HIPAA Omnibus Rule Now Legally Binding

by Patrick Kennedy | Sep 25, 2013

The HIPAA Omnibus Rule was passed in March this year, although the OCR gave covered entities a grace period in which to bring their organizations' policies and procedures up to date with the new regulations.

The Omnibus Rule amended HIPAA to cover Business Associates of covered entities, and their subcontractors, with the 6-month grace period put in place to give these newly covered organizations time to become compliant. That grace period elapsed today and the Omnibus Rule is now enforceable, with the OCR able to issue fines for any non-compliance it now finds.

The Omnibus Rule adds a number of security controls to ensure that private medical records are properly secured, including new restrictions on who is able to access them. The Breach Notification Rule has been updated and now presumes that any unauthorized access to PHI is a reportable breach, not just access that poses a significant risk of harm. Affected individuals, as well as the OCR, must be notified of the breach within 60 days of its discovery.

Any security incident must now be assessed to decide whether it is reportable using the following four factors: the nature of the data exposed; the unauthorized person who accessed, or could have accessed, the data; whether the PHI was actually acquired or viewed; and the extent to which the organization has been able to mitigate the harm. Before the final rule, a breach was reportable only if it posed a risk of harm; now a breach must be reported unless the organization can demonstrate that there is a low probability the PHI has been compromised.

Under the previous rules, whether a breach had to be reported depended on the type of information exposed. Personal data such as dates of birth or Social Security numbers had to be exposed before notifications were required, whereas now even the exposure of limited data containing no dates of birth or Social Security numbers must be treated as a full data breach.

Notices of Privacy Practices must be refreshed under the new rule, which requires individuals to be informed about how and under what circumstances they will be contacted by the covered entity, and they must now be permitted to opt out of receiving such correspondence. The use of Protected Health Information has also been restricted: it cannot be used for marketing purposes, and the sale of PHI has been prohibited.

Other amendments strengthen patients' rights to access their health information and limit to whom that information can be disclosed. Patients can request that Medicare not be notified of medical services they have received and paid for in full themselves, and similarly can ask a healthcare provider not to disclose details of treatment to their health plan if they have paid for it in full out of their own pocket.

Before the new rule, Business Associates of covered entities could not be held responsible for HIPAA violations, and neither could the covered entity itself if it could be established that it was unaware of any pattern or practice that breached the business associate agreement (provided it had complied with the HIPAA Privacy and Security Rules). The Omnibus Rule removes this exception: Business Associates can now be held directly liable for non-compliance and data breaches, and covered entities can be held liable for the actions of Business Associates acting as their agents.

The OCR will now be enforcing the Omnibus Rule. Although it is not expected to issue financial sanctions immediately, fines of up to $1.5 million per violation category per year can be issued by the OCR for non-compliance. It is therefore important that all covered entities which have not yet implemented the changes mandated by the Omnibus Rule do so immediately, and check their Business Associate agreements to ensure they have been updated to reflect the Omnibus changes.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
