In 2013, the Federal Department of Health and Human Services (HHS) issued final omnibus amendments to regulations arising under the Health Insurance Portability and Accountability Act (HIPAA). The omnibus rules implemented the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The omnibus rules imposed a new and significant compliance burden, widened the scope of those subject to compliance, and provided for large penalties for noncompliance, something new under HIPAA. Although HITECH and HHS’ omnibus rules had been a long time coming, many affected entities took a “wait and see” approach to compliance. For some, budgets were not prepared for compliance; others did not believe that there was a significant risk of a breach. Worse, some believed that the risk of getting caught was insignificant in light of the cost and burden of compliance.

It has since become clear that reportable breaches happen to every covered entity and business associate, frequently multiple times a year. These breaches involve not only the personally identifiable health information protected under HIPAA, but also other personal information outside of the health care context. As a result, these breaches now implicate not only more than HIPAA, but more than U.S. law alone.