The HIPAA Omnibus Rule mandates changes to the Privacy, Security, Enforcement, and Breach Notification Rules to implement some – but not all – of the privacy provisions required by Subtitle D of the HITECH Act. The HIPAA Omnibus Rule also mandates changes to the Privacy Rule to prohibit health plans from using genetic information for underwriting purposes.
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule is a Rule published in January 2013 that combined four Interim and Proposed Rules into a single Omnibus Rule. The reason for four Rules being combined into one was that the Department of Health and Human Services (HHS) believed it would be easier for covered entities to comply with the relevant sections of one substantial Rule than with four smaller Rules.
It was also the case that the two Interim Rules – one relating to the penalty structure for HIPAA violations and the other to breach notifications – were already in force. The HIPAA Omnibus Final Rule gave HHS the opportunity to fine-tune the existing Interim Rules to address comments from stakeholders and other issues that had been identified since the passage of the HITECH Act in 2009.
What the HIPAA Omnibus Rule Mandates in Greater Detail
The HIPAA Omnibus Rule strengthens the limitations on uses and disclosures of PHI, expands individuals’ rights to restrict disclosures of PHI and gives individuals more access rights to PHI. Because these changes resulted in changes to covered entities’ privacy practices, the HIPAA Omnibus Rule mandates that Notices of Privacy Practices are revised and redistributed.
The HIPAA Omnibus Rule also makes business associates directly liable for HIPAA violations. Previously, business associates were regarded as agents of covered entities; and, if a business associate was responsible for a data breach, the covered entity was considered liable. This changed with the publication of the HIPAA Omnibus Rule, which also created the requirement for covered entities to review the content of their existing Business Associate Agreements.
Changes to the Enforcement and Breach Notification Rules
The finalization of the two Interim Rules confirmed the adoption of a four-tier penalty structure that assessed penalties according to an organization’s degree of culpability, and the criteria that made a breach notifiable. The maximum penalty for a single violation of HIPAA was increased from $100 to $50,000, and the maximum amount an organization could be fined in a year for violations of the same type was increased from $25,000 to $1,500,000. (The figures have been adjusted for inflation since 2016.)
The criteria that made a breach notifiable also reversed the “burden of proof”. Prior to the HITECH Act, HHS’ Office for Civil Rights could only take enforcement action against a covered entity if the agency could prove that a data breach had resulted in harm to an individual. Under the revised standards, covered entities that did not notify the individual and the agency of a breach had to prove that harm had not occurred or was unlikely to occur (i.e., if the data was encrypted).
Other Modifications Mandated by the HIPAA Omnibus Rule
Two other modifications are mandated by the HIPAA Omnibus Rule – the first relating to authorizations for disclosures and the second relating to the use of genetic information. The first change removes selected scenarios from the list of disclosures that required authorization. These include disclosing a child’s immunization status to a school and disclosing PHI of deceased individuals once fifty years have passed since the date of the individual’s death.
The second change prohibits uses and disclosures of PHI by health plans for underwriting purposes to align HIPAA with the Genetic Information Nondiscrimination Act (GINA). Although the change is only relevant to health plans with access to genetic information, it resulted in new definitions being added to the HIPAA General Rules and several existing definitions being amended – including the definition of health information and, by association, Protected Health Information (PHI).
Why the HIPAA Omnibus Rule was Important
The HIPAA Omnibus Rule was important because many of the changes mandated by the Rule supported the introduction of the Meaningful Use incentive program. For example, had the burden of proof not been reversed, patients may not have been advised if their health information had been breached. This would mean they would only find out about a breach when their PHI was misused, which could limit their future willingness to share sensitive information with healthcare providers.
Patients limiting their willingness to share sensitive information with healthcare providers can result in worse patient outcomes. This not only impacts patients, but hurts organizations financially due to higher readmission rates (and HRRP penalties), lower staff morale (and efficiency), and lower staff retention. So, complying with the changes mandated by the HIPAA Omnibus Rule is important not only for the sake of “checking the box of compliance”; non-compliance also carries indirect costs.