
The HIPAA Omnibus rule, made effective in 2013, is the final rule in the set of requirements laid out in HIPAA legislation. Enacted by the Office for Civil Rights (OCR) in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act and Genetic Information Nondiscrimination Act (GINA), the Omnibus Rule includes amendments to the previous HIPAA rules to improve confidentiality and security when data is shared between healthcare providers. The Omnibus Rule provides one document that includes all of the requirements for compliance with both HIPAA and HITECH. 

One of the key points of HIPAA legislation is to give patients greater control over who can access their medical records and when. Under the Omnibus Rule, covered entities must comply with a patient’s request to access or share their medical records.

In addition, the Omnibus Rule requires healthcare providers to maintain updated Business Associate Agreements to ensure that business associates are complying with the HIPAA Security Rule and Privacy Rule.

How the Omnibus Rule affects business associates

The HITECH Act makes business associates and subcontractors directly liable for their own HIPAA compliance. Previously, business associates signed a business associate agreement (BAA) to clearly define what they can and can’t do with PHI, and covered entities were held responsible for any noncompliance on behalf of their business associates.

The Omnibus Rule makes those compliance requirements enforceable for BAs — business associates are now subject to their own audits and fines for noncompliance by the U.S. Department of Health and Human Services (HHS). Covered entities are still responsible for getting appropriate assurances from their business associates that they are complying with HIPAA. 

Lastly, the Omnibus Rule requires covered entities and business associates to maintain and distribute updated Notice of Privacy Practices. 

How the Omnibus Rule affects the other HIPAA rules

The Omnibus Rule modifies the other HIPAA rules in a few ways:

The HIPAA Privacy Rule

The Omnibus Rule extends protections to protected health information (PHI) that is:

  • Used for marketing or fundraising purposes
  • Sold without express patient consent. PHI can no longer be sold without the patient's direct permission.
  • Shared during treatment or payment for care
  • Part of a student immunization record
  • Classified as genetic information

The Omnibus Rule also assures a patient’s right to restrict disclosure of their PHI to health plans and to access their own electronic PHI (ePHI).

The HIPAA Breach Notification Rule

Under the original HIPAA Rules, organizations were required to report breaches affecting more than 500 records. The Omnibus Rule modifies this to any unauthorized access of PHI under the Privacy Rule, regardless of the number of records affected. 

An easy way to stay compliant with HIPAA rules

Secureframe’s all-in-one security and privacy automation platform makes it easy to ensure compliance with HIPAA Rules. Train your employees on HIPAA best practices, track vendors with access to PHI, and automatically monitor your HIPAA safeguards. Learn more about simplifying HIPAA compliance with Secureframe. 
