
HIPAA Omnibus Rule Comes into Force

The HIPAA Omnibus Rule was published in the Federal Register on Jan 25, 2013 by the Department of Health and Human Services (HHS) as a set of amendments to the regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The rule came into force on March 26, 2013 and modifies the existing HIPAA Privacy, Security, Enforcement and Breach Notification Rules to provide greater protection for patient data, extending the reach of HIPAA to business associates and bringing the regulations into line with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HIPAA Omnibus Rule is not a single amendment but a combination of four final rules:

  1. Modifications to the HIPAA Privacy, Security and Enforcement Rules, including:
    1. Direct liability for HIPAA compliance extended to business associates and their subcontractors
    2. Sale of PHI prohibited without the individual's authorization; authorization is also required for most uses and disclosures of PHI for marketing, and individuals must be given the opportunity to opt out of fundraising communications.
    3. Greater rights for patients, including the right to obtain copies of their electronic health records in electronic form, and the right to restrict disclosures to a health plan about treatment the patient has paid for out of pocket in full.
    4. Notices of Privacy Practices must be updated by HIPAA-covered entities to reflect the new rights and restrictions
    5. Clarification of how covered entities and business associates identify privacy and security breaches and when those breaches are reportable.
  2. Adoption of the tiered civil penalty structure introduced by HITECH, including the increased penalty amounts
  3. Revision of the HITECH Breach Notification Rule: an impermissible use or disclosure of PHI is now presumed to be a reportable breach unless a risk assessment shows a low probability that the PHI has been compromised, replacing the earlier "risk of harm" threshold.
  4. Modification of the HIPAA Privacy Rule in accordance with the Genetic Information Nondiscrimination Act (GINA), as proposed in Oct 2009, to prohibit health plans from using or disclosing genetic information for underwriting purposes.

New Penalties for HIPAA Security Breaches

Violations of the Health Insurance Portability and Accountability Act (HIPAA) attract civil monetary penalties in one of four tiers, determined by the level of culpability. In the lowest tier, where the entity did not know of the violation and, by exercising reasonable diligence, would not have known, the penalty is between $100 and $50,000 for each violation.

Where the violation was due to reasonable cause and not willful neglect, the penalty rises to between $1,000 and $50,000 per violation. In cases of willful neglect that are corrected within 30 days of the entity becoming aware of the violation, the penalty is between $10,000 and $50,000 per violation. Where willful neglect is not corrected within that period, a minimum penalty of $50,000 per violation applies. In every tier, the total penalty for violations of an identical provision is capped at $1.5 million per calendar year.

Privacy, Security and Enforcement Rules for Breaches

A breach notification must be issued unless the covered entity or business associate can demonstrate, and document, that there is a low probability the PHI has been compromised. That demonstration takes the form of a risk assessment considering at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to patients has been mitigated.

Who Does the Omnibus Rule Affect?

Healthcare providers who transmit health information electronically, together with health plans and healthcare clearinghouses, are covered entities under HIPAA, and the new Omnibus Rule therefore applies to them. Business associates that create, receive, maintain or transmit PHI on behalf of a covered entity are now directly liable as well.

The business associate definition now expressly includes any entity that requires routine access to PHI in order to provide data transmission services to a covered entity, any entity that offers a personal health record on behalf of a covered entity, and any subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate. All of these must comply with the Omnibus Rule.

The Omnibus Rule constitutes a material change to privacy practices, and as such requires covered entities to update their Notices of Privacy Practices. Healthcare organizations and other covered entities have until Sept 23, 2013 to update their NPPs and implement the new rules. After this date a failure to implement the changes will be deemed non-compliance and is likely to incur financial penalties.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal and is responsible for its editorial policy. He is a specialist on healthcare industry legal and regulatory affairs, with 10 years of experience writing about HIPAA and related legal topics. Steve has developed a deep understanding of the regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. He manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
