The Omnibus Rule: Major Changes

May 31, 2013 | Health Services

On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released the final Omnibus Rule (“Omnibus Rule” or “Final Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. As described by HHS OCR Director Leon Rodriguez, “[t]his final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

The importance of compliance with the Omnibus Rule has never been greater. During 2011-2012, HHS conducted an Audit Pilot Program that assessed the HIPAA compliance of 115 covered entities. Based on the results of that program, HHS developed an Audit Protocol setting out the requirements against which covered entities and business associates will be measured in performance audits. In light of the success of the Audit Pilot Program, HHS is expected to continue to develop and expand the program, leading to an increase in audits of covered entities and business associates.

The Omnibus Rule became effective March 26, 2013, and compliance is required by September 23, 2013. This alert outlines the major changes adopted in the Final Rule.[1]

Breach Notification

The Omnibus Rule changed the breach standard from a “significant risk of harm” standard to a “probability that data was compromised” standard. The prior standard focused on whether the incident created a significant risk of financial, reputational or other harm to the individual in determining whether the incident was reportable. That standard did not create a presumption that a breach had occurred.

Under the Omnibus Rule, an unauthorized acquisition, access, use or disclosure of protected health information (“PHI”) is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. This change will likely lead to increased reporting by covered entities and business associates.

The risk assessment used to determine whether PHI has been compromised must consider at least the following four factors:

a)      The nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification of the individual);

b)      The identity of the unauthorized person who used the PHI or to whom the disclosure was made;

c)      Whether the PHI was actually acquired or viewed (which can be determined through a forensic analysis); and

d)     The extent to which the risk to the PHI has been mitigated.

Notice of Privacy Practices

The Omnibus Rule requires covered entities to make several changes to their Notice of Privacy Practices. Every covered entity’s notice must now include the following:

a)      A statement that the following uses and disclosures will be made only with authorization from the individual:

i)        Uses and disclosures for marketing purposes;

ii)      Uses and disclosures that constitute the sale of PHI; and

iii)    Most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy notes).

b)      A general statement that all uses and disclosures not described in the notice also require written authorization;

c)      A statement that the covered entity is required by law to notify affected individuals following a breach of unsecured PHI;

d)     A provision notifying patients of their right to opt out of fundraising communications; and

e)      A statement describing the individual’s right to restrict disclosures of PHI to a health plan where the individual has paid for the item or service out of pocket and in full.

The revised notice must be distributed to new patients and made available to existing patients upon request. Additionally, it must be posted both on the provider’s website and in a prominent location on the premises.

Business Associates

The Omnibus Rule expanded the definition of business associate to include subcontractors that perform functions for, or provide services to, a business associate, if the subcontractor creates, receives, maintains or transmits PHI on behalf of the business associate. All business associates and their subcontractors must comply with the HIPAA Security Rule standards. Business associates are required to develop comprehensive written HIPAA policies and procedures and to enter into agreements with covered entities and subcontractors that contain the provisions required by the HIPAA Privacy and Security Rules.

The “minimum necessary” standard was also extended to business associates and their subcontractors.  These entities are required to “make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” 

New business associate agreements must comply with the Omnibus Rule by September 23, 2013. If an existing business associate agreement complied with the pre-Omnibus rules, the parties have one additional year, until September 22, 2014, to bring the agreement into compliance. Specifically, if such an agreement is not renewed or modified between March 26, 2013 and September 23, 2013, it will be deemed compliant until the date it is next renewed or modified or until September 22, 2014, whichever is earlier.

Marketing
Prior to the Omnibus Rule, covered entities were permitted to send communications to patients about the products and services of third parties as long as the communications were for treatment purposes or recommended alternative therapies. The covered entity was not required to obtain the patient’s written authorization for such communications, even where it received remuneration from the third party whose products or services were the subject of the communication.

The Final Rule significantly changed this by requiring patient authorization for treatment and health care operations communications whenever the covered entity receives financial remuneration for making the communication from the third party whose product or service is being marketed. The authorization must state that the covered entity is receiving such remuneration.

