The HIPAA Omnibus rule, made effective in 2013, is the final rule in the set of requirements laid out in HIPAA legislation. Enacted by the Office for Civil Rights (OCR) in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act and Genetic Information Nondiscrimination Act (GINA), the Omnibus Rule includes amendments to the previous HIPAA rules to improve confidentiality and security when data is shared between healthcare providers. The Omnibus Rule provides one document that includes all of the requirements for compliance with both HIPAA and HITECH. 

One of the key points of HIPAA legislation is to give patients greater control over who can access their medical records and when. Under the Omnibus Rule, covered entities must comply with a patient’s request to access or share their medical records.

In addition, the Omnibus Rule requires healthcare providers to maintain updated Business Associate Agreements to ensure that business associates are complying with the HIPAA Security Rule and Privacy Rule.

How the Omnibus Rule affects business associates

The HITECH Act makes business associates and subcontractors directly liable for their own HIPAA compliance. Previously, business associates signed a business associate agreement (BAA) to clearly define what they can and can’t do with PHI, and covered entities were held responsible for any noncompliance on behalf of their business associates.

The Omnibus Rule makes those compliance requirements enforceable for BAs — business associates are now subject to their own audits and fines for noncompliance by the U.S. Department of Health and Human Services (HHS). Covered entities are still responsible for getting appropriate assurances from their business associates that they are complying with HIPAA. 

Lastly, the Omnibus Rule requires covered entities and business associates to maintain and distribute an updated Notice of Privacy Practices.

How the Omnibus Rule affects the other HIPAA rules

The Omnibus Rule modifies the other HIPAA rules in a few ways:

The HIPAA Privacy Rule

The Omnibus Rule extends protections to protected health information (PHI) that is:

  • Used for marketing or fundraising purposes
  • Sold without express patient consent. PHI can no longer be sold without direct permission from the patient. 
  • Shared during treatment or payment for care
  • Part of a student immunization record
  • Classified as genetic information

The Omnibus Rule also assures a patient's right to restrict disclosure of their PHI to health plans and to access their own electronic PHI (ePHI).

The HIPAA Breach Notification Rule

Under the original HIPAA Rules, organizations were required to report breaches affecting more than 500 records. The Omnibus Rule modifies this to any unauthorized access of PHI under the Privacy Rule, regardless of the number of records affected. 

An easy way to stay compliant with HIPAA rules

Secureframe’s all-in-one security and privacy automation platform makes it easy to ensure compliance with HIPAA Rules. Train your employees on HIPAA best practices, track vendors with access to PHI, and automatically monitor your HIPAA safeguards. Learn more about simplifying HIPAA compliance with Secureframe. 


What does the Omnibus Rule include?

The Omnibus Rule includes a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA.

What is the purpose of the Omnibus Rule?

The purpose of the Omnibus Rule is to modify the HIPAA Privacy, Security, and Enforcement Rules to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities, according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

What is one of the most important changes in the final Omnibus Rule?

One of the most important changes in the final Omnibus Rule is how it clarified the scope of HIPAA. For example, it made it clear that business associates and their subcontractors must comply with HIPAA's requirements — or they will be held directly accountable for failure to do so. It also encompassed more entities that must comply with the law, including health information exchange networks and personal health records (PHRs) that are offered through a covered entity's electronic health record.

When was the Omnibus Rule passed?

The Omnibus Rule was released by HHS on January 17, 2013, and became effective on March 26, 2013. It combined and replaced four previously issued proposed and interim final rules.