HIPAA Omnibus Rule in Force From Today

by | Mar 26, 2013

The HIPAA Omnibus Rule comes into force today, March 26, and amends existing HIPAA regulations to provide greater security for patient data, extending the reach of HIPAA and changing regulations to bring them in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The rule was signed into law on Jan 25, 2013 by the Department of Health and Human Services (HHS) as an amendment to the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Omnibus Rule contains many changes, grouped into four new regulations:

  1. The HIPAA Privacy, Security and Enforcement regulations have been amended as follows:
    1. Liability for HIPAA compliance is extended to include business associates and subcontractors.
    2. Sale of PHI is illegal without authorization, and the use of PHI for marketing or fundraising is not allowed.
    3. Improved powers for patients, allowing them access to their electronic medical and health data, while restricting the data that must be disclosed to a health plan when treatment has been paid for entirely by the patient.
    4. Notices of Privacy Practices must be amended by HIPAA-covered entities.
    5. Clarification of the process for identifying privacy and security violations and of when they must be reported by business associates and other covered bodies.
  2. Introduction of a tiered structure of financial penalties under HITECH.
  3. HITECH breach notification regulations have been clarified to help healthcare organizations assess whether a security violation must be reported.
  4. The HIPAA Privacy Rule is modified in accordance with the Genetic Information Nondiscrimination Act (GINA), as proposed in Oct 2009, to stop the disclosure or use of genetic data for the purpose of underwriting health plans.

Violation of the Health Insurance Portability and Accountability Act (HIPAA) will see a financial penalty applied of between $100 and $50,000 for each individual violation if it can be ruled that the organization acted with a reasonable amount of diligence and the breach occurred without the knowledge of the body concerned.

In the case of a rule violation due to reasonable cause, the penalty rises to between $1,000 and $50,000 per breach, provided there was no willful neglect. In cases of willful neglect the fine will be between $10,000 and $50,000 per offence. A minimum fine of $50,000 for each breach, up to a maximum annual penalty of $1.5 million, will be applicable in cases of willful neglect where there was no speedy response to address a security breach.

A breach notification must be sent unless the organization or a business associate can show with reasonable certainty that no PHI has been accessed by, or disclosed to, an unauthorized person. Proof must also be provided to support this. Business associates must determine the nature of any data that was accessed, whether personal identifiers have been seen, who the PHI was disclosed to, the risk to patients and whether that risk has been mitigated.

Physicians and healthcare workers who transmit or store electronic health information, along with any business associates who receive, transmit or maintain PHI data records, are covered by HIPAA, and therefore the new Omnibus Rule will apply to them.

Business associates, or any body that needs access to PHI, supplies data transmission services, offers a personal health record on behalf of a HIPAA-covered entity or is a subcontractor with access to PHI, must also adhere to the Omnibus Rule.

The Omnibus Rule is a material change, and as such requires an update of the Notices of Privacy Practices by covered bodies. Healthcare organizations and other covered bodies have until Sept 23, 2013 to update NPPs and put the new rules in place. After this date, a failure to apply the changes will be deemed non-compliance and is likely to incur financial sanctions.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
