Omnibus Final Rule Quick Overview

There is a lot of information to cover in the details of the Final Rule. This article only contains a list of bullet points.  All changes in the 2013 Omnibus Rule are not guaranteed to be included in this list. Each entity should make sure they review all aspects of the Rule with their business practices for compliance changes that may be required.

Effective Dates

  • Effective date for the omnibus rule requirements is March 26, 2013.
  • There is a grace period so the real compliance date is September 23, 2013.
  • The breach requirements are NOT included in the grace period
  • There are some specific allowances for getting new Business Associate Agreements signed when a BAA is already effective

Privacy Rule

  • Notice of Privacy Practices need updates and redistribution by all Covered Entities to their patients
  • Prohibition on Sale of PHI without Authorization is now specifically defined
  • Marketing Communications paid for by third parties now require patient authorization (with limited exceptions for Rx)
  • Opt-out option for fundraising communications must be available
  • Right to restrict disclosure to Health Plans of treatment and services paid for in cash
  • Right to direct an electronic copy of Health Record to a third party
  • Requires genetic information be classified as PHI and treated appropriately
  • Genetic information can not be used or disclosed for underwriting purposes or in discrimination in provision of health insurance
  • Easier authorizations for immunization records released to schools
  • Single authorizations can be used for multiple research purposes and relaxed requirements for future research
  • Eases access to friends and families for decedent PHI

Business Associates

  • Now separately and directly liable for compliance rules
  • All Business Associate Agreements must be updated and resigned
  • Criminal and civil penalties apply for violations of uses and disclosures limitations in Privacy Rule
  • Subcontractors are now considered BAs and all the requirements that come with that classification
  • Any person who “creates, received, maintained, or transmits” PHI on behalf of a CE is a BA
  • If you have access to electronic PHI you are a BA
  • The lack of a Business Associate Agreement does not relieve liability – a BA is defined by the work they do not by the agreements they sign
  • Breach reporting required to CE throughout the chain of access from BAs

Breach Notifications

  • Harm definition removed and changed to a 4 factor risk assessment of all breaches
  • Breach is assumed to require notifications unless proved to be a low probability of risk based on the 4 factor assessment
  • Breach assessment must be completely documented
  • Clarification of when the 60 day maximum notification time limit begins – as soon as a breach is discovered or reasonably should have been known
  • All CEs and BAs have burden of proof that notifications were made as required


  • Requires investigations of any incident or complaint that could indicate willful neglect of obligation to comply even if no breach occurred
  • Review only has to indicate willful neglect is possible, not probable, to require investigation
  • If willful neglect is obvious there is no requirement to try informal methods of resolution before moving to the penalty phase
  • HHS can include “state of mind” and “general compliance history” when determining penalties (both positively and negatively)
  • Penalty structure officially adopted that includes a required $50,000 minimum penalty per violation for uncorrected willful neglect cases
  • Maximum penalty per violation type per year $1,500,000
  • If a violation occurs over a period of time it is counted as one violation per day that the safeguards weren’t in place
  • Multiple types of violations are counted separately (one violation per day for ineffective or nonexistent safeguards and one violation per day for impermissible use or disclosure )

So, that is the Overview.  Next, we will discuss what should be your overall plan of action to deal with all of this information.  But, then, we talk about each area above in more detail.

There is a lot of information to absorb for small providers and especially for business associates.  I am doing my best to break it down into manageable short articles.

Breaking HIPAA down to small manageable bites is the approach we built-in to our Quick Start Compliance Coaching program.  We found it less overwhelming to do your assessments and build your plan one specific task at a time.  That approach will only work if you get started now, though.  It takes at least 90 days to go through the program.  Completing the program means you have a well documented assessment, completed risk analysis and you are ready to make your compliance plan.    You will not be compliant and done with the project at the end of 90 days.  Compliance is an ongoing process, not a project with a beginning and ending date.

If you are a Business Associate or Covered Entity the time to act is now.  The longer you wait the harder the process becomes.

Filed under: Grab Bag, HIPAA Tagged: Breach Notification Rule, Business Associate, Business Associate Agreements, Business Associates, Compliance, Enforcement, Four Factor Assessment, Health IT, HIPAA, HITECH, information hipaa, Privacy Rule, private patient, Security Rule, Small Provider