One Year of HIPAA Omnibus Rule Compliance

The HIPAA Omnibus Rule compliance deadline was six months ago, with the introduction of the legislation taking place around this time last year. HIPAA-covered entities have now had a full year to bring their policies and procedures up to date with the amendments made by the Omnibus update.

Unfortunately for the healthcare industry, while the changes introduced by the new HIPAA Rule clarified a number of aspects of the legislation, data breaches have continued to rise. The Department of Health and Human Services’ Office for Civil Rights (OCR) must be informed of any data breaches involving PHI, and breach reports are posted on its website.

The OCR “Wall of Shame” – as it is often referred – shows that in spite of increased HIPAA regulations, Covered Entities (CEs) continue to suffer data breaches. In many cases, this is due to a failure of HIPAA Omnibus Rule compliance.

The anniversary of the introduction of the Omnibus Rule is a suitable time to take stock of how the year has progressed, how the new policies have worked in practice and where organizations are in terms of compliance with HIPAA regulations.

This is not just advisable to protect against data breaches and implement some new best practices. Failure to ensure full compliance with HIPAA regulations is likely to have a significant financial cost. The OCR is planning its second round of HIPAA-compliance audits, and they are expected to commence in approximately six months. Organizations have now effectively been given a year to ensure compliance, and now their policies and procedures are to be closely scrutinized.

This does not give organizations six months to ensure HIPAA Omnibus rule compliance and make sure all aspects of the Security Rule, Privacy Rule and Breach Notification Rule have been incorporated into policies and procedures. Action must be taken now.

If a CE – or a Business Associate – suffers a security breach in which PHI is compromised, an investigation will invariably be launched. If it is discovered that the breach was the result of a HIPAA violation, substantial financial penalties can be issued. The Office for Civil Rights can issue fines of up to $1.5 million per violation – per year – and the Federal Trade Commission, Department of Personnel Affairs Department of Justice and state attorney generals can also investigate breaches and issue fines for violations.

If you want to ensure HIPAA Omnibus Rule compliance, it is essential that you put an action plan in place.

Privacy, Security and HIPAA Omnibus Rule Compliance

  1. Develop a HIPAA-compliance plan incorporating all aspects of HIPAA rules and ensure policies are developed to protect PHI and patient privacy.
  2. Ensure those policies are put into practice and become routine. Train the staff on HIPAA rules and hospital procedures and ensure that these rules are followed. Take prompt action if violations are discovered.
  3. Revise policies and procedures regularly to ensure continued compliance, in particular when new technology is adopted and after any material change in regulations.
  4. Conduct an annual risk assessment, preferably using an external security company specializing in HIPAA security risk assessments.
  5. Document all actions taken to secure PHI as well as all staff training sessions. Ensure Business Associate Agreements are signed and maintained. Conduct regular internal audits to check for continued compliance.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of