Reminder: The HIPAA “Omnibus Rule” is Now in Effect

on Monday, 30 September 2013 in Health Law Alert: Erin E. Busch, Editor

In January 2013, the Office for Civil Rights published its lengthy final rule (often referred to as the “Omnibus Rule”) updating the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The updates were largely driven by HITECH. The Omnibus Rule changes were effective March 26, 2013, but OCR provided a delayed “compliance date” of September 23, 2013, which has now passed. Covered entities may have until September 23, 2014 to update their Business Associate Agreements if an agreement was in place before January of this year and the agreement has not changed, but otherwise covered entities and business associates should already be applying the HIPAA Privacy and Security Rules as amended. Among the principal changes:


  • The business associate definition was amended to expressly capture subcontractors that act on behalf of business associates and certain HIOs, e-prescribing gateways and other parties that provide data transmission services.

  • Business associates must obtain assurances from their subcontractors comparable to the assurances they give to their covered entities, and required terms of business associate agreements have been changed somewhat.

  • The structured risk analysis for assessing whether PHI has been compromised and whether data breach notification is required has changed. Covered entities and business associates will be expected to apply the new standards in assessing all potential breach situations.

  • Rules regarding sale of PHI and use or disclosure of PHI for marketing were materially tightened and clarified. Authorization is now expressly required with added content.

  • Covered entities must update their NPPs to include several features, including when authorizations are required and the individual’s right to notice of a breach.

  • Use of genetic information for underwriting purposes is expressly prohibited.

  • Covered entities may continue to disclose PHI to family members or other persons who have been involved in the individual’s health care following the death of the individual, if consistent with their prior role while the individual was alive and not inconsistent with any prior expressed preference of the deceased individual. This is a very welcome change.

  • Individuals have the right to insist that a covered entity not bill their insurer for an episode of care if they notify the covered entity in a timely manner and pay the charge out-of-pocket in full.

There are numerous other changes, some small and some large. The core principles under the Privacy and Security Rules remain the same.

Alex M. “Kelly” Clarke