HHS Issues Final Omnibus Rule for Privacy and Security of Health Information

On January 17, 2013, the US Department of Health and Human Services (HHS) issued a final omnibus rule modifying the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and enforcement rules and implementing statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Some of the major changes include the following:

  • Confirms that business associates (BAs) and their subcontractors are directly liable for compliance with certain portions of the HIPAA Privacy and Security Rules. BAs and subcontractors that do not comply are subject to HIPAA penalties.
  • Strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization.
  • Expands individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Requires modifications to, and redistribution of, covered entities' (CEs) notices of privacy practices.
  • Modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  • Adopts the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
  • Retains the revised penalty structure implemented by the interim final rule for violations occurring on or after February 18, 2009:

Violation Category               Each Violation       All Such Violations of an Identical Provision in a Calendar Year
Did Not Know                     $100 – $50,000       $1,500,000
Reasonable Cause                 $1,000 – $50,000     $1,500,000
Willful Neglect – Corrected      $10,000 – $50,000    $1,500,000
Willful Neglect – Not Corrected  $50,000              $1,500,000


Per HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented…These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Per the final omnibus rule, the costs of complying with the rule are estimated at between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter. Costs associated with the rule include: (i) costs to HIPAA CEs of revising and distributing new notices of privacy practices to inform individuals of their rights and how their information is protected; (ii) costs to CEs of complying with breach notification requirements; (iii) costs to a portion of BAs of bringing their subcontracts into compliance with BA agreement requirements; and (iv) costs to a portion of BAs of achieving full compliance with the Security Rule. The $14.5 million annual figure is the estimated cost of breach notification requirements only; it does not include yearly monitoring and maintenance to stay compliant with the rules.

The final rule takes effect on March 26, 2013. Covered entities and BAs have until September 23, 2013 to comply with the applicable requirements of the final rule.

The final rule may be viewed at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf.

HC Healthcare Consulting staff includes CPAs, certified coders, and consultants Certified in Healthcare Compliance who are available to provide expert assistance with your HIPAA Privacy and Security implementation efforts in addition to your ongoing compliance needs.

DISCLAIMER:  This post contains only summary information and highlights; it should be read in conjunction with the full article or document provided as a link.  Any advice or recommendations given is general and specific questions should be directed to professional counsel.
