The passage of HIPAA Omnibus Rule heralds a new era of accountability for organizations that fall under the category of ‘business associates’ to a healthcare provider. The new rule has made some sweeping changes to the penalty system applied to each HIPAA violation category. Before you jump the gun and start worrying about the hefty fines, read this post to know whether you actually fit the role of a ‘business associate’ under the new rule.

The New Penalty System

Under the new rule, civil monetary penalties for noncompliance have been increased based on the level of violation. So, any breach of PHI (Protected Health Information) – whether intentional or accidental – can potentially set you back by up to USD 1.5 million. In fact, there is no theoretical maximum fine per year. The maximum will ultimately be at the discretion of HHS (US Department of Health and Human Services) and depends on how many different kinds of violations are found.

The final Omnibus rule establishes four categories of violations and four corresponding levels of penalties based on the gravity of the violation. The new penalty structure is summarized in the table below:

Violation category                 Penalty per violation   Annual maximum (per violation category)
Did Not Know                       $100 – $50,000          $1,500,000
Reasonable Cause                   $1,000 – $50,000        $1,500,000
Willful Neglect – Corrected        $10,000 – $50,000       $1,500,000
Willful Neglect – Not Corrected    $50,000                 $1,500,000


The biggest burden now falls on the business associates. If you support the healthcare industry or deal with patient data in any way, then you must ensure that all patient data are fully secured according to the standards established by the new rule.

Getting HIPAA compliant can be neither quick nor cost-effective for those who have just discovered their new status as business associates. And the task has been made even more daunting by the compliance deadline of September 23rd, 2013.

So, you need to be swift in your actions. Talk to your legal team, study the breach notification guidelines and prepare a plan. Teach the employees about the best practices in handling PHI and HIPAA guidelines. Spruce up your IT security and get ready to demonstrate HIPAA compliance before September.

ManageEngine has a set of Windows Active Directory management and auditing tools to help you handle the IT part of the HIPAA regulations effectively. The integrated Identity and Access Management (IAM) solutions from ManageEngine will help you deal with IT security and meet regulatory requirements. The products that can help with your HIPAA compliance objective are:

AD360: An integrated Identity and Access Management Solution

ADManager Plus: Active Directory Management and Reporting Software

ADAudit Plus: Auditing solution for Active Directory, File Servers and NetApp Filers

Exchange Reporter Plus: Exchange Auditing and Reporting Solution

To learn more about how our tools can help you with HIPAA compliance, click here.

  1. Linda A. Sherman, PAHM

    I have been looking for something short, sweet & understandable to all levels of my trainees for my HIPAA in the Workplace Training (I am the HIPAA Trainer for the state’s health plan); HHS and the Federal Register were total washouts and I have gone to a bunch of other sites for this information in the past month. Your information was perfect and easy to understand (even for a HIPAA trainer from a little backwoods state). And our “Be Careful of Scary Websites!” didn’t block your site out so you all must be doing a lot right. Thank you so very much.

    • Radhakrishnan

      Glad to be of help. Keep checking this space for more updates on HIPAA omnibus rule.

  2. Marc Haskelson

    Hi, a nice blog you have mentioned about “HIPAA Omnibus Rule”. It's attractive; still, I can suggest the page “” where you can grasp something new. Thanks.