It’s Time to Comply with New HIPAA Omnibus Rule


HIPAA covered entities and business associates must comply with the requirements of the new Omnibus Rule by September 23, 2013, in order to avoid stiff penalties.

The U.S. Department of Health and Human Services (HHS) issued the Omnibus Rule earlier this year, greatly expanding both the types of entities that are required to protect patient privacy and the penalties for non-compliance under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the new rule modifies the HIPAA Privacy, Security, Enforcement and Breach Notification Rules as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Up until this point, the HIPAA Privacy and Security Rules have mostly focused on health care providers, hospitals, health plans and other “covered entities” that process health insurance claims. The Omnibus Rule expands many of the requirements to business associates of these entities, such as vendors and subcontractors who have access to protected health information.

One of the requirements of the Omnibus Rule is that business associates must either identify an information security officer who can implement a compliance program, have a consulting firm implement the program or take a hybrid approach.

Other changes include:

  • Clarification of when breaches of unsecured health information must be reported to HHS under the HITECH Act’s Breach Notification Rule
  • Increased penalties for noncompliance, tiered by the level of negligence, with a maximum penalty of $1.5 million per violation
  • New limits on how information is used and disclosed for marketing and fundraising purposes
  • A prohibition on the sale of an individual’s health information without their permission
  • More individual rights for patients regarding medical records, sharing proof of immunizations and authorizing use of health information for research

If you’re affected by this new rule, we can help. Kaufman Rossin’s information security and compliance team can provide risk assessments, security training and guidance on HIPAA and HITECH, and help you safeguard protected health information. Contact me to learn more.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
