Blog

HIPAA and the Omnibus Rule

HIPAA
October 14, 2020
The HIPAA Omnibus Final Rule modified the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule.

What is the HIPAA Omnibus Rule?

What is the HIPAA Omnibus rule?

The HIPAA Omnibus Rule, which was finalized in 2012 and became effective in 2013, contains edits and updates to all the previously passed HIPAA compliance rules. The modifications to the Security, Privacy, Breach Notification, and Enforcement Rules were intended to enhance confidentiality for PHI and security in data sharing (with regard again to protected health information). The Omnibus Rule provided one single, exhaustive document that details all the requirements for complying with HIPAA and HITECH. Please read on so the Accountable blog can fill you in on the rest of the 'need to knows' for the HIPAA Omnibus rule and what it meant for your compliance plan.

The Omnibus Rule

The Omnibus Rule, the most recent addition to HIPAA (The Health Insurance Portability and Accountability Act), was passed to strengthen the protection of protected health information , especially in electronic form, as well as give patients more access to their individual health information. This rule was in response to The Health Information Technology for Economic and Clinical Health (HITECH) Act as it fully implemented liability for this noncompliance with this act in addition to the previous HIPAA acts. 

There were many changes that the Omnibus Rule brought about stemming from the updates it added to the individual rules and therefore to comply with HIPAA as a whole. 

Business Associate Liability 

The Omnibus Rule followed just after the HITECH Act which made business associates and their subcontractors directly liable for their own compliance with HIPAA (the Health Insurance Portability and Accountability Act). Although this change was first mentioned in HITECH (Health Information Technology for Economic and Clinical Health Act), the Omnibus Rule took it to another level by enforcing these regulatory requirements upon business associates. This rule was finalized by the Office for Civil Rights (OCR) as they are the party that is responsible for enforcing the expectations of the Omnibus Rule. Business Associates are now bound to HIPAA mandates, the same as their Covered Entity clients. This makes it so that business associates can now be audited and/or fined directly for noncompliance by the Department of Health and Human Services, or Office of Civil Rights, rather than the covered entities being held responsible on behalf of the business associate. 

Privacy Changes

The Omnibus Rule addresses the following questions and issues relating to use of PHI

  • PHI used in marketing or fundraising materials or events 
  • Selling PHI without the express consent of the patient 
  • Student immunization record disclosures 
  • Sharing of PHI (protected health information) in reference to either the treatment of a patient, or when seeking payment for their care
  • Patient’s gained the right to restrict disclosure of their health information to health plans 
  • Individual’s also gained the ability to access their electronic PHI (ePHI)

The Omnibus Rule; Other Significant Changes

  • In the Breach Notification Rule , it was required that organizations report breaches where there was a significant potential of harm to over 500 people. The Omnibus Rule changes this and says that any unauthorized use or sharing of protected health information should be presumed to be a breach. This has certainly led to a higher number of reported data breaches each year. 
  • Increased limitations were placed on sharing protected health information (PHI). One example was that PHI was no longer allowed to be sold to anyone without direct, written permission from the patient. If permission is granted by the patient, the patient retains their right to reverse this authorization at any time and ask the Covered Entity to stop using their health info.
  • In expanding one of the main goals of HIPAA, The Omnibus Rule gave more rights for individuals to access their own ePHI. 
  • The tiered penalties against organizations that violate HIPAA and HITECH were updated and the extent of enforcement was increased. 
  • The Omnibus Rule requires changes to & redistribution of each covered entity’s notice of privacy practices (NPPs)

The HITECH rule made the changes, but the Omnibus Rule put muscle behind those changes. This law modified the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. This law did not contain a ton of new information that has not been mentioned in previous legislation but rather it is finalization and summation of all that HIPAA contains and requires of it’s covered entities and business associates. 

Understanding all the aspects of the Omnibus Rule and HIPAA can be overwhelming and exhausting, but that is exactly why Accountable is here to simplify what it means to be HIPAA-compliant. Learn more today by booking a demo here!


More from the Blog

It Sounds Like The Plot Of A Movie: The Story of How Russian Spies Committed a HIPAA Violation in 2022
HIPAA

It Sounds Like The Plot Of A Movie: The Story of How Russian Spies Committed a HIPAA Violation in 2022

Rubric Health has achieved HIPAA Compliance with Accountable
HIPAA

Rubric Health has achieved HIPAA Compliance with Accountable

Skali has achieved HIPAA Compliance with Accountable
HIPAA

Skali has achieved HIPAA Compliance with Accountable

Top 10 HIPAA Policy and Procedure Standards Every Healthcare Business Owner Should Know
HIPAA

Top 10 HIPAA Policy and Procedure Standards Every Healthcare Business Owner Should Know

Simplifying Medical Release Forms: Your Path to HIPAA Compliance with Accountable
HIPAA

Simplifying Medical Release Forms: Your Path to HIPAA Compliance with Accountable

Accountable Simplifies Your Annual HIPAA Training Requirements for Staff
Compliant Tools

Accountable Simplifies Your Annual HIPAA Training Requirements for Staff

Understanding the HIPAA Minimum Necessary Rule: Why it Matters for Your Healthcare Organization
HIPAA

Understanding the HIPAA Minimum Necessary Rule: Why it Matters for Your Healthcare Organization

A Guide to Understanding HIPAA Compliance for Vendor Management
HIPAA

A Guide to Understanding HIPAA Compliance for Vendor Management

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by
Accountable Compliance Management Logo

We make it easy to build trust and manage risk for your company.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of ComplianceGet Support
Solutions
HIPAAGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password

"Quickly Establish Core HIPAA Compliance and Security Program Foundation" - Michael H.

© 2022 Accountable HQ, Inc.
SitemapTerms of ServicePrivacy Policy