The HIPAA omnibus rule (Health Insurance Portability and Accountability Act of 1996 omnibus rule), in a health information technology (HIT) context, is a rule enacted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) that modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA omnibus rule marks the most extensive changes to the HIPAA Privacy and Security Rules since they were first implemented. Changes include:
- Strengthening the privacy and security protection for individuals' protected health information (PHI).
- Modifying the Breach Notification Rule for Unsecured Protected Health Information, putting in place more objective standards for assessing a health care provider's liability following a data breach.
- Modifying the HIPAA Privacy Rule to strengthen the privacy protections for genetic information.
- Outlining the Office for Civil Rights' (OCR's) data privacy and security enforcement strategies, as updated for the electronic health record (EHR) era mandated by the HITECH Act.
- Holding HIPAA business associates, including their subcontractors, to the same compliance standards for protecting PHI as covered entities.
- Stipulating that when patients pay by cash they can instruct their provider not to share information about their treatment with their health plan.
- Setting new limits on how information is used and disclosed for marketing and fundraising purposes.
- Prohibiting the sale of an individual’s health information without their permission.
- Making it easier for parents and others to give permission to share proof of a child’s immunization with a school.
- Streamlining individuals’ ability to authorize the use of their health information for research purposes.
- Increasing penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
- Guaranteeing that organizations can operate with certainty that their privacy and security policies comply with all applicable regulations.
The 563-page rule, released Jan. 17, 2013, goes into effect March 26, 2013. HIPAA covered entities and business associates have 180 days afterward – or until Sep. 22, 2013 – to come into compliance with most of the final rule’s provisions.
The proposed rule was first released in July 2010, and the final rule had been under review at the Office of Management and Budget since March 2012. Officials delayed the final release until January 2013 in order to address stakeholder concerns.