
HIPAA Omnibus Rule: Everything You Need to Know


Introduced in 2013, the HIPAA Omnibus Rule updated and expanded the Health Insurance Portability and Accountability Act (HIPAA), making it a critical regulation for healthcare providers and their business partners. 

Whether you're a healthcare provider or a vendor handling patient information, understanding and adhering to this rule is essential for protecting your organization from hefty fines and reputational damage.

What Is the HIPAA Omnibus Rule? 

The HIPAA Omnibus Rule strengthens privacy and security protections for patient health information, extends liability to business associates, and increases penalties for non-compliance. It also introduces stricter breach notification requirements and ensures patients' access to their own data, enhancing transparency and accountability in healthcare.

The HIPAA Omnibus Rule is a set of modifications to the Health Insurance Portability and Accountability Act of 1996 that strengthens the privacy and security protections of patient health information. It implements provisions from the Health Information Technology for Economic and Clinical Health (HITECH) Act and enhances the ability to enforce HIPAA requirements. 

The rule also extends liability to business associates of HIPAA-covered entities and increases penalties for non-compliance. In addition, it introduces requirements for breach notification and patient access to their own data. 

It also includes provisions to improve transparency and accountability in the handling of electronic protected health information (ePHI). 

Knowing the key requirements of this rule is essential for abiding by federal regulations and building trust with your patients or clients. Ignoring these rules can lead to hefty penalties and, even worse, damage your reputation, putting your long-term success in the healthcare industry at risk and making it more challenging to attract new business, partnerships, talent, and investment down the road, to say the least.

Who Needs To Comply with the HIPAA Omnibus Rule?

Contrary to what some may believe, HIPAA compliance isn't exclusive to healthcare providers. It also applies to other businesses—and their partners, suppliers, and subcontractors—as long as they’re handling protected health information (PHI). 

If any of these parties mishandle patient data, it's a big problem for everyone involved. That's why the Omnibus Rule makes sure all parties play by the same rules or, in other words, avoid HIPAA violations.

This legislation, at the end of the day, helps keep patient data safe and secure, no matter where it goes. In a way, you could look at it as a chain of custody that includes two main groups:

Covered entities

These are the institutions that are directly involved in the delivery and payment of healthcare services. They are responsible for ensuring that PHI and ePHI are protected throughout their operations. 

Examples include:

  • Hospitals
  • Healthcare providers (doctors, dentists, etc.)
  • Health plans (insurance companies)
  • Clearinghouses (organizations that process healthcare claims)

Business associates

These are organizations that perform functions on behalf of covered entities and also have access to PHI and ePHI. 

A few examples are:

  • Cloud providers
  • IT vendors
  • Medical billing companies
  • Third-party administrators

Subcontractors who handle PHI on behalf of business associates also need to closely follow HIPAA’s strict protocols. This contractual requirement guarantees that everyone remains accountable and upholds the minimum necessary standard to keep patient data safe from unauthorized access and breaches.

Key Updates Introduced by the HIPAA Omnibus Rule

As healthcare data breaches keep rising—affecting millions in the past 24 months alone—the need for tighter regulations to safeguard sensitive patient information is evident. 

The amendments introduced by the HIPAA Omnibus Rule reflect the growing need to address vulnerabilities and bolster these protections. 

Some of the most relevant updates that appear in this legislation include:

Patient rights expansion

People are increasingly proactive about their healthcare and rightfully demand more visibility into their personal health data. 

The final Omnibus Rule mandates that covered entities must comply with patients’ requests for electronic copies of their records. This requirement reinforces transparency and empowers individuals to manage their health data more effectively.

Stronger business associate agreements (BAAs)

The contracts between covered entities and vendors handling PHI and ePHI now require more stringent provisions. This change helps guarantee that business associates adhere to HIPAA regulations and greatly reduces the risk of data mishandling. 

Specifically, the rule imposes direct liability on business associates for compliance with certain HIPAA provisions to further safeguard protected information.

Breach notifications

Covered entities must now take more accountability and notify affected individuals within 60 days of discovering a breach involving unsecured PHI. 

Additionally, they are required to inform the Department of Health and Human Services (HHS) and, in certain cases, the media. 

This enhanced notification protocol aims to improve transparency and offer timely communication. The goal here is to allow patients whose information has been exposed to take necessary precautions to protect themselves.

Marketing and PHI restrictions

The Omnibus Rule limits the ability of covered entities and their business associates to use protected information for marketing purposes without explicit patient consent. 

This includes prohibiting its sale without authorization. This adjustment seeks to protect patient privacy and make sure that their data is not exploited for commercial gain without their full acknowledgment and permission.

Breach Notification Rule: What Changed?

The HIPAA Omnibus Rule has notably expanded the definition of what constitutes a breach. Now, any unauthorized access, use, or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate a low probability that the information has been compromised. This helps make sure that even minor incidents are thoroughly evaluated.

Risk assessment plays a crucial role in this process.

Instead of automatically reporting all breaches, you must determine whether there is a low probability of compromise based on factors like:

  • The nature of the PHI
  • Who accessed it
  • Whether it was viewed or acquired
  • The extent to which the risk to the PHI has been mitigated
  • The likelihood that the PHI could be re-identified

Assessments must be documented thoroughly so that you can justify a decision not to notify in cases where notification is not required, while still complying with HIPAA requirements. 

When a breach occurs, covered entities, associates, and subcontractors must act quickly and methodically to mitigate the damage. Implementing audit trails to track all access to sensitive data and establishing robust compliance reporting mechanisms are critical steps to maintain transparency and accountability throughout the process.

💡Make it easy: The logging and monitoring capabilities of StrongDM can streamline your breach notification endeavors. They provide real-time visibility into data access and usage to help you identify potential risks early and minimize the chance of undetected breaches. This supports compliance reporting as well, making it easier for you to respond promptly and effectively.

Business Associate Agreements (BAAs): Strengthened and Essential

Post-Omnibus Rule, BAAs must clearly define the business associate’s obligation to protect PHI, report breaches promptly, and implement appropriate safeguards to maintain data security. 

These contracts must also outline the specific actions the business associate will take to assist covered entities in responding to breaches and complying with HIPAA's requirements. 

As mentioned earlier, the legislation made business associates and their subcontractors directly liable for non-compliance, along with the covered entities that hire their services. 

Because of their direct involvement in handling PHI, these entities can now also face civil and criminal penalties if they fail to meet HIPAA standards.

💡Make it easy: At StrongDM, we help maintain compliance by ensuring only authorized personnel access specific PHI through role-based access. Our easy-to-manage auditing provides a clear record of data access, enabling you to spot irregularities and address potential compliance issues.

Enhanced Security and Privacy for PHI

As previously stated, the Omnibus Rule expands patient rights to give them more control over their electronic health records. This includes the ability to request copies in electronic formats and limit data sharing, which requires yet another layer of protection. 

Encryption and secure access controls are both best practices for securing ePHI under Omnibus Rule standards. Key controls include:

  • Multi-factor authentication (MFA): As the name states, this security process requires users to provide two or more verification factors to gain access to a system, enhancing protection beyond just a username and password.
  • Regular audit logs: Detailed records of all activity within your system let you track and review who accessed what data and when, which makes it much easier to identify and respond to security incidents.
  • Routine user access reviews: Periodic evaluations of user access permissions let you grant appropriate access based on people’s roles and responsibilities and adjust or revoke access as needed.
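To make the audit-log and access-review bullets concrete, here is an added example (not StrongDM code and not from the original post) that reviews a constructed access log against a minimum-necessary role policy. The log format, the role names, the users and the `ROLE_POLICY` mapping are all assumptions invented for illustration. It flags accesses outside a role's permitted resources or actions, accesses made without MFA, and accounts that have gone idle long enough that a periodic review should consider revoking them.

```python
"""Audit-log review and periodic user-access review over constructed sample data.

Added example, not StrongDM code. The log format, roles, users and policy are
assumptions made up for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format):
# timestamp user role resource action mfa=yes|no
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice billing patient_records/123 read mfa=yes
2024-03-01T08:05:40Z alice billing billing/invoices read mfa=yes
2024-03-02T09:10:02Z bob nurse patient_records/123 read mfa=yes
2024-03-02T09:12:30Z bob nurse patient_records/999 export mfa=yes
2024-03-03T22:41:07Z carol it_vendor patient_records/555 read mfa=no
2024-03-04T10:00:00Z dave clearinghouse claims/2024-03 read mfa=yes
"""

# Minimum-necessary policy (assumed): resource prefix -> permitted actions, per role.
ROLE_POLICY = {
    "billing": {"billing/": {"read", "write"}, "patient_records/": {"read"}},
    "nurse": {"patient_records/": {"read", "write"}},
    "it_vendor": {"infra/": {"read", "write"}},
    "clearinghouse": {"claims/": {"read"}},
}

# Accounts that exist in the identity store (assumed); "erin" never appears in the log.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin"}
REVIEW_DATE = datetime(2024, 4, 1)


def parse_log(text):
    """Parse the constructed space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource, action, mfa = line.split()
        events.append({
            "timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "role": role,
            "resource": resource,
            "action": action,
            "mfa": mfa == "mfa=yes",
        })
    return events


def _finding(ev, reason):
    return {"user": ev["user"], "timestamp": ev["timestamp"].isoformat(),
            "resource": ev["resource"], "reason": reason}


def find_policy_violations(events, policy=ROLE_POLICY):
    """Flag each access outside the role's permitted resources/actions, and each
    access performed without MFA. One finding per reason, in log order."""
    findings = []
    for ev in events:
        allowed = policy.get(ev["role"], {})
        actions = None
        # The first permitted prefix that matches the resource decides the action set.
        for prefix, acts in allowed.items():
            if ev["resource"].startswith(prefix):
                actions = acts
                break
        if actions is None:
            findings.append(_finding(ev, "resource not permitted for role"))
        elif ev["action"] not in actions:
            findings.append(_finding(ev, f"action '{ev['action']}' not permitted for role"))
        if not ev["mfa"]:
            findings.append(_finding(ev, "access without MFA"))
    return findings


def stale_accounts(events, known_users=KNOWN_USERS, as_of=REVIEW_DATE, max_idle_days=30):
    """Periodic access review: return users with no activity in the last
    max_idle_days (or no activity at all) as candidates for revocation."""
    last_seen = {}
    for ev in events:
        prev = last_seen.get(ev["user"], ev["timestamp"])
        last_seen[ev["user"]] = max(prev, ev["timestamp"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in known_users if u not in last_seen or last_seen[u] < cutoff)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_policy_violations(evs):
        print(f"{f['timestamp']} {f['user']} {f['resource']}: {f['reason']}")
    print("accounts to review for revocation:", stale_accounts(evs))
```

Run as written, the review reports bob's `export` of a patient record (an action his role does not permit), carol's read of a patient record (a resource outside the IT vendor role) and her missing MFA, and lists alice and erin as revocation candidates because neither was active in the 30 days before the review date. The policy uses resource prefixes so that one rule covers a whole class of records; a real deployment would load the policy and log from your access-control system rather than from inline constants.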

💡Make it easy: With StrongDM, you can make secure access management for healthcare data much easier. Our platform provides an easy way to enforce MFA and monitor access through detailed logs.

Increased Penalties for Non-Compliance

The Omnibus Rule introduced a tiered penalty structure, where fines are imposed based on the level of negligence. Penalties range from $100 to $50,000 per violation, with a maximum annual cap of $1.5 million for repeat violations. The severity increases with unaddressed violations and willful neglect.

In 2023 alone, several significant penalties were enforced under HIPAA. 

For example, American Medical Response faced a $115,200 fine for a Right of Access failure, while Essex Residential Care was fined $100,000 for similar issues. 

💡Make it easy: With secure access and audit tools, StrongDM helps simplify compliance to help you avoid incurring costly fines like these.

Ensuring Compliance With the HIPAA Omnibus Rule

Staying compliant with the HIPAA Omnibus Rule requires you to remain attentive and proactive. You can start with regular risk assessments to identify vulnerabilities and go from there. This will let you guarantee that all potential threats to ePHI are addressed. 

Don’t forget to update your BAAs to include stringent compliance requirements. 

Similarly, revise breach response protocols to include swift notification procedures and detailed documentation practices.

Do keep in mind that auditing and monitoring are crucial for maintaining continuous compliance. That’s why you must conduct access control reviews and incorporate enhanced data handling practices into your policies.

Lastly, you should implement real-time monitoring to detect any unauthorized access or potential breaches as they occur. This will allow for immediate response and mitigation when needed.

💡Make it easy: At StrongDM, we can help you streamline compliance with these capabilities and more. Our tools allow you to manage user access efficiently, track all activities, and generate compliance reports effortlessly to meet HIPAA requirements and avoid potential violations.

Protecting Healthcare Data in 2024 and Beyond

As healthcare evolves, so do the risks. Staying compliant with the HIPAA Omnibus Rule is non-negotiable. StrongDM provides a seamless solution for healthcare organizations to manage access and avoid breaches. If you want to see how we can help your organization follow HIPAA regulations, book a demo today.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.
