The Omnibus Rule Has Made Several Key Changes to the HIPAA Privacy and Security Act.

What is the HIPAA Omnibus Rule?

On March 26, 2013 the long-awaited, Health Information Portability and Accountability Act’s (HIPAA) Omnibus Rule went into effect, giving HIPAA Covered Entities and HIPAA Business Associates until September 23, 2013 to achieve compliance under its new provisions.

Expanding on the federal guidelines established in the original 1996 version of HIPAA, there are several standout features which are of significant importance for those interacting in any way with Protected Health Information (PHI) or relying on 3rd Party Vendors to store such critical patient data. The first thing to note is that the definition of a “business associate” has now been revised. The Omnibus Rule expanded the “business associate” to include the following:

HIPAA Omnibus Rule Defined

  1. Any downstream subcontractor that creates, receives, maintains or transmits PHI on behalf of the business associate, even if that relationship is indirect
  2. Health information organizations, e-prescribing gateways, or other persons that provide data transmission services to a covered entity that require routine access to PHI
  3. Any person that offers personal health record to individuals on behalf of a covered entity

In addition to the definition expansion of a “business associate”, a business associate’s obligations and liability has also been expanded in the following ways:

  1. Business associates and their subcontractors are directly liable for compliance with the HIPAA Privacy and Security Rules
  2. Business associates and their direct subcontractors must establish a compliant Business Associate Agreement (BAA) throughout the entire chain of the information flow
  3. Business Associate Agreements must be updated to include new provisions

The HIPAA Omnibus Rule has also modified the policies to increase the penalties for not acting in compliance or for any actions that result in breaches of PHI. To add to this, these changes enable Health and Humans Services (HHS) to immediately enforce penalties rather than allow the violator time to remediate any issues. Monetary penalties can be given up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year.

For more information on the HIPAA Omnibus Rule and our HIPAA Compliant Hosting Services, contact OnRamp today!