The HIPAA Breach Notification Rule – This rule defines the actions an organization must take in the event of a PHI data breach. All affected parties must be notified in writing if at all possible. If the breach involves fewer than 500 records, a breach notification report must be filed with the Secretary of Health and Human Services within 60 days of the end of the calendar year in which it occurred.
If the breach affects 500 or more patients, a breach notification report must be filed with the Secretary of Health and Human Services within 60 days of the breach’s discovery, and the breach must also be reported to local media.
The Omnibus Rule – This rule was introduced to strengthen the privacy and security protections of PHI data under HIPAA by extending the HIPAA Privacy Rule’s obligations to Business Associates and their subcontractors.
This rule also modified the breach notification standard, expanded patient rights to access and restrict disclosure of PHI, and imposed new rules governing the uses and disclosures of PHI.
The HIPAA Enforcement Rule and You
The HIPAA Enforcement Rule does not directly apply to covered entities or business associates. Instead, it details how the Department of Health and Human Services defines compliance.
It empowers the HHS Office for Civil Rights (OCR) to investigate possible HIPAA violations by Business Associates or Covered Entities and to determine whether they complied with the standards of the law.
If they are found not to be in compliance with the law, OCR has the power to resolve the violation through voluntary compliance, corrective action plans, resolution agreements, or a combination of these.
The Enforcement Rule also grants OCR the authority to impose civil and criminal penalties for HIPAA violations, depending upon several factors, including the severity of the violation.