The HIPAA Omnibus Rule is a Rule published by HHS’ Office for Civil Rights in January 2013 that modified areas of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules to comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Non-discrimination Act (GINA).
The HIPAA Omnibus Rule 2013 is responsible for several important changes to the Administrative Simplification Regulations of the Health Insurance Portability and Accountability Act (HIPAA). The changes were felt necessary to strengthen existing privacy and security protections and to increase flexibility for – and decrease the burden on – regulated entities.
The Rule was given the title “HIPAA Omnibus Rule” because it combined four Final Rules into one, reducing the impact of each individual Rule and the number of times regulated entities had to undertake compliance activities. Three of the Final Rules introduced measures required by the HITECH Act, while the fourth prohibited the use of genetic information for underwriting purposes.
Changes Introduced by the HIPAA Omnibus Rule 2013
Possibly the most significant change introduced by the HIPAA Omnibus Rule 2013 was to make business associates directly liable for compliance with the Security and Breach Notification Rules and any applicable regulations, standards, and implementation specifications of Part 160 Subpart A (the HIPAA General Provisions) and Part 164 Subpart E (the HIPAA Privacy Rule).
Prior to this change, HHS’ Office for Civil Rights had no right of action against business associates that violated HIPAA. While the agency could take enforcement action against a covered entity, business associates could only be held responsible for data breaches via breach of contract claims brought by the covered entities for whom they provided a service.
Most other changes introduced by the HIPAA Omnibus Rule 2013 affected existing Privacy Rule standards. For example, the HIPAA Omnibus Rule:
- Limited uses and disclosures of PHI for marketing and fundraising purposes.
- Prohibited the sale of PHI without individual authorization.
- Expanded individuals’ rights to receive electronic copies of their health information.
- Restricted disclosures of PHI to health plans when an individual pays for treatment in full.
- Required modifications to, and the redistribution of, Notices of Privacy Practices.
- Prohibited health plans from using or disclosing genetic information for underwriting purposes.
- Modified authorization requirements to facilitate research, to disclose child immunization status to schools, and to enable access to decedent information by family members.
Changes to the Enforcement and Breach Notification Rules
In the original text of HIPAA (§1176), the Secretary for Health & Human Services was authorized to impose civil monetary penalties of up to $100 for each failure to comply with the requirements and standards, up to a maximum penalty of $25,000 per year for violations of a similar nature – provided the violations were attributable to willful neglect.
The HITECH Act replaced this provision with a four-tier scale of penalties for HIPAA violations that not only increased the maximum penalties for willful neglect to $50,000 per violation, but also authorized the Secretary for Health & Human Services to impose civil monetary penalties for violations attributable to a lack of knowledge or a lack of oversight.
Finally, under a change to the Breach Notification Rule, the “harm” threshold was reversed. Rather than HHS’ Office for Civil Rights having to prove that an individual had suffered harm before it could commence enforcement action, the breached entity had to demonstrate a low likelihood of harm if it chose not to notify the individual and HHS’ Office for Civil Rights of a breach of unsecured PHI.
When Will There be Further Changes to HIPAA?
There have already been further changes to HIPAA since the publication of the HIPAA Omnibus Rule in 2013. The following year, HHS’ Office for Civil Rights removed an exception to an individual’s right of access following an amendment to the Clinical Laboratory Improvement Act; and, in 2016, a new subsection was added to the Privacy Rule that allows covered entities to disclose PHI to the National Instant Criminal Background Check System.
Between these two changes, the passage of the Federal Civil Penalties Inflation Adjustment Act Improvement Act enabled HHS’ Office for Civil Rights to increase the minimum and maximum penalties in the four-tier penalty scale to account for inflation. A subsequent reinterpretation of the HITECH Act means that the penalties for violations of HIPAA are currently:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $127 | $31,987 | $31,987 |
| Tier 2 | Lack of Oversight | $1,280 | $63,97 | $127,974 |
| Tier 3 | Willful Neglect | $12,794 | $63,973 | $319,865 |
| Tier 4 | Willful Neglect not Corrected within 30 days | $63,973 | $63,973 | $1,919,173 |
It is very likely there will be further changes to HIPAA, but it is not known when. A Notice of Proposed Rule Making (NPRM) was published by HHS’ Office for Civil Rights in January 2021 which proposes multiple changes to the Privacy Rule. This was followed by a further NPRM proposing attestations for disclosures of reproductive health information, and a “Request for Information” requesting input on how best to implement the settlement sharing requirement of the HITECH Act.
Covered entities and business associates are advised to keep up to date with proposed HIPAA Rule changes – especially those that deal with Substance Use Disorder records, as 42 CFR Part 2 may be included in the proposed attestation standards. Regulated entities that want to find out more about further changes to HIPAA can subscribe to HHS email alerts, review new entries in the Federal Register, or seek professional compliance advice.