What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule, which was finalized in 2012 and became effective in 2013, contains edits and updates to all of the previously passed rules. The modifications to the Security, Privacy, Breach Notification, and Enforcement Rules were intended to enhance confidentiality and security in data sharing. The Omnibus Rule provided one single, exhaustive document that details all the requirements for complying with HIPAA and HITECH.
The Omnibus Final Rule, the most recent addition to HIPAA, was passed to strengthen the protection of protected health information, especially in electronic form, and to give patients more access to their individual health information. The rule was a response to the Health Information Technology for Economic and Clinical Health (HITECH) Act, as it fully implemented liability for noncompliance with that act in addition to the earlier HIPAA rules.
The Omnibus Rule brought about many changes, stemming from the updates it made to the individual rules and therefore to what it takes to comply with HIPAA as a whole.
Business Associate Liability
The Omnibus Rule followed just after the HITECH Act, which made business associates and their subcontractors directly liable for their own compliance with HIPAA. Although this change was first introduced in HITECH, the Omnibus Rule took it further by actually enforcing these requirements on business associates, beyond simply requiring them to sign a business associate agreement. The rule was finalized by the Office for Civil Rights (OCR), which is the office responsible for enforcing the expectations of the Omnibus Rule. Business associates can now be audited or fined directly for noncompliance by the Department of Health and Human Services, rather than the covered entities being held responsible on the BAs' behalf.
The Omnibus Rule addresses the following questions and issues relating to the use of PHI:
- PHI used in marketing or fundraising materials or events
- Selling PHI without the express consent of the patient
- Student immunization record disclosures
- Sharing of PHI in the treatment of a patient or during payment for their care
- Patients' rights to restrict disclosure of their PHI to health plans
- Individuals' ability to access their electronic PHI (ePHI)
Other Significant Changes
- Previously, the Breach Notification Rule required organizations to report breaches where there was a significant potential of harm to over 500 people. The Omnibus Rule changed this: any unauthorized use or sharing of protected health information is now presumed to be a breach. This has certainly led to a higher number of reported data breaches each year.
- Increased limitations were placed on sharing protected health information (PHI). For example, PHI can no longer be sold to anyone without direct permission from the patient.
- Expanding on one of the main goals of HIPAA, the Omnibus Rule gave individuals more rights to access their own ePHI.
- The tiered penalties against organizations that violate HIPAA and HITECH were updated and the extent of enforcement was increased.
- The Omnibus Rule requires changes to, and redistribution of, each covered entity's notice of privacy practices (NPP).
The HITECH Act made the changes, but the Omnibus Rule put muscle behind them. This law modified the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. It did not contain much new information that had not already been mentioned in previous legislation; rather, it is a finalization and summation of all that HIPAA contains and requires of its covered entities and business associates.
Understanding all the aspects of the Omnibus Rule and HIPAA can be overwhelming and exhausting, but that is exactly why Accountable is here to simplify what it means to be HIPAA compliant.