
By Carols Leyva
Published: February 3, 2013

HIPAA Omnibus Rule Summary

I have argued before that the HHS HIPAA Omnibus Rule ("the Rule") is neither a "Tweak" nor a "Sweeping Reform." There is far too much substantive law in the Omnibus Rule for it to be characterized as the former, and it cannot be characterized as the latter either. The HITECH Act was sweeping; for the most part, the Omnibus Rule simply carries HITECH through to (that is, applies it to) the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Enforcement Rule.

Sure, there are some "odds and ends" that deal with something other than these four Rules, but they are a very small part. What is "sweeping," however, is the clarification and commentary that HHS has provided as part of the Final Omnibus Rule. For the foreseeable future the PDF version of the Omnibus Rule will remain the "go to" place for HHS guidance on any number of issues. Although this article attempts to summarize the Omnibus Rule's changes to the various HIPAA Rules, there is simply no substitute for going to the source itself. That being said, on with the summary...

HHS's Summary of the HIPAA Omnibus Rule

HHS summarized the over 500 pages of Omnibus Rule as follows:

"This omnibus final rule is comprised of the following four final rules:

  1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
    1. Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
    2. Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
    3. Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
    4. Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
    5. Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    6. Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
  2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
  3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
  4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009."

The HIPAA Survival Guide's Take on the HIPAA Omnibus Final Rule

Although HHS presents an excellent summary from 100K feet, we will attempt a more detailed summary to give you a look at the prominent changes under each rule. In addition, the full HIPAA Omnibus Rule text, as reflected in the updated Rules, is now available on the HIPAA Survival Guide. It is safe to say that "we aren't in Kansas anymore and this is not your daddy's HIPAA."

Before diving into a detailed review, we need to emphasize that much of the Omnibus Rule is not new rule making, but rather the finalization of HHS Interim Final Rules ("IFRs") and proposed rule making that was already available for public review. In short, there is very little new in the Omnibus Rule that hasn't been covered before. However, if you are unfamiliar with the HITECH Act and the HHS rule making that followed, the Omnibus Rule is likely to appear daunting and somewhat overwhelming.

It is our goal, as always, to simplify without losing any substance, and to help you see both the forest and the trees.

HHS' Prior Rule Making and Proposed Rules

Since enactment of the HITECH Act, a number of steps have been taken to implement the strengthened privacy, security, and enforcement provisions through rulemakings and related actions.

On August 24, 2009, the Department published interim final regulations to implement the breach notification provisions at section 13402 of the HITECH Act (74 FR 42740), which were effective September 23, 2009.

Similarly, the Federal Trade Commission (FTC) published final regulations implementing the breach notification provisions at section 13407 for personal health record vendors and their third party service providers on August 25, 2009 (74 FR 42962), effective September 24, 2009.

For purposes of determining to what information the HHS and FTC breach notification regulations apply, the Department also issued, first on April 17, 2009 (published on April 27, 2009, 74 FR 19006), and then later with its interim final rule, the guidance required by section 13402(h) of the HITECH Act specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals (in practice, encryption and destruction). Protected health information secured by one of those methods is not "unsecured," and a breach of it does not trigger the notification obligations.

Additionally, to conform the provisions of the Enforcement Rule to the HITECH Act’s tiered and increased civil money penalty structure, which became effective on February 18, 2009, the Department published an interim final rule on October 30, 2009 (74 FR 56123), effective November 30, 2009.

The Department published a notice of proposed rulemaking (NPRM) on July 14, 2010 (75 FR 40868) to implement many of the remaining privacy, security, and enforcement provisions of the HITECH Act. The public was invited to comment on the proposed rule for 60 days following publication. The comment period closed on September 13, 2010. The Department received about 300 comments on the NPRM.

Comment: With the exception of the Genetic Information Nondiscrimination Act provisions (i.e. the treatment of genetic information as Protected Health Information), very little (if anything) in the Omnibus Rule comes from "outside" the Interim Final Rules or the NPRM of July 14, 2010. However, HHS clearly made modifications to the NPRM in the Omnibus Rule, and made other modifications to conform the HIPAA regulations to the HITECH Act. These are best understood on a rule-by-rule basis, as discussed below.

Effective Dates

The final Omnibus Rule becomes effective on March 26, 2013. Covered Entities and Business Associates of all sizes will have 180 days beyond the effective date of the final rule (i.e. until September 23, 2013) to come into compliance with most of the final rule's provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. However, there are some key exceptions and extensions that you will want to pay attention to, as discussed below.

The Interim Final Rules previously promulgated are "good law" (i.e. already in effect). Therefore, during the 180-day period before compliance with this Final Rule is required, Covered Entities and Business Associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the Interim Final Rule(s). Again, as indicated, much of what is contained in the Omnibus Rule simply should not come as a surprise.

