HIPAA Omnibus Rule – Are You in Compliance with New Breach Notification Requirements?


On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued the Omnibus Rule, which significantly expands both the types of entities required to protect patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the penalties for non-compliance.

The Omnibus Rule becomes effective on March 26, 2013, and HIPAA covered entities and business associates must comply with its requirements by September 23, 2013. The rule modifies the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HHS investigations of HIPAA violations are on the rise. Last year, HHS settled with five covered entities for amounts ranging from $50,000 to $1.7 million:

  • The Hospice of Northern Idaho agreed to pay $50,000 after an unencrypted laptop containing health records was stolen.
  • Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. agreed to pay $1.5 million to settle potential violations of HIPAA after an unencrypted laptop was stolen.
  • Alaska Department of Health and Human Services agreed to pay $1.7 million after a USB hard drive possibly containing health records was stolen from an employee’s vehicle.
  • Phoenix Cardiac Surgery settled for $100,000 after the investigation concluded that the practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible.
  • Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million after they reported that 57 unencrypted computer hard drives had been stolen from a leased facility.

The HIPAA Privacy and Security Rules have so far focused on health care providers, hospitals, health plans and other entities that process health insurance claims. The Omnibus Rule extends many of the same requirements, and direct liability for violating them, to the business associates of these entities, such as vendors and subcontractors who have access to protected health information (PHI). Some of the largest breaches reported to HHS have involved business associates. Note that four of the five settlements listed above stem from the theft of unencrypted devices; PHI that is encrypted in accordance with HHS guidance is not "unsecured" PHI, so its loss does not by itself trigger breach notification.

Other changes include:

  • Clarification of when breaches of unsecured PHI must be reported to HHS under the HITECH Act's Breach Notification Rule: an impermissible use or disclosure is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, replacing the earlier "risk of harm" standard
  • Increased penalties for noncompliance, tiered by the level of negligence, with a maximum penalty of $1.5 million per violation (per calendar year for violations of an identical provision)
  • New limits on how PHI may be used and disclosed for marketing and fundraising purposes
  • A prohibition on the sale of an individual's health information without the individual's authorization
  • Expanded individual rights regarding access to medical records, sharing proof of immunizations with schools, and authorizing the use of health information for research

Covered entities and their business associates need to be in compliance with the Omnibus Rule by September 23, 2013. To get there, a business associate must either designate an information security officer to implement the compliance program, engage a consulting firm to implement it, or take a hybrid approach.

Contact me to learn more about how you can comply with the HIPAA Omnibus Rule and safeguard protected health information. Our information security and compliance team can provide risk assessments, security training and guidance on HIPAA and HITECH.

Download our healthcare data breaches white paper.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
