by Kapua Iao

What is the HIPAA Omnibus Rule?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. federal legislation that, among other things, sets national standards for protecting the privacy and security of patients' health information.

Understanding HIPAA is essential for covered entities and their business associates as they balance HIPAA compliance with patient care and protected health information (PHI) security.

Since its enactment, the U.S. Department of Health and Human Services (HHS) has issued a series of implementing rules and amendments that add protections for patients and responsibilities for the organizations that handle their data. In this post, we’ll take a closer look at the Omnibus Rule (2013).

So what does the Omnibus Rule add to HIPAA, and why is the rule necessary? And how can Paubox Email Suite and HIPAA compliant email support a healthcare provider’s compliance with Omnibus?

A HIPAA summary

Congress enacted HIPAA to improve healthcare standards and combat healthcare fraud and abuse; HHS implements it through regulation.

SEE ALSO: What is HIPAA? Or is it HIPPA?

The act consists of five sections (or titles). Most referenced is Title II (Administrative Simplification), which sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form. HHS’s Office for Civil Rights (OCR) enforces the privacy, security, and breach notification requirements that flow from it.

Title II is implemented and extended by several later rules:

  • Privacy Rule (2003): covers the permitted uses and disclosures of PHI, patients’ rights over it, and compliance standards
  • Security Rule (2005): sets the administrative, physical, and technical safeguards required to protect ePHI
  • Enforcement Rule (2006): sets the procedures for investigating complaints and penalizing noncompliant organizations
  • HITECH Act (2009): not a HIPAA rule but a separate statute that promotes the adoption and meaningful use of health information technology and strengthens HIPAA enforcement
  • Breach Notification Rule (2009): sets the procedures for notifying individuals, HHS, and, where applicable, the media of breaches of unsecured PHI

And of course, the Omnibus Rule, published in January 2013 with a compliance deadline of September 23, 2013. It is sometimes called the Final Omnibus Rule or the Omnibus Final Rule.

RELATED: Understanding and implementing HIPAA rules

Generally, HIPAA requires covered entities to implement reasonable and appropriate safeguards to prevent data breaches and protect patients’ PHI. If they do not, they may face an OCR investigation or audit and penalties for a HIPAA violation.

The Omnibus Rule

In general, the Omnibus Rule updates the earlier HIPAA rules and implements provisions of the HITECH Act. So rather than being new, Omnibus strengthens and expands what is already in place.

It aims to further safeguard patient privacy and PHI in a digital world. This of course includes electronic health records (EHR).

SEE ALSO: HIPAA amendment incentivizes cybersecurity best practices

The idea is to enhance confidentiality and security while also increasing the accountability of healthcare providers and of the vendors that handle PHI on their behalf.

Reporting breaches

Under the Breach Notification Rule, organizations must notify affected individuals of any breach of unsecured PHI, notify HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and, for breaches affecting 500 or more residents of a state or jurisdiction, notify the media. The Omnibus Rule changed the test for what counts as a reportable breach.

RELATED: What to do after you violate HIPAA

Before Omnibus, a covered entity could decide for itself whether an incident posed a significant risk of harm and therefore had to be reported. Omnibus replaced that harm standard with a presumption: every impermissible use or disclosure of PHI is a breach unless the organization can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. The assessment must weigh at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Unless the assessment shows a low probability of compromise, the incident must be reported.

SEE ALSO: New version of HHS Security Risk Assessment Tool released

Because the burden now falls on the organization to show that an incident was not a breach, this change has led to an increase in the number of breaches reported.

Individual rights and protections

Omnibus also improved patient privacy protections, giving individuals more control of their PHI. In most cases, healthcare organizations now need the patient’s written authorization (or, for fundraising, must honor a clear opt-out) before using or disclosing PHI for:

  • Marketing
  • Fundraising
  • Sale of PHI
  • Sharing with third parties outside treatment, payment, and healthcare operations
  • Research (Omnibus also allowed a single authorization to cover both a study and future research uses)

SEE ALSO: Permitted use and disclosure of protected health information (PHI) under HIPAA

Moreover, Omnibus strengthened individuals’ right of access to their PHI, including the right to receive an electronic copy of ePHI held in an EHR. OCR has since enforced this actively: it launched its HIPAA Right of Access Initiative in 2019 and announced a string of settlements under it in 2020.

Business associate liability

While the HITECH Act made business associates directly liable for their own compliance, Omnibus solidified enforcement. One of the ways it did this was by broadening the definition of a business associate to include subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate, along with entities such as health information organizations and personal health record vendors acting on behalf of a covered entity.

In other words, business associates (and their subcontractors) are directly subject to the Security Rule and to the Privacy Rule provisions that apply to them, and OCR can audit and fine them directly for noncompliance. Business associates must also have written agreements in place with their own subcontractors.

SEE ALSO: HIPAA Privacy Rule for business associates

It is necessary to note that OCR may still penalize covered entities for breaches caused by their business associates, particularly where the business associate acts as the covered entity’s agent. The practical consequence is that covered entities need a rigorous vetting process for third-party vendors and a signed business associate agreement with each one.

Other changes

Here are some additional pertinent modifications to HIPAA. The Omnibus Rule:

  • Prohibits most health plans from using or disclosing genetic information for underwriting purposes, implementing the Genetic Information Nondiscrimination Act (GINA).
  • Allows covered entities to disclose proof of immunization to a school, where state law requires the school to have it, on the documented agreement of the parent, guardian, or patient rather than a signed authorization.
  • Incorporates the increased, tiered civil penalty structure provided by the HITECH Act, with penalty amounts scaled to the level of culpability.

Ultimately, the modifications made by Omnibus require covered entities to update their notices of privacy practices, business associate agreements, internal policies, and access authorization procedures, and to ensure that employee training reflects the changes.

Omnibus and email communication

One final aspect of HIPAA that Omnibus touches on is email communication with patients. A patient can email their own PHI to a healthcare provider, and HHS noted in the Omnibus rulemaking that a provider may honor a patient’s request to receive PHI by unencrypted email once the patient has been warned of the risk.

SEE ALSO: Does the HIPAA Privacy Rule allow healthcare providers to communicate with patients through email?

For the organization’s own communications, however, encryption is the safe course. The Security Rule treats encryption of ePHI in transit as an addressable specification, and only PHI encrypted in line with HHS guidance counts as “secured.” A misdirected or intercepted unencrypted email containing PHI is therefore a presumed breach under Omnibus and must be reported unless a risk assessment shows a low probability of compromise. Healthcare organizations should leverage strong outbound email security in order to send HIPAA compliant email.

RELATED: How to send HIPAA compliant email

This is what Paubox Email Suite does by encrypting all outgoing messages by default.

In a nutshell, our solution is secure as well as simple to use, and it integrates with platforms such as Google Workspace and Microsoft 365. Paubox Email Suite lets you communicate electronically with your patients while remaining compliant with HIPAA and its amendments, including the Omnibus Rule.

Try Paubox Email Suite for FREE today.