How to respond to the Final Omnibus HIPAA Rule

March 2013

At a glance

The Final HIPAA Omnibus Rule calls for changes to privacy and security requirements that healthcare organizations should address, especially where current practices and processes could be less effective and expensive to build and maintain, which invites risk.

Organizations that simply address the Final Omnibus HIPAA Rule without taking into account the other privacy and security requirements are at risk of creating a patchwork of processes and controls that will ultimately prove less effective and unnecessarily expensive to build and maintain.

The Final HIPAA Rule makes a number of significant changes. Among other things, it:

  • strengthens and expands the scope of the HIPAA privacy and security rules
  • increases penalties for HIPAA violations
  • extends potential liability and requirements for business associates and subcontractors
  • enhances patient privacy protections and requires mandatory changes to Notices of Privacy Practices, which have specific redistribution requirements
  • creates a new presumption that a reportable compromise has occurred under HIPAA’s federal notification law for breaches of protected health information (PHI) unless a new, specific assessment can demonstrate "little probability."