July 23, 2014

A Comprehensive Summary of the Final Omnibus HIPAA/HITECH Rules

Executive Summary

On January 25, 2013, the Federal Register will publish final omnibus rules written by the U.S. Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.  The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act.  While some of the rule changes are not surprising, others are very impactful and will markedly change the obligations imposed on covered entities, business associates and subcontractors.  Some of the more significant provisions are described here, and a comprehensive review of all the key changes is provided in the pdf.  Please feel free to contact us with questions.

Important Deadlines

The compliance deadline for virtually every provision of these rules is September 23, 2013.  A longer period is provided where updates to existing business associate and data use agreements are required; those agreements may not need to be updated until September 22, 2014 provided they are not modified or renewed prior to that date.

Breach Notification

HHS has eliminated the harm threshold, under which notice of a security breach was required only if the breach posed a significant risk of harm to affected individuals.  It has provided instead that any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule will be presumed to be a reportable breach.  Covered entities and business associates can rebut this presumption by conducting a risk analysis using factors articulated by HHS, but the agency has made clear its expectation that impermissible uses and disclosures of readily accessible PHI will likely be reportable breaches.  This change will mean an increase in the number of breaches reported.

Business Associates

Much of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors.  Business associate agreements are likely to require updates and, in light of breach requirements and increasing compliance reviews, covered entities should enhance their efforts to review business associate compliance and consider appropriate liability protections in their business associate agreements.

Enforcement and Penalties

HHS has retained the high penalty structure currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per provision basis.  Business associates and subcontractors are directly liable for their violations, but covered entities also can be penalized for their violations.  HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.

Privacy Requirements

The final rules address multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient's care or payment for care, and disclosures of student immunization records.  In addition, individuals have new rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI).  Notices of privacy practices, research authorizations, internal policies, and training programs may require updates to address the rule modifications.

Security Requirements

Business associates and subcontractors must comply with the Security Rule in full.  Given the complexities of achieving Security Rule compliance, business associates and subcontractors should begin efforts now to meet the September 23 compliance deadline.

Genetic Information

To implement the Genetic Information Nondiscrimination Act, HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes.

As with most regulations, the details matter, so we have provided a more comprehensive summary of all the substantive requirements and described in brief how they will impact the regulated community from a practical standpoint.  Please contact us with any questions, and you can sign up for other privacy and information security updates here.

© 2014 Poyner Spruill LLP. All rights reserved.

About the Author

Elizabeth Johnson, Privacy and Information Security Attorney, Poyner Spruill

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various sizes and scopes, ranging from Fortune 100 companies with international reach to local charities.  She was listed among the top privacy professionals in Computerworld’s...


