On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final Omnibus Rule to strengthen the privacy and security protections of HIPAA (the Health Insurance Portability and Accountability Act).

Known as the HIPAA Omnibus Rule of 2013, the final rule aimed to safeguard patient privacy and protect patients’ health information in an increasingly digital world.

The Omnibus Rule, which modified the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, was published in the Federal Register on January 25, 2013. The new rule went into effect on March 26, 2013, and the compliance date was September 23, 2013.


In 2009, President Barack Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act into law. This legislation mainly focused on changes to the HIPAA privacy regulations, but it also changed the requirements for breach notifications, business associate liabilities, and business associate agreements.

The HIPAA breach notification rule mandates that covered entities and their business associates notify patients and HHS following any breach of the individuals’ unsecured protected health information (PHI). Covered entities include health care providers, health plans, and health care clearinghouses. A business associate is any company or individual that does work for a covered entity (but is not an employee of that organization).

Under the Omnibus Rule, an organization should consider any improper use or disclosure of personal health information a breach that would trigger official notification requirements unless the company performs a risk assessment and determines that a breach did not occur.

The Omnibus Rule enhanced the enforcement component of the law, giving the HHS OCR (Office for Civil Rights) more power to enforce the rules and levy fines. It also made changes to the Genetic Information Nondiscrimination Act, classifying genetic information as protected health information. As such, the rule imposed restrictions that stopped health plans from using genetic information for underwriting purposes.

In part, the final rule included these provisions:

  • Gave patients more rights by letting them ask for copies of their medical records in electronic form if they were available electronically.
  • Broadened the definition of a business associate to include all organizations that created, received, maintained, or transmitted PHI on behalf of a covered entity. Business associates include patient safety organizations and health information organizations.
  • Expanded the requirements of the privacy and security rules to physicians’ business associates and their subcontractors.
  • Established new limitations on how organizations could use personal health information for marketing and fundraising.
  • Prohibited the sale of patients’ personal health information without their consent.
  • Required covered entities to modify and redistribute their individual notices of privacy practices.
