HIPAA Omnibus Rule: An Overview

The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act brought about significant changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.[1] The HIPAA Omnibus Rule finalizes these changes, and the deadline for compliance with most provisions was September 23, 2013. Penalties are becoming stricter, and enforcement is becoming more vigorous.

Some of the most significant provisions of the new HIPAA rules involve business associates:

  • The new rule expands the definition of “business associate”; entities that were not considered business associates under the old rule may be under the Omnibus Rule.[2]
  • Business associates of covered entities and certain subcontractors of business associates will be directly liable for compliance with and subject to penalties for violations of many HIPAA Privacy and Security requirements.[3]
  • HIPAA Privacy and Security Rules will now apply to the “workforce” of business associates as well as to covered entities.[4]
  • Business associates must execute Business Associate Agreements with certain “downstream” subcontractors, and “downstream” subcontractors must comply with many HIPAA provisions.[5]
  • Covered entities and business associates may be liable for the acts of some business associates.[6]

The new rule also includes increased protections for individual rights:

  • Sale of PHI without individual authorization is prohibited.[8]
  • Individuals’ ability to get electronic copies of their health information has been increased.[9]
  • Individuals who pay for treatments out of pocket can restrict disclosures of those treatments to a health care plan.[10]
  • Individual authorization requirements have been changed to allow easier research and disclosure of proof of child immunization to schools.[11]

The Omnibus Rule changes requirements regarding breaches of unsecured PHI:

  • Any impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity or business associate can demonstrate, using a risk analysis, that there is a low probability that the PHI has been compromised.[12]
  • The risk analysis must consider at least four factors: 1) to whom the information was disclosed, 2) whether the information was actually accessed or viewed, 3) the potential ability of the unauthorized recipient to identify the subject of the data, and 4) whether the recipient took appropriate mitigating actions.[13]

The Omnibus Rule also increases civil money penalties and implements a tiered scheme for violations[14] and prohibits most health plans from using or disclosing genetic information for underwriting purposes.[15]

Business Associate Agreements, Notices of Privacy Practices, and Policies and Procedures must be reviewed and revised to reflect these changes. Contact Feldman Kieffer today for a HIPAA compliance review.

[1] 78 Fed. Reg. 5565, 5566 (Jan. 25, 2013) (codified at 45 C.F.R. pts. 160 & 164).

[2] 45 C.F.R. § 160.103 (2013).

[3] Id. § 160.402.

[4] Id.

[5] Id. § 164.308(b)(1).

[6] Id. § 160.402.

[7] Id. § 164.508(a)(3).

[8] Id. § 164.508(a)(4).

[9] Id. § 164.524.

[10] Id. § 164.522(a)(vi).

[11] Id. § 164.512(b)(vi).

[12] Id. § 164.402.

[13] Id.

[14] Id. §§ 160.404, 406, 408, 412.

[15] Id. § 164.502(a)(5)(i).