Which HIPAA Rule Incorporated Privacy and Security Provisions? The Omnibus Rule Explained

Kevin Henry

HIPAA

February 14, 2025

5 minutes read
Overview of the HIPAA Omnibus Rule

If you’re asking which HIPAA rule incorporated privacy and security provisions, the answer is the HIPAA Omnibus Rule. Published in January 2013, with a compliance date of September 23, 2013, it updated the HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, and the Enforcement Rule in one comprehensive package.

The Omnibus Rule strengthened protections for Protected Health Information (PHI), expanded who must comply, and aligned HIPAA with the HITECH Act and the Genetic Information Nondiscrimination Act (GINA). In practical terms, it modernized HIPAA for an electronic, data-sharing healthcare ecosystem while preserving patient trust.

Implementation of HITECH Act Provisions

The HITECH Act of 2009 introduced stronger privacy and security standards for electronic PHI; the Omnibus Rule is the final regulation that put many of those standards into effect. It sharpened accountability and made explicit that the HIPAA Privacy Rule and HIPAA Security Rule apply beyond traditional covered entities.

  • Extended HIPAA Security Rule safeguards to business associates and their subcontractors to protect ePHI.
  • Operationalized the Breach Notification Rule by replacing the earlier "risk of harm" standard with a presumption of breach and a four-factor risk assessment.
  • Restricted marketing and the sale of PHI without valid authorization, tightening patient control.
  • Enhanced patient access rights, including electronic copies and directed transmissions to third parties.
  • Elevated enforcement with tiered civil monetary penalties and mandatory investigations where willful neglect is indicated.

Expansion of Business Associate Responsibilities

The Omnibus Rule made business associates—and their subcontractors—directly accountable for compliance. If you provide services like EHR hosting, claims processing, data analytics, cloud storage, or transcription that involve PHI, you must meet Security Rule standards and certain Privacy Rule requirements.

  • Business Associate Agreements must spell out permitted uses, safeguards, breach reporting, and “flow-down” duties to subcontractors.
  • Required actions include risk analysis, risk management, workforce training, access controls, audit logging, and incident response.
  • Business associates face the same enforcement exposure as covered entities for violations involving PHI.

Enhancements to Breach Notification Requirements

The Omnibus Rule replaced the old "risk of harm" approach with a presumption that an impermissible use or disclosure of unsecured PHI is a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. Your risk assessment must consider at least these four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom it was disclosed.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, by obtaining satisfactory assurances that the recipient destroyed the information without further use).

Notifications to affected individuals must be made without unreasonable delay and no later than 60 calendar days after the breach is discovered. Larger incidents carry added duties: notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected, and notice to HHS at the same time as individual notice when 500 or more individuals are affected (smaller breaches are logged and reported to HHS annually). The "safe harbor" for properly encrypted data remains a key strategy: PHI encrypted in line with HHS guidance (which references NIST standards) is not "unsecured PHI," so its loss does not trigger notification, provided the decryption key was not also compromised.


Strengthening of Patient Rights

The Omnibus Rule reinforced patient control over PHI. You must provide timely access to records, including electronic copies where maintained electronically, and—on request—transmit an e-copy to a third party designated by the patient.

Patients can require you to restrict disclosures to a health plan for a specific item or service when they pay for it out-of-pocket in full. Updated Notices of Privacy Practices must explain these rights and uses, including limits on marketing and the sale of PHI, and provide a clear opt-out for fundraising communications.

Enforcement and Compliance Updates

OCR’s enforcement framework now features four penalty tiers that scale with culpability, from violations the entity did not know about (and could not reasonably have known about), through reasonable cause, to willful neglect that is corrected and willful neglect that is not, each with its own per-violation maximum and an annual cap per identical provision. Indications of willful neglect trigger a mandatory investigation and can lead to resolution agreements and corrective action plans.

  • Prioritize an enterprise-wide risk analysis and ongoing risk management.
  • Refresh policies, procedures, and Business Associate Agreements to reflect Omnibus requirements.
  • Train your workforce, test incident response, and document everything to demonstrate compliance.

Implications of Genetic Information Nondiscrimination Act (GINA)

The Omnibus Rule implements GINA by defining genetic information, including family medical history and genetic test results, as health information, so it is PHI when held by a covered entity or business associate. Health plans are prohibited from using or disclosing genetic information for underwriting purposes, with a limited exception: issuers of long-term care policies are not subject to this specific underwriting ban.

Notices of Privacy Practices must reflect these limits, and internal processes should prevent the collection or use of genetic data for underwriting. The takeaway: genetic information receives heightened privacy protections within HIPAA.

In summary, the HIPAA Omnibus Rule is the vehicle that integrated privacy and security enhancements across HIPAA, implemented HITECH Act provisions, expanded business associate accountability, refined breach notifications, strengthened patient rights, and embedded GINA safeguards—so you can protect PHI with clarity and confidence.

FAQs

What is the HIPAA Omnibus Rule?

The HIPAA Omnibus Rule is a comprehensive update that aligned the HIPAA Privacy Rule, HIPAA Security Rule, Breach Notification Rule, and Enforcement Rule with the HITECH Act and GINA. It modernized HIPAA by strengthening PHI protections, expanding who must comply, and clarifying patient rights.

How did the Omnibus Rule change business associate obligations?

Business associates—and their subcontractors—became directly liable for Security Rule safeguards and certain Privacy Rule provisions. They must execute compliant Business Associate Agreements, conduct risk analyses, implement administrative, physical, and technical safeguards, and report breaches promptly.

What are the new breach notification requirements under the Omnibus Rule?

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a four-factor risk assessment shows a low probability that the PHI has been compromised. You must notify affected individuals without unreasonable delay and no later than 60 days after discovery, with added media and HHS notification duties for larger incidents and a continued safe harbor for properly encrypted data.

How does the Omnibus Rule affect patient rights?

Patients gained stronger access rights to electronic copies of PHI and can direct you to send their records to a third party. They can restrict disclosures to health plans when paying in full out-of-pocket, and must receive updated Notices of Privacy Practices explaining new limits on marketing, sale of PHI, and fundraising opt-outs.
