Health Law Alert: HHS Publishes Long-Awaited Final HIPAA Omnibus Rule


On Friday, January 25, 2013, the U.S. Department of Health and Human Services (HHS) published the long-awaited final HIPAA Omnibus Rule, modifying the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). These Rules present numerous changes that will impact covered entities, including health care providers and health plans, and their business associates.

Key Provisions of the New Rules

  • Requires covered entities to revise and redistribute their Notice of Privacy Practices.
  • Changes the definition of "business associate" to include subcontractors. The definition is also changed to explicitly include patient safety organizations (i.e., organizations performing analysis of patient safety events on behalf of covered entities), health information organizations, e-prescribing gateways and other organizations and persons that facilitate data transmission.
  • Changes the definition of "marketing" and the authorization requirements related to marketing communications, prohibiting the sale of protected health information without individual authorization.
  • Expands the rights of individuals to access their health information and request restrictions on how their health information is used or disclosed.
  • Changes the analysis for determining whether notification of a breach of protected health information is required from a "risk of harm" to a "probability of compromise" analysis.
  • Applies the prohibition against the use and disclosure of protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long-term care policies.

Notably missing from the Rule are provisions relating to how covered entities must respond to individuals requesting an accounting of disclosures made through an electronic health record, which was the subject of a separate Notice of Proposed Rulemaking published on May 1, 2011. This topic will be addressed in future rulemaking.

Compliance Date

The effective date for these final Rules is March 26, 2013. However, covered entities and business associates have until September 23, 2013, to comply with applicable provisions. Covered entities may operate under existing Business Associate Agreements until the contract is up for renewal or until September 23, 2014, whichever is earlier.

Proactive Steps to Take

  • Review and revise your HIPAA policies, including but not limited to policies regarding marketing communications and responding to potential breaches of protected health information.
  • Review and revise your Notice of Privacy Practices so that you are ready to post and distribute your new Notice on or before the September deadline.
  • Review your standard Business Associate Agreement and current agreements to determine whether modifications are required.
  • Develop organization-wide strategies to communicate changes to appropriate front-line staff.
  • Review your HIPAA training modules and education materials.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson Leonard Street | Attorney Advertising
