HHS Releases Long-Awaited HIPAA Omnibus Rule

Author: Tracy Morley, XpertHR Legal Editor

On January 17, 2013, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its long-awaited Omnibus Rule containing modifications to the Privacy, Security, Enforcement and Breach Notification Rules under the Health Insurance Portability and Accountability Act (HIPAA). According to OCR Director Leon Rodriguez, the provisions in the final Omnibus Rule "not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections."

The final Omnibus Rule consists of the following four final rules.

  1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which include:
    1. Making business associates directly liable for compliance with HIPAA's privacy and security standards, and giving subcontractors of business associates the same compliance obligations as business associates;
    2. Strengthening the approach to marketing by requiring authorization for all treatment and health care operations communications when a covered entity receives financial remuneration for making the communication from a third party whose product or service is being marketed;
    3. Requiring an individual's authorization before a covered entity or business associate can sell protected health information (PHI);
    4. Expanding an individual's right to receive electronic copies of his or her PHI;
    5. Restricting disclosures to health plans concerning treatment for which an individual has paid out of pocket and in full; and
    6. Requiring covered entities to modify and redistribute their notice of privacy practices.
  2. The final rule adopting changes to HIPAA's Enforcement Rule incorporating the increased and tiered civil penalty structure provided by the HITECH Act.
  3. The final rule on breach notification for unsecured PHI under the HITECH Act. The new standard replaces the Breach Notification Rule's "harm" threshold. Under the new standard, a breach is presumed unless the covered entity can demonstrate a low probability that PHI has been compromised.
  4. The final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA).

The HIPAA final Omnibus Rule will be published in the Federal Register on January 25, 2013, and is effective March 26, 2013. Covered entities and business associates have until September 23, 2013, to comply.