Modifications to Key Definitions

Part of the key to understanding the HITECH/HIPAA regulations is to become intimately acquainted with core concepts as reflected in key definitions. Some of these key definitions were changed by the Omnibus Rule as described below.

Business Associate

The Omnibus Rule ("the Rule" or "Rule" or "Final Rule") contains a significant amount of discussion related to the changed definition of Business Associate. HHS goes to great length (see pp. 18-36 of the PDF) in discussing who is, and who is not, considered a Business Associate, including subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of a Business Associate.

Change Summary

Protected Health Information

HHS changed the definition of Protected Health Information so that the Privacy and Security Rules no longer protect the individually identifiable health information of persons who have been deceased for more than fifty (50) years.

Workforce Member

The definition of Workforce was changed to make clear that the term includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Business Associate, is under the direct control of the Business Associate, because some provisions of the Act and the Privacy and Security Rules place obligations on the Business Associate with respect to workforce members. In short, the term now applies to both Covered Entities and Business Associates.

HIPAA Enforcement Rule

Section 13410 of the HITECH Act made several amendments to the Social Security Act to strengthen the HIPAA Enforcement Rule, which applies to the Secretary’s enforcement of all of the HIPAA Administrative Simplification Rules, as well as the Breach Notification Rule.

On October 30, 2009, the Department issued an interim final rule (IFR) revising the Enforcement Rule to incorporate the provisions of section 13410(d) of the HITECH Act that took effect immediately to apply to violations of the HIPAA Rules occurring after the enactment date of February 18, 2009. See 74 FR 56123. In general, section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act to establish four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation, with a maximum penalty amount of $1.5 million annually for all violations of an identical provision.

Comment: What has been misunderstood by many is that the $1.5 million is not a comprehensive maximum fine for a given category/year, but rather a maximum per calendar year for all violations of an identical provision. The commentary by HHS in the Omnibus Rule makes this clear. Therefore, there is no theoretical maximum fine per year. The total will ultimately be at the discretion of HHS and depends on how many different provisions are found to have been violated (see the Rule pp. 47-89).

HHS provides over forty (40) pages of commentary regarding the Enforcement Rule and there is no way we can do the full discussion justice. Therefore we will summarize what we believe to be the most salient points.

HIPAA Security Rule

The Omnibus Rule modifications to the HIPAA Security Rule (and its definitions) tend to be more "conforming and procedural" than the modifications to the HIPAA Privacy Rule or the Breach Notification Rule (see the Rule pp. 89-103). If you are looking for the real "meat and potatoes" changes imposed by the Omnibus Rule then the place to start is with the latter two rules. That said, the HIPAA Security Rule ("SR") does not escape unscathed.

HIPAA Privacy Rule

The Omnibus Rule's changes to the HIPAA Privacy Rule ("PR"), and commentary related to same, are extensive (see the Rule pp. 103-294). These modifications contain both substantive and technical (i.e. conforming/cleanup) changes which include, but are not limited to, the following subject matter areas: 1) Marketing Communications; 2) Business Associates; 3) Authorizations; 4) Fundraising; and 5) Notice of Privacy Practices ("NOPP").

Comment: Although of late the HIPAA Security Rule has gotten the most attention because of Meaningful Use attestations, the HIPAA Privacy Rule is the real 800-pound gorilla that encompasses the essence of the HIPAA Rules from a public policy perspective.

Here's our summary of the changes to the HIPAA Privacy Rule:

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule ("BNR") did not exist prior to the HITECH Act. Section 13402 of the HITECH Act requires a Covered Entity to provide notification to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured Protected Health Information. In some cases, the Act requires Covered Entities to also provide notification of a breach to the media. In the case of a breach of unsecured Protected Health Information at a Business Associate of a Covered Entity, the Act requires the Business Associate to notify the Covered Entity.

This is nothing new; it has been the law for a couple of years now. The Final Rule simply finalizes the Breach Notification Interim Final Rule, published on August 24, 2009 and in effect since September 23, 2009. Here's our summary of the changes to the HIPAA Breach Notification Rule (see pp. 294-375 of the Rule):

Comment: Do not be misled by the brevity of this section as compared to that of the HIPAA Privacy Rule. The Final Rule adopted much of the Interim Final Rule and therefore not as much commentary was necessary.

HIPAA Omnibus Rule Summary

We have attempted to distill the essence of the HHS HIPAA Omnibus Rule into far fewer than the 500-plus pages of the original source. In order to do so, however, we have eliminated many of the examples and hypotheticals that HHS responded to as it walked readers through the changes to each rule. Those responses provide invaluable guidance, and we encourage readers to refer to the source for a much deeper understanding.