The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What did the HIPAA Omnibus Rule Mandate?

The HIPAA Omnibus Rule mandated modifications to the Privacy, Security, and Enforcement Rules in order to adopt measures passed in the HITECH Act, finalized the Breach Notification Rule, and added standards to account for the passage of the GINA Act. The key provisions of the HIPAA Omnibus Rule were:

  • Make business associates of covered entities directly liable for HIPAA compliance.
  • Strengthen the limitations on uses and disclosures of Protected Health Information.
  • Expand individuals’ rights to restrict disclosures of Protected Health Information.
  • Expand individuals’ rights to request copies of their Protected Health Information.
  • Require modifications to – and require redistribution of – Notices of Privacy Practices.
  • Modify the authorization requirements for disclosures of Protected Health Information.
  • The adoption of a four-tiered civil monetary penalty structure for violations of HIPAA.
  • The finalization of the Breach Notification Rule and the revised “harm” threshold.
  • The addition of standards to account for the passage of the GINA Act 2008.

What was the HIPAA Omnibus Rule of January 2013?

The HIPAA Omnibus Rule of January 2013 consisted of four Final Rules that were combined into one Omnibus Rule to reduce the impact of the changes and the number of times covered entities and business associates would need to undertake compliance activities. Although the Omnibus Rule took effect in March 2013, some of the changes were already in force because Interim Rules had been issued following the passage of the HITECH Act in 2009.

For example, an Interim Rule to explain what information the Breach Notification Rule applied to was published in April 2009, followed by a further Interim Rule to implement the breach notification provisions of the HITECH Act in August 2009. The changes attributable to the Genetic Information Nondiscrimination Act (GINA) were published as a Proposed Rule in April 2009, while the proposed modifications to the Privacy, Security, and Enforcement Rules were published in July 2010.

Despite covered entities and business associates having up to four years to prepare for the changes mandated by the HIPAA Omnibus Rule, and despite the new categories of HIPAA violations to address violations attributable to reasons other than willful neglect, it appears few covered entities and business associates were ready for the Final Omnibus Rule of January 2013. OCR penalties for HIPAA violations doubled over the next five years and have increased further since.


What did the HIPAA Omnibus Rule Mandate in Greater Detail?

It is worth noting that the HIPAA Omnibus Rule did not mandate all the modifications passed in the HITECH Act, and that there have been changes to the Privacy and Enforcement Rules since the publication of the HIPAA Omnibus Rule of 2013. One of the main provisions of the HITECH Act not mandated by the HIPAA Omnibus Rule was settlement sharing (which is still under discussion), while the Privacy Rule has been amended twice to accommodate other Acts, and the Enforcement Rule is amended every year to account for inflationary increases in the penalties for HIPAA violations.

To explain exactly what the HIPAA Omnibus Rule mandated in 2013, we need to look at each of the modifications and finalizations individually:

Make business associates of covered entities directly liable for HIPAA compliance.

Prior to the HIPAA Omnibus Rule of 2013, if a business associate violated HIPAA, the covered entity to which the business associate was providing a service would be liable for the violation, as business associates were considered agents of covered entities. By amending Subpart D of the General Rules and §164.500 of the Privacy Rule, business associates of covered entities – and subcontractors of business associates – became directly liable for their own HIPAA violations.

Strengthen the limitations on uses and disclosures of Protected Health Information.

The new limitations on uses and disclosures of Protected Health Information were themselves “limited”. Rather than making widespread changes to the Privacy Rule, the HIPAA Omnibus Rule only gave patients and plan members the right to opt out of fundraising communications and conditioned the sale of Protected Health Information (that is not de-identified) on an authorization signed by the individual who is the subject of the Protected Health Information or their personal representative.

Expand individuals’ rights to restrict disclosures of Protected Health Information.

Individuals already had the right to request restrictions on how their Protected Health Information is used and disclosed, but – prior to the Omnibus Rule – covered entities were not required to agree to the requests. A new clause in §164.522 required covered entities to agree to a request if the request related to withholding payment information from a health plan when the individual, or a person on the individual’s behalf other than the health plan, has paid for the treatment or medical equipment in full out of pocket.

