EHR systems;[19] and (2) enhance HIPAA's privacy and security protections.[20]
With respect to EHR systems, the HITECH Act made federal funds available
to providers to facilitate adoption of EHR technology and to conduct training
and education to develop "best practices" of EHR use.[21] The Act also
delegated authority to HHS to promulgate rules that enhance privacy and
security protections and strengthen the government's ability to enforce the
law.[22] On January 17, 2013, HHS released the "Omnibus Rule," which
implements key aspects of the HITECH Act.[23]
a. The Omnibus Rule
The Omnibus Rule revised the HIPAA Privacy[24] and Security Rules,[25] as
well as the Breach Notification Rules.[26] Key changes to the rules include:
1. Making business associates of covered entities directly
liable for compliance with certain HIPAA Privacy and
Security Rule requirements;
2. Adopting proposed changes to the HIPAA Enforcement
Rule to incorporate the increased tiered civil money
penalty structure called for by the HITECH Act; and
3. Replacing the old breach notification requirements with
a stricter Breach Notification Rule that sets out more
objective standards to determine if notification is
The most notable changes related to the security of e-PHI are the harsher
penalties in the event of a breach and the overhaul of the Breach Notification
Rule.[28] If and when a breach is discovered, the Breach Notification Rule
requires covered entities and their business associates to promptly notify
affected individuals of a breach, as well as the HHS Secretary and the media
19. Lisa L. Dahm, Carrots and Sticks in the HITECH Act: Should Covered Entities
Panic?, 22 HEALTH LAW. 1, 1 (2010).
21. Id. at 3.
22. See HITECH Act, 42 U.S.C. §§ 300jj, 17901 (2012).
23. See generally 45 C.F.R. §§ 160, 164 (2014).
24. See 45 C.F.R. § 164, Subpart E (2013).
25. See id. Subpart C.
26. See id. Subpart D.
27. See 45 C.F.R. §§ 160, 164 (2014).
28. See id.