{"id":10227,"date":"2024-07-12T09:59:29","date_gmt":"2024-07-12T08:59:29","guid":{"rendered":"https:\/\/futuramo.com\/blog\/?p=10227"},"modified":"2024-07-12T09:59:50","modified_gmt":"2024-07-12T08:59:50","slug":"what-the-hipaa-omnibus-rule-changed-for-healthcare-companies","status":"publish","type":"post","link":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/","title":{"rendered":"What the HIPAA Omnibus Rule Changed for Healthcare Companies"},"content":{"rendered":"\n<p>Nowadays, it seems that in every industry, regulatory guidelines are constantly evolving. New threats emerge all the time, business practices change, and technology forces governance groups to rethink how they can protect consumers and secure their data. HIPAA, perhaps the most important regulatory mandate <a href=\"https:\/\/futuramo.com\/blog\/optimizing-your-practice-a-deep-dive-into-innovative-software-solutions\/\">for healthcare companies<\/a> and service providers, has evolved numerous times through the years.<\/p>\n\n\n\n<p>Since the Health Insurance Portability and Accountability Act was <a href=\"https:\/\/aspe.hhs.gov\/reports\/health-insurance-portability-accountability-act-1996\">first established in 1996<\/a>, it has been refined, upgraded, and adjusted with various new rules. The <a href=\"https:\/\/www.paubox.com\/blog\/what-is-hipaa-omnibus-rule\">HIPAA Omnibus Rule<\/a>, introduced in 2013 by the Department of Health and Human Services, is one of the most significant updates so far.&nbsp;<\/p>\n\n\n\n<p>But what exactly is this rule, and how does it affect healthcare teams and their business associates? 
Here\u2019s everything you need to know.&nbsp;<\/p>\n\n\n\n<h2 id=\"what-is-the-hipaa-omnibus-rule\">What Is the HIPAA Omnibus Rule?<\/h2>\n\n\n\n<p>The Omnibus Rule was established to help consolidate and clarify various aspects of HIPAA\u2019s guidelines, such as the privacy rule, security rule, and breach notification rule.&nbsp;<\/p>\n\n\n\n<p>On a broad level, it asked healthcare professionals and companies to alter their Business Associate Agreements, ensure third parties were complying with HIPAA\u2019s security rules, and adjust their approach to communicating with patients about potential breaches.&nbsp;<\/p>\n\n\n\n<p>The HIPAA Omnibus Rule is part of a long line of improvements to HIPAA guidelines. While HIPAA\u2019s privacy rules came into force in 2003, the regulations have continued to evolve since.&nbsp;<\/p>\n\n\n\n<p>In the early 2000s, technology evolved, reshaping how healthcare companies collect patient data and work with specialists to deliver services. The healthcare industry has also moved from paper records to health information technology, which led to a new range of threats.&nbsp;<\/p>\n\n\n\n<p>In 2009, Congress passed the HITECH Act to extend the definition of \u201cBusiness Associate\u201d and bring new entities into the HIPAA landscape.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This Act also increased penalties for HIPAA violations, while boosting privacy protections, and adding new restrictions for the use of electronic PHI in marketing activities. By 2013, the Department of Health and Human Services needed to simplify HIPAA compliance, while balancing clinical and economic health, leading to the creation of the Omnibus Rule.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 id=\"the-major-changes-created-by-the-omnibus-rule\">The Major Changes Created by the Omnibus Rule<\/h2>\n\n\n\n<p>The HIPAA Omnibus Rule has led to numerous changes in how healthcare companies can safely and securely use software and technology, and how they should store and protect data. 
