The HIPAA Omnibus Rule

The HIPAA Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register. The Federal Register has published the final Omnibus rules written by the U.S. Department of Health and Human Services (HHS) that will modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The United States Government’s requirement to implement Electronic Medical Records and Health IT compliance has prompted the US Government to adopt the long awaited HIPAA Omnibus Rule.

The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act (GINA). The rule changes outlined in this HIPAA security rules summary are not surprises but are very impacting and will change the responsibilities imposed on covered entities, business associates and subcontractors.

The rule effectively merges four separate rule makings, which are as follows:

• Amendments to HIPAA Privacy and Security rules requirements;
• HIPAA and HIPAA HITECH under one rule now;
• Further requirements for data breach notifications and penalty enforcements;
• Approving the regulations in regards to the HITECH Act’s breach notification rule;
The Omnibus Rule includes regulations that will
• Manage the use of patient information in marketing;
• Includes a provision that requires healthcare providers to report data breaches that are deemed not harmful;
• Makes certain that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA.
• The rule requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.

hipaa omnibus rule

Breach Notification

HHS has eliminated the harm threshold that requires the entity to provide a notice of a security breach should the breach pose a significant risk of harm to affected individuals and that the breach was over 500 individuals. It has implemented instead that any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule will be presumed to be a reportable breach. Covered entities and business associates can prevent this deduction by conducting a risk analysis using the four factors that HHS published in the rule, but HHS has made clear that its expectation is that impermissible uses and disclosures of PHI will likely be a reportable breach. This change will mean an increase in the number of breaches reported.

HIPAA Omnibus Rule and Business Associates

Some of the Privacy Rule and all of the Security Rule enforcement now apply directly to business associates and their subcontractors. Business associate agreements are likely to require an update and, in light of breach requirements and increasing compliance reviews, covered entities should improve their process to review business associate compliance and consider appropriate liability protections in their business associate agreements. HHS has provided a new Business Associate for Entities use.

Let’s Simplify Compliance

Do you need help with business associate compliance? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance
hipaa omnibus rule 2013

Enforcement and Penalties

HHS has retained its penalty schedule that is currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on an entities due diligence and level of willful neglect. These fines can be up to an annual maximum cap of $1.5 million per violation. Business associates and subcontractors are directly liable for their violations, but covered entities also can be penalized for their violations. A covered entity can get blame for a Business Associate if it has not acquired the necessary assurances that the BA is complying with the HIPAA act. HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.