
When crafting the Omnibus Final Rule, HHS wanted to incorporate provisions of the HITECH Rule into HIPAA to boost business associate accountability. Additionally, they aimed to revise inconvenient rules and close gaps left by the previous rules.

Before we dive into the Omnibus Final Rule, here’s a brief HIPAA overview.


The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to improve the safety and privacy of medical information following the advent of electronic health records (EHR). Before this, there weren’t federal laws to regulate the protection and exchange of medical records.

Instead, these were fairly lawless times in this regard. While most healthcare providers would act reasonably, there were plenty of issues. For example, patients couldn’t always get copies of their medical records. Their employers, however, could acquire them via their health insurance provider. 

This changed when The Department of Health and Human Services (HHS) intervened by creating HIPAA. This defined important terms like protected health information (PHI) and set regulatory baselines for how medical information can be disclosed.

It’s difficult to estimate the number of people impacted by medical record breaches. Without protections to safeguard medical information, personal issues could easily become public.

While HIPAA helped herald a new era of medical record exchange, it wasn’t perfect. Since passing HIPAA, HHS has worked diligently to improve and adapt it to the ever-changing nature of the healthcare industry.

To accomplish this goal, they created additional rules and regulations, which you can read more about by clicking the links below:

Privacy Rule – 2002

Security Rule – 2005

Breach Notification Rule – 2009


The Omnibus Final Rule was passed into law in 2013, shortly after the HITECH Act. This rule made several updates to existing HIPAA rules to improve the privacy of patients and the accountability of professionals who handle medical records. 

Click here to learn more about the HITECH Act.

The updates to HIPAA brought on by the Omnibus Final Rule can be separated into 3 categories:

  1. Accountability Enhancements
  2. Privacy Improvements
  3. Miscellaneous Updates


For much of HIPAA’s existence, the regulations largely only applied to covered entities. A covered entity is a professional who directly handles medical treatment, billing, or other operations. This includes healthcare providers, health plans, pharmacies, and more.

This presented a major flaw, however, as business associates were not held to the same standards. To fix this, HHS broadened the definition of business associates.

Business associates are the professionals that create, receive, maintain, and/or transmit protected health information (PHI) on behalf of a covered entity. This list includes lawyers, consultants, 3rd party professionals, and more.

This lack of cohesion across HIPAA regulations meant that records were generally less secure as soon as providers released them. Additionally, if these records were mishandled and/or breached, the covered entity was often held liable.

The HITECH Act set the foundation for business associates and their subcontractors to face the same HIPAA regulations and penalties. It wasn’t until the Omnibus Rule, however, that this update could be enforced.

Today, business associates and covered entities alike can face steep penalties for HIPAA violations. These penalties are determined by the number of individuals affected, the length of noncompliance, and the responsible party’s level of culpability.

HIPAA penalties are separated into a four-tiered penalty structure.

  • Tier 1 – Lack of Knowledge: The responsible party was unaware of the breach and couldn’t have detected the breach using reasonable due diligence. Penalties range from $100-$50,000 per violation with an annual limit of $25,000 for repeat violations.
  • Tier 2 – Reasonable Cause: The responsible party should have noticed the breach by using reasonable due diligence. Penalties range from $1,000-$50,000 per violation with an annual limit of $100,000 for repeat violations.
  • Tier 3 – Willful Neglect: The responsible party chose to neglect HIPAA rules and/or PHI breaches. Penalties range from $10,000-$50,000 per violation with an annual limit of $250,000 for repeat violations.
  • Tier 4 – Uncorrected Willful Neglect: The responsible party neglected HIPAA rules and/or PHI breaches and didn’t fix their noncompliance within 30 days of discovery. Penalties cost $50,000 per violation with an annual limit of $1,500,000 for repeat violations.

The penalties for non-compliance can be devastating if violations are handled poorly.

With the potentially devastating nature of HIPAA compliance, the Omnibus Final Rule has driven greater accountability for business associates. This not only holds these professionals to a higher standard, but it protects healthcare organizations and patients from avoidable breaches.


Before HIPAA, patients didn’t have much control over or access to their medical information. Additionally, there weren’t many provisions stopping healthcare providers from sharing it without just cause. The HIPAA Privacy Rule expanded on patient rights in regard to their medical information, but even that wasn’t perfect.

The Omnibus Final Rule expanded further upon these provisions in an effort to shore up existing gaps in protection. These privacy expansions include the following updates:

  • Covered entities need patient authorization to send patients marketing communications when they receive payment for sending them.
  • With parent/guardian authorization, covered entities can more easily share immunization records with schools.
  • The definition of “protected health information” now includes genetic information.
  • Covered entities now need patient authorization before selling PHI, except in these two cases:
    • Research purposes where the payment only reimburses the cost to prepare and transmit records
    • Some public health purposes
  • Expanded patients’ rights to request electronic copies of their medical records
  • Required covered entities to modify and redistribute their individual notices of privacy practices.
  • Sharing of PHI in the treatment of a patient or during payment for their care
  • Patient’s rights to restrict disclosure of their PHI to health plans 


The administrative burden of HIPAA compliance unfortunately can slow down informed patient care. That’s why one goal of the Omnibus Final Rule was to reduce the administrative burden of compliant record exchange.

One way HHS accomplished this goal was by simplifying the authorization process for research. Now, researchers only need one authorization form per study. Additionally, patients can provide “prospective consent” so researchers can use their information in future studies without additional authorization.

Omnibus also revised a HITECH Act provision that required covered entities to treat any improper PHI disclosure as a breach. Instead, a four-part risk assessment is mandatory to determine the risk of PHI breaches and the success of mitigation efforts.


ChartRequest ensures compliance with all federal and state regulations relevant to the exchange of medical, imaging, and billing records. Like HHS, we aim to mitigate exhausting administrative labor to reduce burnout and simplify the exchange of information.

We help healthcare providers, patients, legal professionals, insurance plans, government agencies, and more across the United States get records fast. Our full-service partners’ average turnaround time is just 2 business days. Compare that to the 30-60 days you could wait with traditional methods.

We accomplish this by automating as much of the process as possible and streamlining the rest. By making compliant exchange simple, healthcare providers can release records faster without the worry of unintentional breaches causing massive penalties.

Do you want to see how ChartRequest can simplify the exchange of electronic health records to guarantee Omnibus Rule compliance? Click here to create your account.