Here are some of the biggest changes initiated by the rule.&nbsp;<\/p>\n\n\n\n<h3 id=\"evolutions-in-patient-access-and-control\">Evolutions in Patient Access and Control<\/h3>\n\n\n\n<p>The Omnibus Rule provides patients with more rights to determine how organizations can use their healthcare information.&nbsp;<\/p>\n\n\n\n<p>It also ensures individuals can request access to electronic copies of their Protected Health Information at any time. Today, failure to provide patients with this information is considered a \u201ccritical compliance failure.\u201d&nbsp;<\/p>\n\n\n\n<p>The rule also changed guidelines related to the disclosure of electronic PHI, establishing that covered entities must follow any requests made by patients not to disclose their PHI to healthcare service providers.<\/p>\n\n\n\n<h3 id=\"updating-breach-notifications\">Updating Breach Notifications<\/h3>\n\n\n\n<p>One major change initiated by the Omnibus Rule influences how healthcare companies and other covered entities inform patients about potential data breaches. In the past, to <a href=\"https:\/\/futuramo.com\/blog\/can-your-organization-balance-compliance-and-new-security-strategies\/\">remain compliant<\/a>, companies only had to send notifications to patients if there was a risk of harm being caused to more than 500 individuals. The new rule makes the number of records impacted by a breach irrelevant.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Organizations need to ensure they can prove that security incidents didn\u2019t compromise a patient\u2019s private data, or they need to submit a breach notice. 
For instance, if an employee accidentally fell victim to a scam that gave an outside entity access to an email system, the entity would need to prove the emails were encrypted and unreadable, or submit a breach notice.&nbsp;<\/p>\n\n\n\n<p>Notably, the Omnibus Rule also introduced a new four-stage process for risk assessment, intended to streamline incident responses, and immediately inform covered entities whether they need to inform regulators and individuals of breaches.&nbsp;<\/p>\n\n\n\n<h3 id=\"selling-phi-and-marketing-restrictions\">Selling PHI and Marketing Restrictions<\/h3>\n\n\n\n<p>Thanks to the Omnibus Rule, all HIPAA-compliant organizations now need to obtain written, explicit consent from individuals before they sell healthcare data to any other party.&nbsp;<\/p>\n\n\n\n<p>Individuals also have the right to prevent parties from selling their personal health information. Although organizations can still sell PHI with consent, they need to make it clear that they do this in their privacy policies.<\/p>\n\n\n\n<p>Additionally, the Omnibus Rule requires explicit consent from patients to use personal health information in marketing operations. Providers can\u2019t simply provide patient details to pharmaceutical companies or device manufacturers without consent, and they can\u2019t use PHI to drive their marketing strategies without the consent of their patients.<\/p>\n\n\n\n<h3 id=\"genetic-information-research-and-reasonable-disclosures\">Genetic Information, Research, and Reasonable Disclosures<\/h3>\n\n\n\n<p>The Omnibus Rule combines HIPAA regulations with the Genetic Information Nondiscrimination Act (GINA), introduced in 2008. 
This law shields individuals from being discriminated against by providers based on their genetic makeup, meaning that covered entities can\u2019t use genetic data about a patient to make decisions about pricing or insurance coverage.&nbsp;<\/p>\n\n\n\n<p>Elsewhere, the 2013 HIPAA update has made it easier in some ways for companies to collect data for research and analysis purposes. For instance, healthcare organizations can obtain consent for research participation in multiple studies using a single form. Researchers also have a method in place for obtaining \u201cprospective\u201d consent for future studies.&nbsp;<\/p>\n\n\n\n<p>Additionally, the Omnibus Rule introduced the concept of \u201creasonable disclosure,\u201d which means that healthcare providers can more easily share student immunization information with schools, with agreement from a parent or guardian.&nbsp;<\/p>\n\n\n\n<h3 id=\"changes-in-regulatory-fines\">Changes in Regulatory Fines<\/h3>\n\n\n\n<p>Finally, the Omnibus Rule introduced a new four-tier system of penalties for those who violate HIPAA guidelines. When deciding on penalties, the Office for Civil Rights now needs to take into account:&nbsp;<\/p>\n\n\n\n<ul><li>How long the violation lasted<\/li><li>The number of affected individuals<\/li><li>The impact of the violation on patient privacy and safety<\/li><\/ul>\n\n\n\n<p>HIPAA currently caps annual penalties at $1.5 million for each different type of violation, which significantly increased the largest penalty companies can be given.&nbsp;<\/p>\n\n\n\n<h2 id=\"managing-the-changes-created-by-the-omnibus-rule\">Managing the Changes Created by the Omnibus Rule<\/h2>\n\n\n\n<p>Ultimately, complying with the new standards implemented by the Omnibus Rule is mandatory for all Business Associates and healthcare companies (or covered entities). 
