in full for an item or service the right to instruct their provider not to disclose information about that treatment to their health plan for payment or health care operations purposes, and the provider must honor that restriction.[4]

Business Associates and their Subcontractors are now directly liable for compliance with the applicable HIPAA requirements and are subject to the same civil money penalties as Covered Entities.  In addition, under the federal common law of agency, a Covered Entity is liable for the acts of a Business Associate that is its agent, and a Business Associate is likewise liable for the acts of a Subcontractor that is its agent.[5]

Health care providers may disclose proof of immunization directly to a school that is required by law to have such proof before admitting the student, with the oral or written agreement of the student’s parent or guardian.[6]

The Omnibus Rule implemented the ARRA HITECH Act requirements that marketing communications and the sale of PHI require the individual’s written authorization, and that fundraising communications give the individual a clear opportunity to opt out.[7]

January 23, 2020 Ruling by Federal Court Regarding HIPAA Omnibus Rule

The United States District Court for the District of Columbia (Ciox Health, LLC v. Azar) held that the portion of the HIPAA Omnibus Rule extending an individual’s right to direct a copy of PHI to a third party to all PHI regardless of format, together with the 2016 guidance issued by the United States Department of Health and Human Services (“HHS”) applying the “reasonable, cost-based” fee limit to such third-party directives, was unlawful. [8]


[1] Becker's Hospital Review, “15 Things to Know About the HIPAA Omnibus Final Rule Before Sept. 23” (2013).

[2] The breach notification final rule replaced the earlier “risk of harm” standard with an assessment of the risk that the PHI has been compromised, considering at least: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.  Notification is therefore required unless the covered entity or business associate, through its own breach investigation, documents and demonstrates a low probability that the PHI was compromised.

[3] As provided in the Federal Register, “…modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy.” https://www.federalregister.gov/d/2013-01073/p-3

[4] The right to restrict disclosures to a health plan when the individual (or someone on the individual’s behalf) pays out of pocket in full is set out at 45 CFR 164.522(a)(1)(vi), implementing section 13405(a) of the HITECH Act.  Unlike other requested restrictions, which a covered entity may decline, the covered entity must agree to this one.

[5] Agency liability – The Omnibus Rule not only reiterates that Covered Entities are liable for their own violations, but also makes them liable for the acts of Business Associates that are their agents, in accordance with the federal common law of agency.  This requires greater vigilance by Covered Entities when the Business Associate is an agent.  “Use and disclose on behalf of” would generally be considered agency-like language, and it is the fundamental definition of a Business Associate.  The Omnibus Rule removes the former exception from vicarious liability for agents that are business associates when a valid business associate contract is in place.  See Rebecca L. Williams, Adam H. Greene, Louisa Barash, Jane Eckels, Edwin D. Rauzi, Kent B. (Bernie) Thurber, and Kristen R. Blanchette, “New Omnibus Rule Released: HIPAA Puts on More Weight” (Jan. 23, 2013), https://www.dwt.com/insights/2013/01/new-omnibus-rule-released-hipaa-puts-on-more-weight

[6] According to U.S. Health and Human Services (HHS), “Student Immunizations 45 CFR 164.512(b)(1)(vi) – Background: The HIPAA Privacy Rule strikes an important balance between protecting the privacy of individuals’ protected health information (PHI) and allowing the disclosure of PHI in a number of circumstances to those responsible for ensuring public health and safety.  One circumstance involves the disclosure of student immunization information to schools.  Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have received various immunizations.  Most States have “school entry” laws, which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized.  Some States allow a child to begin school provisionally for a certain period of time while the school waits for the necessary immunization information.  Typically, schools ensure compliance with State requirements by requesting immunization records from parents, who then request them from their child’s health care provider.  To ensure schools are able to receive the necessary documentation of immunization in a timely manner and admit children without undue delay, the HIPAA Privacy Rule permits a covered health care provider to disclose proof of immunization directly to a school that is required by law to have such proof prior to admitting a student, with the oral or written agreement of a parent or guardian.”  See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/student-immunizations/index.html

[7] See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, https://www.federalregister.gov/d/2013-01073/p-14

[8] HHS’s 2016 guidance addressed the fees that may be charged for producing copies of patient records, and HHS subsequently began investigating entities that charged higher fees.  The U.S. District Court for the District of Columbia held that the Omnibus Rule’s expansion of the third-party directive (an individual’s right to have a copy of PHI sent to a designated third party) from electronic PHI in an electronic health record to all PHI in any format was arbitrary and capricious.  The court also held that HHS’s 2016 guidance applying the “reasonable, cost-based” fee limit to third-party directives was issued without notice-and-comment rulemaking and therefore violated the Administrative Procedure Act (“APA”).  The court did not invalidate the 2016 HHS guidance on which labor costs can be recovered under the “reasonable, cost-based” fee.  See Sara Goldstein, Aleksandra Vold, and Alexandra Royal, “Federal Court Invalidates 2013 HIPAA Omnibus Rule Regulations and HHS Guidance on Fees for Copies of Medical Records,” https://www.bakerdatacounsel.com/hipaahitech/federal-court-invalidates-2013-hipaa-omnibus-rule-regulations-and-hhs-guidance-on-fees-for-copies-of-medical-records/


Michael F. Arrigo

