Strengthening Patient Privacy and Security
The HIPAA Omnibus Rule is a federal regulation that strengthened patient privacy protections, increased healthcare organizations’ responsibilities for safeguarding health information, and expanded patients’ rights regarding their medical records.
Implemented in 2013, the Omnibus Rule updated existing HIPAA Privacy, Security, Enforcement, and Breach Notification Rules to address modern healthcare technology, electronic records, and the growing use of third-party service providers. It is one of the most significant updates to HIPAA since the law was originally enacted.
What Is the HIPAA Omnibus Rule?
The Omnibus Rule expanded the privacy and security protections that apply to Protected Health Information (PHI) and clarified how healthcare organizations, business associates, and their subcontractors must protect patient information. The rule was designed to:
- Enhance patient privacy rights
- Increase accountability for organizations handling health information
- Strengthen breach notification requirements
- Improve transparency regarding the use of patient information
- Establish stronger enforcement and penalties for noncompliance
Expanded Patient Rights
One of the primary goals of the Omnibus Rule was to provide patients with greater control over their health information.
Greater Access to Medical Records
Patients have the right to obtain copies of their medical records, including electronic records when available. Healthcare providers must generally provide requested records within timeframes established by applicable law and may only charge reasonable fees permitted by law.
Restrictions on Certain Insurance Disclosures
If a patient pays for a healthcare service entirely out of pocket and requests that the information not be disclosed to their health plan for payment or healthcare operations purposes, healthcare providers are generally required to honor that request unless disclosure is otherwise required by law. This provision gives patients greater control over sensitive healthcare information.
Enhanced Rights Regarding Authorizations
Patients have greater control over uses and disclosures that are not otherwise permitted by HIPAA. Healthcare organizations generally must obtain a patient’s written authorization before:
- Using information for certain marketing purposes
- Selling protected health information
- Making certain disclosures not otherwise authorized by law
Stronger Breach Notification Requirements
The Omnibus Rule established stricter requirements regarding privacy and security breaches. A breach generally occurs when protected health information is accessed, used, disclosed, or acquired in a manner not permitted by HIPAA.
When a breach of unsecured protected health information occurs, healthcare organizations may be required to:
- Investigate the incident
- Assess the risk of compromise
- Notify affected individuals
- Notify government agencies
- Notify the media in certain large-scale incidents
Healthcare organizations must take reasonable steps to mitigate the effects of any breach and prevent future occurrences.
Increased Accountability for Business Associates
Healthcare organizations frequently work with outside vendors and service providers that assist with operations. Examples include:
- Electronic health record vendors
- Billing companies
- Cloud storage providers
- Information technology vendors
- Practice management companies
- Data processing services
The Omnibus Rule significantly expanded the responsibilities of these organizations. Business associates and many subcontractors became directly responsible for complying with certain HIPAA requirements and may be held directly liable for violations. This change helps ensure that patient information remains protected even when handled by third parties.
Enhanced Protection of Electronic Health Information
As healthcare increasingly relies on electronic systems, the Omnibus Rule reinforced requirements for safeguarding electronic protected health information. Healthcare organizations are expected to implement reasonable safeguards designed to:
- Protect patient information from unauthorized access
- Prevent improper disclosure of information
- Maintain the integrity of health records
- Ensure information remains available when needed for patient care
These safeguards may include administrative, physical, and technical security measures.
Restrictions on Marketing and Sale of Health Information
The Omnibus Rule strengthened limitations on how health information may be used for commercial purposes. Generally:
- Protected health information cannot be sold without patient authorization.
- Certain marketing communications require patient authorization.
- Patients must be informed about how their information may be used.
These protections help ensure that health information is not improperly used for financial gain.
Increased Penalties for Violations
The Omnibus Rule strengthened HIPAA enforcement and increased potential penalties for noncompliance. Organizations and individuals that fail to comply with applicable privacy and security requirements may face:
- Civil monetary penalties
- Corrective action requirements
- Government investigations
- Compliance monitoring
- Other legal consequences authorized by law
Penalties may increase depending on the severity of the violation and whether the organization knew or reasonably should have known that a violation occurred.
What the Omnibus Rule Means for Patients
The HIPAA Omnibus Rule provides patients with stronger privacy protections and greater transparency regarding how their health information is used. Patients benefit from:
- Greater control over their health information
- Expanded access to medical records
- Stronger breach notification protections
- Improved accountability among healthcare providers and vendors
- Increased restrictions on marketing and sales of health information
- Enhanced security safeguards for electronic health records
These protections are intended to help ensure that healthcare information remains private, secure, and used only for appropriate purposes.
APNS’s Commitment to Privacy
APNS is committed to protecting the privacy, confidentiality, and security of patient information. We strive to comply with applicable federal and state privacy laws, maintain appropriate safeguards for patient information, and continuously evaluate our privacy and security practices to support the trust our patients place in us.
Patient privacy is a fundamental component of quality healthcare and an essential part of our commitment to professional and ethical medical practice.
For further information, visit the U.S. Department of Health & Human Services – HIPAA Omnibus Rule Summary.