Even though it was enacted over a decade ago, the patchwork nature of regulatory frameworks has left many healthcare organization leaders overwhelmed and confused.&nbsp;<\/p>\n\n\n\n<p>To be fully HIPAA compliant, you\u2019ll need to:<\/p>\n\n\n\n<ul><li><strong>Carefully assess security and privacy practices. <\/strong>Reconcile consent processes to reflect the requirements of the Omnibus Rule, and ensure patients are informed of their rights.<\/li><li><strong>Update Business Associate Agreements. <\/strong>BAAs should require all associates to follow the latest HIPAA security rules, and must cover all relevant privacy rules.&nbsp;<\/li><li><strong>Improve risk assessment policies.<\/strong> Business leaders will need to implement four-step risk assessment plans for PHI exposure, and amend their notification policies.&nbsp;<\/li><li><strong>Train employees.<\/strong> Update training and implement new strategies for detecting breaches. Educate both employees and associates on HIPAA rule requirements.<\/li><li><strong>Audit marketing agreements.<\/strong> Revisit patient marketing consent agreements and contracts with third parties, and end any non-compliant collaborations.<\/li><\/ul>\n\n\n\n<h2 id=\"make-sure-you-follow-the-hipaa-omnibus-rule\">Make Sure You Follow the HIPAA Omnibus Rule<\/h2>\n\n\n\n<p>The HIPAA Omnibus Rule has introduced new requirements for covered entities and business associates alike. Failure to adhere to them could put organizations at risk of significant fines, reputation damage, and loss of patient trust. Make sure your strategy aligns with these updates, and ensure you\u2019re staying current with new policies and rules as they emerge.<\/p>\n","protected":false},"excerpt":{"rendered":"Nowadays, it seems that in every industry, regulatory guidelines are constantly evolving. 
New threats emerge all the time,&hellip;\n","protected":false},"author":2,"featured_media":10229,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"csco_singular_sidebar":"","csco_page_header_type":"","csco_page_load_nextpost":"","csco_post_video_location":[],"csco_post_video_url":"","csco_post_video_bg_start_time":0,"csco_post_video_bg_end_time":0},"categories":[119,1339,2256,2585],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v18.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>HIPAA Omnibus Rule: Key Changes and Compliance Guidelines<\/title>\n<meta name=\"description\" content=\"Learn about the significant changes introduced by the HIPAA Omnibus Rule, including patient access, breach notifications, and marketing restrictions.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HIPAA Omnibus Rule: Key Changes and Compliance Guidelines\" \/>\n<meta property=\"og:description\" content=\"Learn about the significant changes introduced by the HIPAA Omnibus Rule, including patient access, breach notifications, and marketing restrictions.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/\" \/>\n<meta property=\"og:site_name\" content=\"Helping teams work better \u2014 insights on productivity, collaboration, marketing, and the tools that make it happen | Futuramo Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-12T08:59:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-12T08:59:50+00:00\" \/>\n<meta 
property=\"og:image\" content=\"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2024\/07\/20374.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"1335\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Futuramo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/futuramo.com\/blog\/#website\",\"url\":\"https:\/\/futuramo.com\/blog\/\",\"name\":\"Helping teams work better \u2014 insights on productivity, collaboration, marketing, and the tools that make it happen | Futuramo Blog\",\"description\":\"Exploring Innovation, Effectiveness, and Creativity Across Industries \",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/futuramo.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#primaryimage\",\"url\":\"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2024\/07\/20374.jpg\",\"contentUrl\":\"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2024\/07\/20374.jpg\",\"width\":2000,\"height\":1335,\"caption\":\"Image by pressfoto on Freepik\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#webpage\",\"url\":\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/\",\"name\":\"HIPAA Omnibus Rule: Key 
