Which Law Made Significant Changes to HIPAA?

The HITECH Act of 2009 is the law most widely recognized for making significant changes to HIPAA. It expanded privacy and security protections, created mandatory breach notification requirements, extended direct regulation to business associates, and introduced penalty tiers reaching up to $1.5 million per year for the most serious violations. But HITECH wasn’t the only law to reshape HIPAA. Several subsequent laws, including the 2013 Omnibus Rule, the Genetic Information Nondiscrimination Act, the 21st Century Cures Act, and the CARES Act, have each modified how HIPAA works in practice.

The HITECH Act: HIPAA’s Biggest Overhaul

The Health Information Technology for Economic and Clinical Health Act, passed in 2009 as part of the American Recovery and Reinvestment Act, was the most sweeping update to HIPAA since its original passage in 1996. It addressed a fundamental gap: under the original HIPAA rules, “business associates” (companies that handle patient data on behalf of hospitals, insurers, and other covered entities) were only bound by private contracts, not by federal law. HITECH changed that by making business associates directly subject to HIPAA’s privacy and security rules.

HITECH also created the Breach Notification Rule, which had no equivalent under the original HIPAA framework. Covered entities must now promptly notify affected individuals whenever their protected health information is exposed. When a breach affects more than 500 people, the organization must also notify the HHS Secretary and local media. Breaches affecting fewer than 500 individuals are reported to HHS on an annual basis. Organizations that encrypt or properly destroy health information are exempt from notification if that secured data is breached.

The enforcement teeth changed dramatically too. HITECH established a four-tier penalty system based on the level of negligence:

  • Unknowing violations: $100 to $50,000 per violation, up to $25,000 per year for repeat violations
  • Reasonable cause: $1,000 to $50,000 per violation, up to $100,000 per year
  • Willful neglect, corrected on time: $10,000 to $50,000 per violation, up to $250,000 per year
  • Willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year

Before HITECH, only HHS could enforce HIPAA. The new law gave state attorneys general enforcement authority as well, opening another avenue for holding organizations accountable.

The 2013 Omnibus Rule

The Omnibus Rule, finalized in January 2013, implemented many of HITECH’s provisions and added several changes of its own. It made business associates directly liable for compliance with both the Privacy Rule and the Security Rule’s administrative, physical, and technical safeguards. This wasn’t just a restatement of HITECH. It spelled out exactly which requirements applied and how enforcement would work.

The rule also strengthened patient rights and placed new limits on how health information could be used commercially. Health organizations could no longer use or disclose protected health information for marketing or fundraising without meeting stricter requirements, and selling patient data without individual authorization was explicitly prohibited. Patients gained the right to receive electronic copies of their health records and to restrict disclosures to a health plan when they paid for treatment entirely out of pocket.

One of the more technical but important changes involved the definition of “breach.” The original interim rule had a “harm standard,” meaning organizations could avoid reporting a breach if they determined it was unlikely to cause harm. The Omnibus Rule replaced this with a more objective test: any impermissible use or disclosure is presumed to be a breach unless the organization can demonstrate a low probability that the information was actually compromised. This shift put the burden on the organization to prove a breach wasn’t serious, rather than allowing organizations to quietly decide no harm was done.

The Genetic Information Nondiscrimination Act

GINA, passed in 2008, required HHS to modify the HIPAA Privacy Rule in a targeted but important way. It explicitly classified genetic information as protected health information and prohibited health plans from using or disclosing genetic data for underwriting purposes. This means a group health plan or health insurance issuer cannot look at your genetic test results or family medical history to adjust premiums or make coverage decisions. The prohibition holds even if you’ve signed an authorization allowing such use.

The 21st Century Cures Act

The 21st Century Cures Act, signed in 2016, didn’t amend HIPAA directly but reshaped the landscape of health data sharing in ways that intersect with HIPAA’s privacy framework. Its central contribution was the concept of “information blocking,” which it defined as any practice by a healthcare provider, health IT developer, or health information network that interferes with the access, exchange, or use of electronic health information.

The law made sharing electronic health information the expected default in healthcare. Providers who knowingly and unreasonably block access to electronic health data face disincentives established by HHS. Health IT developers participating in federal certification programs are prohibited from taking any action that constitutes information blocking. When someone requests electronic health information, the entity receiving the request must fulfill it in the manner requested, or if that’s technically impossible, offer an alternative way to provide the data. These rules apply regardless of the technology involved, including automated systems and AI tools that access health records.

The CARES Act and Substance Use Records

For decades, substance use disorder treatment records were governed by a separate, stricter set of federal privacy rules known as 42 CFR Part 2. These rules made it extremely difficult to share addiction treatment records, even among a patient’s own care team, creating real barriers to coordinated care. The CARES Act of 2020 amended Part 2 to align it more closely with HIPAA, particularly by allowing substance use disorder records to be used and disclosed for treatment, payment, and healthcare operations in ways that mirror standard HIPAA permissions. This change made it easier for providers to access a patient’s full medical picture when delivering care, while still maintaining privacy protections specific to the sensitivity of addiction treatment records.

The 2024 Reproductive Health Privacy Rule

In April 2024, HHS finalized a new rule prohibiting covered entities and their business associates from disclosing protected health information to support investigations or legal actions against individuals for seeking, obtaining, providing, or facilitating lawful reproductive healthcare. Under this rule, if someone traveled to another state to receive an abortion that was legal where it was performed, a health plan or provider could not release their records to support a criminal or civil investigation into that care. The rule included a presumption that reproductive healthcare provided by another entity was lawful unless the organization receiving the records request had actual knowledge otherwise.

However, in June 2025, a federal district court in Texas declared most of this rule unlawful and vacated it, leaving the legal status of these protections uncertain.