Expand individuals’ rights to request copies of their Protected Health Information.

This change to the Privacy Rule required covered entities (and business associates where applicable) to provide electronic copies of Protected Health Information to individuals in the format requested by the individuals where the information was readily available in that format. The Rule change had a considerable amount of flexibility inasmuch as covered entities could offer to provide electronic information in alternate formats or via a hard copy if no suitable electronic format could be agreed.

Require modifications to – and require redistribution of – Notices of Privacy Practices.

The requirement to modify and redistribute Notices of Privacy Practices arose due to the strengthened limitations and the expansion of individuals’ rights being material changes to privacy practices. Although the requirement already existed (in §164.520(c)), the notes accompanying the Omnibus Rule explain how health plans and healthcare providers can comply with the redistribution requirement to avoid unnecessary costs and administrative processes.

Modify the authorization requirements for disclosures of Protected Health Information.

While the Omnibus Rule added the requirement to obtain an authorization prior to the sale of Protected Health Information, other events were removed from the list of uses and disclosures requiring prior written authorization. These included seeking a parent’s written authorization before disclosing a child’s immunization status to a school (the parent’s agreement must still be obtained and documented) and seeking a personal representative’s authorization for the disclosure of Protected Health Information once an individual has been dead for fifty years.

The adoption of a four-tiered civil monetary penalty structure for violations of HIPAA.

When HIPAA was passed in 1996, the penalties for violations of HIPAA were capped at $100 per violation up to a maximum of $25,000 per year for violations of an identical provision. In addition, the penalties could only be issued if there was evidence of willful neglect to comply with HIPAA. The HITECH Act introduced a new four-tier penalty structure and increased the civil monetary penalties that could be issued to $50,000 per violation up to a maximum of $1,500,000 per year for violations of an identical provision. The penalties have since increased further.

The finalization of the Breach Notification Rule and the revised “harm” threshold.

Although the Breach Notification Rule had been in effect since 2009, the HIPAA Omnibus Rule of January 2013 added new standards to the Breach Notification Rule and amended existing standards in the Privacy and Security Rules to make it clear what constituted a breach and who was responsible for notifying it. The revised “harm” threshold replaced the previous “significant risk of harm” test with a presumption that any impermissible use or disclosure is a notifiable breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the Protected Health Information has been compromised. In other words, the burden shifted to the organization to justify not notifying the affected individuals and HHS’ Office for Civil Rights.

The addition of standards to account for the passage of the GINA Act 2008.

The Genetic Information Nondiscrimination Act of 2008 (GINA) made it unlawful for health insurance companies and employers to discriminate against individuals based on genetic information. The HIPAA Omnibus Rule amended the definition of health information to include genetic information (so that individually identifiable genetic information is Protected Health Information) and expressly prohibited health plans from using or disclosing genetic information for underwriting purposes.

The Consequences of the HIPAA Omnibus Final Rule

The consequences of the HIPAA Omnibus Final Rule mandate changes were that individuals became more conscious of their HIPAA rights, that the scale of data breaches became more apparent, and organizations began to take HIPAA compliance more seriously. However, more than ten years after the publication of the HIPAA Omnibus Final Rule 2013, there is still a lot more that can be done to educate individuals about their rights, reduce data breaches, and improve compliance.

One of the concerns with regards to the lack of HIPAA compliance is that large scale changes to HIPAA are forecast over the next few years. Organizations that are not complying with HIPAA now will find it harder to comply with HIPAA in the future. This may not only result in financial penalties, but – according to HHS’ new Cybersecurity Strategy – could result in expulsion from Medicare and Medicaid programs for healthcare providers that fail to meet Cybersecurity Performance Goals.

Covered Entities and business associates that have failed to keep up with the changes mandated by the HIPAA Omnibus Final Rule of January 2013 are advised to assess their current privacy and security practices, implement measures to fill any gaps in compliance, and support the measures with comprehensive HIPAA training. Organizations unsure about any shortcomings in compliance or how to address them should seek professional HIPAA compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal and is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve Alder is considered an authority in the healthcare industry on HIPAA, and The HIPAA Journal has evolved into the leading independent authority on HIPAA under his editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
