What is the HIPAA Omnibus Rule and how does it affect me?

In 2013, the Department of Health and Human Services (HHS) strengthened the enforcement of HIPAA and HITECH with the final omnibus rule (omnibus is a Latin term meaning “for everything”). But many covered entities and their business associates do not realize the legal ramifications of this rule. Because some of the largest HIPAA-related breaches that have occurred involved business associates, the omnibus rule expanded the requirements of business associates to abide by the same Privacy and Security Rules as the covered entities that they work with. Maximum penalties due to severe negligence increased to up to $1.5 million per violation.

According to HHS Office for Civil Rights Director Leon Rodriguez:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Rights of individuals were expanded in important ways, including:

  • Patients may request a copy of their medical record in an electronic format
  • When individuals pay out-of-pocket in full, they can instruct their provider not to disclose treatment information to their health plan
  • Broader limits are set on how health information can be used and disclosed for marketing and fundraising purposes
  • The sale of an individual's health information without their permission is prohibited
  • Parents/guardians can more easily allow health plans to disclose student immunization records to a school by giving either oral or informal written approval

Another very important directive was that covered entities may need to update their Business Associate Agreements (BAAs) to include the provisions of the omnibus rule. If you are a covered entity with business associates and haven’t already done so, consult with your legal counsel to ensure your BAAs are compliant. The bottom line is that we who work in healthcare need to work together to abide by all provisions of HIPAA, HITECH and the final omnibus rule.


The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to address insurance portability, fraud, and administrative simplification. Privacy and Security were two key sections of the law, and the term Covered Entity became the keyword for all health care entities that handled protected health information (PHI). The final Privacy Rule was published in 2001 and the final Security Rule in 2003. Deadlines for compliance came and went in the succeeding years, culminating in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) being signed into law, which made Business Associates accountable to the Security Rule as well, so that they became fully accountable to both the Security and Privacy Rules. Covered Entities and Business Associates can face noncompliance penalties including fines and, in severe cases, even prison time.

For more information on HIPAA, HITECH or the omnibus rule, visit www.hhs.gov or http://www.hhs.gov/news/press/2013pres/01/20130117b.html.

Thomas Streeter

Senior Vice President, Product Solutions
HCIM Co-Founder