Omnibus HIPAA rule
Omnibus HIPAA Rulemaking
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Under the rule, business associates are directly liable for their own non-compliance and for the civil money penalties that follow from it. The update also strengthened patient privacy protections and gave individuals new rights over their health information.
The Omnibus Rule finalized:

- Modifications to the HIPAA Privacy, Security, and Enforcement Rules
- Changes to the HIPAA Enforcement Rule incorporating the increased, tiered civil money penalty structure established by the HITECH Act
- Changes to breach notification for unsecured PHI under the HITECH Act: instead of the covered entity having to establish that an incident caused a significant risk of harm, an impermissible use or disclosure is now presumed to be a breach unless the entity can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised
- Modifications to the HIPAA Privacy Rule addressing the GINA (Genetic Information Nondiscrimination Act) to prohibit most health plans from using or disclosing genetic information for underwriting purposes
- Patients may pay out of pocket in full and instruct their provider to refrain from sharing information about their treatment with their health plan
- Federal common law of agency: a covered entity is liable for the acts of a business associate acting as its agent, and business associates and their subcontractors are held directly to HIPAA's requirements, subject to the same fines and penalties as covered entities
- Healthcare providers can share immunization records directly with schools on the basis of a written or oral agreement from the student's parent or guardian, which the provider must document
- The Omnibus Rule adopted HITECH's prohibition on the sale of PHI and on marketing communications without the individual's authorization, together with its requirement that fundraising communications offer a clear opt-out
On January 25, 2013, the HIPAA Omnibus Rule was published in the Federal Register, finalizing the modifications to the HIPAA Privacy and Security Rules; covered entities and business associates had until September 23, 2013 to comply. The Omnibus Rule also changed the Enforcement Rule and the Breach Notification Rule and implemented the Genetic Information Nondiscrimination Act (GINA). The 2013 rule did not address the outstanding HITECH provisions on accounting of disclosures, minimum necessary guidance, or distribution of a share of monetary penalties to the individuals harmed.
The major components of the HIPAA Omnibus Rule of 2013 address:

- Business associates’ liability and requirement changes
- Marketing and protected health information
- Sale of protected health information
- Compound authorizations for research, and authorizing for future research studies
- Decedents and protected health information, including the 50-year limit on HIPAA protection after death
- Disclosures of a decedent's protected health information to family members and others involved in the decedent's care
- Disclosure of immunization information to schools
- Fundraising and protected health information
- The need to update and distribute the notice of privacy practices
- Patients' right to restrict disclosure of protected health information to a health plan when they pay for the service out of pocket in full
- Access to protected health information in electronic formats
- Breach notification rule updates
- Genetic information treated as protected health information, and the resulting prohibition on most health plans using it for underwriting