Summary of Final Omnibus HIPAA/HITECH Rules

No time to read all 563 pages of the US Department of Health and Human Services Office for Civil Rights’ HIPAA/HITECH Omnibus Rule? Here’s a summary of key points:

Effective Date:

“The Enforcement Rule changes are effective on March 26, 2013. The additional 180 days afforded for most of the provisions in the Final Rule apply only to modified standards or implementation specifications.” (Ober|Kaler)

Breach Standards:

“In a somewhat surprising development, the Omnibus Rule materially revises the definition of a ‘breach,’ which seems to make breach notification more likely. The HITECH Act requires covered entities and business associates to provide notification following discovery of a breach of unsecured PHI. Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA privacy rule that ‘compromises the security or privacy’ of the PHI unless an exception applies… The Omnibus Rule amends the definition of breach to clarify that the impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach and breach notification is necessary unless a covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.” (Davis Wright Tremaine)

Business Associates:

“The extensive omnibus regulations … [e]xpand the scope and impact of the Privacy and Security Rules on business associates. Anyone providing services to a health plan, health care clearinghouse, or health care providers who receives or generates protected health information (PHI) may be subject to these expanded provisions. Previously, most business associates were subject to the Privacy and Security Rules only through a business associate agreement with the covered entity. The HITECH Act extended the application of HIPAA’s enforcement provisions to business associates directly, and it established an independent requirement that business associates implement many of the Security Rule’s administrative safeguards.” (Ogletree Deakins)

Business Associate Agreement:

“Up until the 2013 amendments, a CE was required to obtain from a [Business Associate (BA)] ‘satisfactory assurances’ through ‘documentation’ that it was appropriately safeguarding PHI. This meant that [Covered Entities (CEs)] were required to enter into [Business Associate Agreements (BAAs)] with all BAs. With the expansion of the definition of a BA under the 2013 amendments, there must also be a BAA between BAs and BA Subcontractors. Thus, in addition to the BAA between the CE and its BA, the BA must enter into a BAA with any BA Subcontractor. Furthermore, the BA Subcontractor must enter into a BAA with its subcontractor.” (Duane Morris)

Enforcement:

“HHS may conduct a formal compliance review (when prompted by media reports or reports by state or other federal agencies) or an investigation when the preliminary review in response to a complaint or other inquiry reveals culpability less than willful neglect. HHS must initiate a formal investigation when a party appears to have exhibited willful neglect. The Final Rule no longer requires the Secretary to exhaust all informal resolution efforts before moving directly to a Civil Monetary Penalty (‘CMP’). The Final Rule establishes four tiers of CMPs based on culpability levels: ‘reasonable diligence,’ ‘reasonable cause,’ and two separate tiers that correspond to ‘willful negligence.’” (Ropes & Gray)

Penalties:

“[The final rules] implement new enforcement of the tiered penalty structure established by the HITECH Act. The regulations maintain the structure established in interim final regulations in 2009. Depending on the degree of knowledge that the covered entity had or should have had regarding the violation, penalties for each violation range between $100 (did not know or have reason to know) and $50,000 (willful neglect without correction), with a maximum penalty for a given year of $1,500,000 for any violations of the same requirement or prohibition.” (Ogletree Deakins)

Marketing:

“The definition of ‘marketing’ has been modified to encompass treatment and health care operations communications to individuals about health-related products or services if the covered entity receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described. A covered entity must obtain an individual’s written authorization prior to sending marketing communications to the individual.” (Dinsmore & Shohl)

Fundraising:

“HHS offered some welcome news to health care providers by expanding the use and disclosure of PHI for fundraising purposes. Previously, a covered entity could use or disclose only demographic information and dates of service for fundraising. A longstanding complaint among health care providers has been that these limits do not allow appropriate targeting of fundraising efforts. In response, HHS expanded the categories of PHI that may be used and disclosed for fundraising to also include department of service, treating physician, outcome information, and health insurance. Accordingly, a health care provider seeking to raise funds for a new cancer center can target its efforts to oncology patients who had positive outcomes.” (Davis Wright Tremaine)

Sale of Protected Health Information:

“The Final Rule defines sale of PHI as ‘a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.’ Disclosure includes granting access directly or through licenses or lease agreements. Remuneration, for this purpose, includes in-kind value. In the case of a transfer for public health purposes, the remuneration can be a cost-based fee to cover the costs of preparing and transmitting the data. A similar limitation applies to research. Cost-based fees, however, may include direct and indirect costs, so long as there is no profit factor. Disclosures for treatment and payment activities are exempted, to make it clear that these activities do not constitute a sale.” (Ober|Kaler)

Genetic Information:

“The Rule modifies the HIPAA Privacy Rule to prohibit most health plans from using or disclosing genetic information for underwriting purposes. For the most part, the Rule adopts the substantive requirements and definitions that were included in the proposed GINA rule published in October 2009.” (Foley & Lardner)

Deceased Patients:

“Originally, HIPAA protections applied to an individual’s PHI forever. The Omnibus Rule now states that, once you’ve been dead for 50 years, your PHI is no longer subject to HIPAA protections. Also, HIPAA originally prevented a health care provider from communicating with a patient’s family members once the patient died. While the patient is alive, friends and family may be ‘involved in the care’ of the individual, and a covered entity may disclose PHI to them, at its discretion, to the extent of their involvement in the individual’s care. However, once the patient dies, the friends and family are no longer ‘involved in the care.’ The Omnibus Rule allows a provider to continue providing information to friends and family under the same rules that were in place prior to the patient’s death.” (Jackson Walker)

Finally, here’s a handy 13-page “HIPAA Omnibus Rule Reference Chart” from Mintz Levin.
