What is the HIPAA Omnibus Rule?

The HIPAA Omnibus Rule is a set of regulations issued by the U.S. Department of Health and Human Services (HHS) that modifies the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and other laws related to health information privacy and security. The Omnibus Rule was published in 2013 and went into effect on September 23, 2013.

The Omnibus Rule includes a number of provisions that strengthen individuals' privacy and security protections for their protected health information (PHI). Some of the key provisions of the rule include:

  • Expanding the definition of "business associate" to include subcontractors, and making business associates directly liable for compliance with certain HIPAA Privacy and Security Rule requirements.
  • Strengthening individuals' rights to receive electronic copies of their PHI, and expanding their rights to restrict certain disclosures of their PHI.
  • Requiring covered entities and business associates to notify individuals in the event of a breach of unsecured PHI, regardless of the level of risk posed by the breach.
  • Clarifying the circumstances under which covered entities may use or disclose PHI for research purposes, and requiring that certain provisions be included in research authorizations.
  • Strengthening the requirements for authorizations for the use or disclosure of PHI for marketing purposes.
  • Requiring that covered entities revise their Notices of Privacy Practices (NPPs) to reflect the changes made by the Omnibus Rule, and distribute the revised NPPs to individuals.

The Omnibus Rule also increased the penalties for HIPAA violations and expanded the enforcement authority of HHS.