The HIPAA Omnibus Rule 2013 mandated changes to Parts 160 and 164 of the HIPAA Administrative Simplification Regulations to implement modifications to the Enforcement, Security, Breach Notification, and Privacy Rules required by the HITECH Act.
In addition, the HIPAA Omnibus Rule 2013 made further changes to the Privacy Rule to address events that were hampering efficiency in the healthcare system and to prohibit health plans from using genetic information to calculate risks and premiums.
Enforcement Measures Mandated by the Omnibus Rule
Possibly the most significant change the HIPAA Omnibus Rule 2013 mandated was a new four-tiered penalty structure and new HIPAA violation penalties. Previously, there was one penalty level for violations attributable to willful neglect for which the maximum penalty was $100 per violation up to a maximum of $25,000 per year.
The new penalty structure assigned minimum and maximum penalties depending on the level of culpability, and increased the maximum penalty for willful neglect to $50,000 per violation up to a maximum of $1.5 million per year per violation type. Since 2016, the penalties for HIPAA violations have been adjusted annually to account for inflation.
The Direct Liability of Business Associates
Prior to the publication of the HIPAA Omnibus Rule 2013, business associates had been regarded as agents of covered entities. This meant that, when a data breach occurred, the covered entity that the business associate was performing a service for or on behalf of was considered liable for the data breach even though it was out of their control.
The HIPAA Omnibus Rule 2013 changed how business associates were regarded and made them directly liable for HIPAA compliance. This change meant that covered entities had to review existing Business Associate Agreements and amend any that could be interpreted as absolving business associates from liability in the event of a data breach.
The Impact on the Security and Breach Notification Rules
Now that business associates were directly liable for HIPAA violations, this meant they had to comply with the Security and Breach Notification Rules and any applicable standards of the Privacy and General Administrative Rules. The impact on the Security Rule was mostly changes in terminology and an expansion of standard §164.314 (“Organizational Requirements”) to cover new regulations for Business Associate Agreements.
The change to the Breach Notification Rule was more significant. Standard §164.410 (“Notification by a Business Associate”) was expanded considerably to define the procedures when a business associate notified a covered entity of a data breach. A further standard (§164.414 – “Burden of Proof”) was also amended to require that covered entities and business associate can prove all notifications are made in a timely manner.
What did the HIPAA Omnibus Rule 2013 Mandate in the Privacy Rule?
For the Privacy Rule, the HIPAA Omnibus Rule mandated a swathe of changes. These included prohibiting the sale of PHI without an authorization, giving individuals the option to opt out of marketing and fundraising communications, and removing some of the occasions when it was necessary to obtain an authorization before using or disclosing PHI. Individuals were also given increased rights to restrict disclosures of PHI and obtain electronic copies of PHI.
These changes meant that covered entities would have to change certain privacy practices, and amend their Notices of Privacy Practices as a result. However, rather than apply the “material change” Privacy Rule standard for redistributing Notices of Privacy Practices, the HIPAA Omnibus Rule 2013 excused healthcare providers from redistributing new Notices of Privacy Practices to – and obtaining acknowledgements from – existing patients.
Will There be a HIPAA Omnibus Rule in 2024?
It is getting increasingly likely there will be a HIPAA Omnibus Rule 2024 due to the volume of Notices of Proposed Rulemaking and Requests for Information recently published by HHS Office for Civil Rights. Some of the proposals being considered include aligning HIPAA more closely with 45 Part 2 regulations for substance use disorder records, introducing attested uses and disclosures for reproductive health information, and making changes to the Privacy Rule to accommodate CMS’ Interoperability program.
In addition, HHS recently published a “Healthcare Sector Cybersecurity Strategy” that will lead to new Security Rule standards based on Cybersecurity Performance Goals. HHS has said it will approach Congress to request that the penalties for Security Rule violations are increased, while it may also be the case that compliance with the new Security Rule standards becomes a condition of participation in Medicare and Medicaid programs. You can find out more about the proposed HIPAA changes in this article or by speaking with a HIPAA compliance advisor.