Before the Omnibus Rule, which of these was not possible?

The Omnibus Rule, which was implemented in 2013, significantly expanded the scope of HIPAA enforcement especially concerning business associates. Prior to the Omnibus Rule, business associates, which include vendors and contractors who handle protected health information on behalf of a covered entity, were not directly liable for HIPAA violations. This meant that while covered entities faced penalties for non-compliance, the business associates themselves could operate without the same level of direct legal consequence, limiting the overall accountability of all parties involved in the handling of sensitive health information.

In contrast, the ability to issue fines to healthcare providers for HIPAA violations, charge patients for copies of their medical records, and implement penalties for unauthorized disclosures were established parts of HIPAA regulations before the Omnibus Rule was enacted. Therefore, the introduction of direct penalties for business associates marks a significant reinforcement in ensuring compliance throughout the entire healthcare ecosystem.