Changes and Compliance Guidelines\",\"isPartOf\":{\"@id\":\"https:\/\/futuramo.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#primaryimage\"},\"datePublished\":\"2024-07-12T08:59:29+00:00\",\"dateModified\":\"2024-07-12T08:59:50+00:00\",\"author\":{\"@id\":\"https:\/\/futuramo.com\/blog\/#\/schema\/person\/98b5eca5abfaece04786f8a04ec93902\"},\"description\":\"Learn about the significant changes introduced by the HIPAA Omnibus Rule, including patient access, breach notifications, and marketing restrictions.\",\"breadcrumb\":{\"@id\":\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/futuramo.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What the HIPAA Omnibus Rule Changed for Healthcare Companies\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/futuramo.com\/blog\/#\/schema\/person\/98b5eca5abfaece04786f8a04ec93902\",\"name\":\"Futuramo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/futuramo.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2021\/11\/Futuramo_avatar-96x96.png\",\"contentUrl\":\"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2021\/11\/Futuramo_avatar-96x96.png\",\"caption\":\"Futuramo\"},\"url\":\"https:\/\/futuramo.com\/blog\/author\/adminek\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"HIPAA Omnibus Rule: Key Changes and Compliance Guidelines","description":"Learn about the significant changes introduced by the HIPAA Omnibus Rule, including patient access, breach notifications, and marketing restrictions.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/","og_locale":"en_US","og_type":"article","og_title":"HIPAA Omnibus Rule: Key Changes and Compliance Guidelines","og_description":"Learn about the significant changes introduced by the HIPAA Omnibus Rule, including patient access, breach notifications, and marketing restrictions.","og_url":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/","og_site_name":"Helping teams work better \u2014 insights on productivity, collaboration, marketing, and the tools that make it happen | Futuramo Blog","article_published_time":"2024-07-12T08:59:29+00:00","article_modified_time":"2024-07-12T08:59:50+00:00","og_image":[{"width":2000,"height":1335,"url":"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2024\/07\/20374.jpg","type":"image\/jpeg"}],"twitter_card":"summary","twitter_misc":{"Written by":"Futuramo","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/futuramo.com\/blog\/#website","url":"https:\/\/futuramo.com\/blog\/","name":"Helping teams work better \u2014 insights on productivity, collaboration, marketing, and the tools that make it happen | Futuramo Blog","description":"Exploring Innovation, Effectiveness, and Creativity Across Industries ","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/futuramo.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#primaryimage","url":"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2024\/07\/20374.jpg","contentUrl":"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2024\/07\/20374.jpg","width":2000,"height":1335,"caption":"Image by pressfoto on Freepik"},{"@type":"WebPage","@id":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#webpage","url":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/","name":"HIPAA Omnibus Rule: Key Changes and Compliance Guidelines","isPartOf":{"@id":"https:\/\/futuramo.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#primaryimage"},"datePublished":"2024-07-12T08:59:29+00:00","dateModified":"2024-07-12T08:59:50+00:00","author":{"@id":"https:\/\/futuramo.com\/blog\/#\/schema\/person\/98b5eca5abfaece04786f8a04ec93902"},"description":"Learn about the significant changes introduced by the HIPAA Omnibus Rule, including patient access, breach notifications, and marketing 
restrictions.","breadcrumb":{"@id":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/futuramo.com\/blog\/what-the-hipaa-omnibus-rule-changed-for-healthcare-companies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/futuramo.com\/blog\/"},{"@type":"ListItem","position":2,"name":"What the HIPAA Omnibus Rule Changed for Healthcare Companies"}]},{"@type":"Person","@id":"https:\/\/futuramo.com\/blog\/#\/schema\/person\/98b5eca5abfaece04786f8a04ec93902","name":"Futuramo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/futuramo.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2021\/11\/Futuramo_avatar-96x96.png","contentUrl":"https:\/\/futuramo.com\/blog\/wp-content\/uploads\/2021\/11\/Futuramo_avatar-96x96.png","caption":"Futuramo"},"url":"https:\/\/futuramo.com\/blog\/author\/adminek\/"}]}},"_links":{"self":[{"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/posts\/10227"}],"collection":[{"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/comments?post=10227"}],"version-history":[{"count":1,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/posts\/10227\/revisions"}],"predecessor-version":[{"id":10228,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/posts\/10227\/revisions\/10228"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/media\/10229"}],"wp:attachment"
:[{"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/media?parent=10227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/categories?post=10227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/futuramo.com\/blog\/wp-json\/wp\/v2\/tags?post=10227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}