Tuesday 15 October 2013

The HIPAA Omnibus Rule

HIPAA rules and regulations were significantly updated and more clearly defined through the passage of the HIPAA Omnibus Rule, also known as the HIPAA final rule.  The final rule bolsters the privacy and security rules for protected health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As of January 27, 2013, this overhauled version of the HIPAA compliance laws was put into place, giving the HITECH Act more teeth in terms of imposing consequences for failure to comply with HIPAA.  The Omnibus Rule was intended to better protect patient privacy through additional regulations and by implementing audits, with associated fines for those found negligent in complying with HIPAA regulations.


The Omnibus Rule includes important alterations of the original HIPAA rules, specifying in a more detailed and clearer manner what is required for a covered entity to be considered HIPAA compliant.

The largest change to the original HIPAA regulations concerns who is required to maintain HIPAA compliance.  Under the Omnibus final rule, in addition to covered entities, all business associates, defined as anyone who creates, stores, uses or discloses protected health information on behalf of a covered entity, as well as anyone who subcontracts to business associates, are required to maintain HIPAA compliance.

The specific HIPAA compliance requirements for business associates and subcontractors are not as clear-cut as the HIPAA compliance rules defined for covered entities.

Given the number of changes and updates specified in the Omnibus final rule, it is important to review this document to ensure everyone responsible for being HIPAA compliant understands what they will be held accountable for.
