
What is the HIPAA Omnibus rule?

The HIPAA Omnibus Rule is the 2013 final rule from the Department of Health and Human Services (HHS) that consolidated and strengthened the earlier HIPAA rules. It implemented the privacy and security changes required by the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act (GINA) of 2008, extended direct liability to business associates, and tightened the protections around patients' protected health information (PHI). Its goal is both to improve the privacy and security of PHI and to give covered entities and their business associates a single, coherent set of requirements to comply with.

Read also: How to know if you’re a business associate


The purpose of the HIPAA Omnibus Rule

The Omnibus Rule was introduced to address growing concerns about the privacy and security of patient data, particularly as records moved to electronic form. It builds on the existing HIPAA Privacy, Security, Enforcement, and Breach Notification Rules and expands individuals' rights over their PHI. Under the rule, individuals may request an electronic copy of their health information when it is held electronically, may ask that a health plan not be told about care they have paid for in full out of pocket, and gain more visibility into and control over how their PHI is used and shared.

Go deeper: 

What is the HIPAA Privacy Rule?

What is the HIPAA Security Rule?


Key changes in the HIPAA Omnibus Rule

The HIPAA Omnibus Rule brought changes that healthcare professionals and organizations must adhere to:


Breach notification

Before the Omnibus Rule, a covered entity only had to notify affected individuals if it concluded that an impermissible use or disclosure posed a significant risk of harm (the so-called "harm standard"). The Omnibus Rule replaced that standard with a presumption of breach: any impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless the covered entity or business associate can demonstrate a low probability that the PHI was compromised. That determination must be based on a documented risk assessment covering at least four factors: the nature and extent of the PHI involved, who received or used it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated. Breaches affecting 500 or more individuals must also be reported to HHS and prominent media outlets without unreasonable delay and within 60 days; smaller breaches are logged and reported to HHS annually. The change aims to increase transparency and ensure that breaches are evaluated consistently rather than dismissed as low-harm.


Business associate requirements

The Omnibus Rule made business associates, and any subcontractors that create, receive, maintain, or transmit PHI on their behalf, directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, rather than bound only through contract. Existing business associate agreements (BAAs) had to be updated to reflect the new obligations, including the requirement that business associates flow the same terms down to their subcontractors. Covered entities are also encouraged to strengthen how they review business associate compliance and to address liability and breach notification responsibilities explicitly in the contracts.


Marketing restrictions

The Omnibus Rule tightens the restrictions on marketing communications that use patient data so that individuals have greater control over their PHI. If a covered entity receives financial remuneration from a third party for a communication that promotes that third party's product or service, the communication is treated as marketing and requires the individual's prior written authorization. The rule similarly requires authorization before PHI can be sold, with limited exceptions such as public health and research activities where the payment only covers the cost of preparing and transmitting the data.


Reasonable disclosures

Efficient exchange of student immunization records between healthcare providers and schools helps protect students' health and safety. The Omnibus Rule allows a covered entity to disclose proof of immunization to a school that is required by state or other law to have it, provided the covered entity obtains and documents the agreement of a parent or guardian (or of the student, if an adult or emancipated minor). The agreement may be given orally or in writing, but the covered entity must keep a record of it; a full written HIPAA authorization is no longer required for this disclosure.


Genetic information protection

The Genetic Information Nondiscrimination Act (GINA) of 2008 protects individuals from discrimination based on their genetic information. The Omnibus Rule incorporates GINA into the HIPAA Privacy Rule by clarifying that genetic information is health information, and therefore PHI, and by prohibiting health plans (other than long-term care plans) from using or disclosing genetic information for underwriting purposes, such as setting eligibility or premiums.


Research consent requirements

The Omnibus Rule simplifies the authorization requirements for research. A single authorization may now cover future research uses of PHI, as long as it describes those uses in enough detail that a reasonable person would expect their information could be used in that way. The rule also permits compound authorizations that combine a conditioned authorization (for example, to take part in a clinical trial) with an unconditioned one (for example, to store tissue samples for later studies), provided the unconditioned part is clearly separated and the individual can opt in to it. This reduces the administrative burden of obtaining a separate authorization for every study.



Penalties for noncompliance

The Omnibus Rule finalized the tiered civil money penalty structure introduced by HITECH. Penalties scale with the level of culpability, from violations the entity did not know about and could not reasonably have known about, up to willful neglect that is not corrected, with a cap at the time of $1.5 million per year for all violations of an identical provision (the amounts have since been adjusted for inflation). The tiers are intended to deter negligence and willful neglect that could compromise patient privacy and data security.

Read also: Understanding HIPAA violations and breaches 



What is the primary purpose of the Omnibus Rule?

The primary purpose of the Omnibus Rule is to strengthen the privacy and security of sensitive health data, particularly data held in electronic form, to extend HIPAA's obligations directly to business associates, and to give patients greater access to and control over their medical information.


When was the Omnibus Rule passed?

HHS announced the Omnibus Rule on January 17, 2013; it was published in the Federal Register on January 25, 2013, became effective on March 26, 2013, and set a compliance date of September 23, 2013 for most of its requirements.


How long does the Omnibus Rule protect HIPAA data?

The Omnibus Rule limits HIPAA protection of a decedent's health information to 50 years after death; after that point the information is no longer considered PHI. It also gives covered entities more flexibility to disclose a decedent's PHI to family members and others who were involved in the individual's care or payment for care before death, unless doing so is inconsistent with a preference the individual expressed while alive.
