The HIPAA Omnibus Rule, together with the Health Information Technology for Economic and Clinical Health (HITECH) Act, enables the Department of Health and Human Services (HHS) to regulate businesses’ compliance with HIPAA legislation.

Complying with the many complex and ambiguous provisions of the HIPAA Security Rule can be a daunting task for companies providing outsourced e-mail services, billing, backup, or virtual database warehousing.


Are you a Business Associate who is required to comply with these regulations?

Business associates include legal, accounting, consulting, data aggregation, accreditation, or financial services firms that perform a function for a covered entity requiring the use of protected health information (PHI). This also applies to any subcontractors that have access to PHI. If you do business or provide services in Texas, California, or Florida, the definition of a BAA or BA is much broader. Please visit:

  • Florida FIPA Security
  • Texas Medical Privacy Law

What does this mean for HIPAA Business Associates - BAAs?

The Office for Civil Rights, which enforces HIPAA, said,

“We will begin looking at investigations in a post-Omnibus era with a new lens with respect to compliance responsibilities of covered entities and now business associate (BAA) liability.”

This means that if your organization experiences a breach, you are subject to the same fines as a covered entity, up to $1.5 million per breach. This could also include criminal penalties that could result in additional fines and imprisonment.

Don’t get lulled into a false sense of security when you hear someone say “No BAAs have actually been fined as a covered entity.” While technically true, HHS frequently settles with violators, who “compensate HHS and affected entities” without actually admitting guilt.

The HIPAA Omnibus Rule and Breach Notification for BAAs

Breach notifications and requirements for covered entities and BAAs remain the same with the Omnibus Rule.

However, prior to the rule, you only had to report a breach if it could be shown that the “eliminated harm of the breach posed a significant risk of harm to affected individuals”. Now, if a PHI disclosure violates the HIPAA Privacy Rule, the CE or BAA must either prove that there is no risk of harm to the affected individuals or follow the mandatory breach notification steps and timelines.

Failure to report a breach will result in both civil and criminal fines or penalties, in addition to those levied by the state in which the breach occurred. Under Florida FIPA, these penalties could be $500K; in Texas, $1500; and California and New York have similar laws.