The exceptions to the marketing authorization requirement are:

a)      Refill reminders or other communications about a drug or biologic currently prescribed to the individual, but only if any financial remuneration the covered entity receives for making the communication is reasonably related to its cost of making the communication. Only the cost of labor, supplies and postage may be included;

b)      Face-to-face communications made by the covered entity to the individual, even if remuneration is received from a third party, and promotional gifts of nominal value provided by the covered entity (telephone communications are not face-to-face communications);

c)      Communications promoting health in general that do not promote a product or service from a particular provider; and

d)     Communications about government and government-sponsored programs. 

Sale of PHI

The Omnibus Rule adopted HITECH’s prohibition on the sale of PHI. The Final Rule expressly prohibits covered entities and business associates from receiving direct or indirect remuneration in exchange for the disclosure of PHI unless they have first obtained the patient’s authorization or an exception applies.

The Final Rule requires patient authorization for virtually any sale of PHI. An authorization for the sale of PHI must specifically state that the covered entity is receiving remuneration in exchange for the PHI and whether the recipient may further exchange the PHI for remuneration. Unlike the marketing provisions, this prohibition is not limited to financial remuneration.

The exceptions for the sale of PHI are: 

a)      Disclosures for public health purposes;

b)      Certain disclosures for research purposes (if remuneration is limited to a reasonable, cost-based fee to prepare and transmit the PHI);

c)      Disclosures for treatment of the individual and payment purposes;

d)     Disclosures for the sale, transfer, merger or consolidation of all or part of a covered entity and related due diligence;

e)      Disclosures to a business associate for activities the business associate undertakes on behalf of the covered entity under a business associate agreement (or that a subcontractor undertakes on behalf of the business associate), if the only remuneration provided is for the performance of those activities;

f)       Disclosures to provide individuals with access to their PHI or an accounting of disclosures;

g)      Disclosures required by law, even where compensation changes hands as a result of the disclosure (e.g., a copying fee for medical records, a cost-based fee for an accounting of disclosures, or service fees under a business associate agreement); and

h)      Any other disclosures permitted by and in accordance with the HIPAA Privacy Rule if the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI. 

Fundraising
The original Privacy Rule permitted covered entities to use or disclose only an individual’s demographic information and dates of health care services for fundraising communications. 

The Final Rule significantly expanded the types of PHI that may be used or disclosed for fundraising purposes to include department of service, treating physician and outcome information. This allows covered entities to target their solicitations more precisely, particularly for service-line-specific campaigns.

The covered entity must provide each individual with a “clear and conspicuous” opportunity to opt out of fundraising communications. Covered entities have flexibility in choosing the opt-out method, but the method must not be unduly burdensome. The covered entity may also establish a method by which an individual can opt back in.

Childhood Immunizations

Under the original Privacy Rule, covered entities were required to obtain written authorization before disclosing student immunization information. 

The Final Rule permits a covered entity to disclose proof of immunization to a school where the school is required by law to have such information before admitting the student. Written authorization is no longer required, but the covered entity must obtain, and document, either written or oral agreement from a parent or guardian (or from the individual, if the individual is an adult or emancipated minor). Because a signature is not required, covered entities have flexibility to determine the appropriate form of documentation.

Individual Rights

Restrict Disclosure to Health Plans:  Under the old rule, individuals could request restrictions on the use or disclosure of their PHI for treatment, payment and health care operation purposes, as well as for disclosures to family members and certain other permitted purposes. However, covered entities were not required to agree to such requests for restrictions. 

The Final Rule changed this by providing that a covered entity must comply with an individual’s request to restrict disclosure of PHI to a health plan if: (1) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan acting on the individual’s behalf, has paid the covered entity in full. Covered entities will need to develop methods for flagging restricted PHI in the patient’s record so that it is not inadvertently released to the health plan.

Access to PHI: The Omnibus Rule expanded the right of individuals to access their PHI. A covered entity that maintains PHI electronically must now provide access in the electronic form and format requested by the individual if it is readily producible, or, if not, in a readable electronic form and format agreed to by the parties. If the parties cannot agree on a format, the information must be provided in hard copy. An individual may receive his or her PHI by unencrypted e-mail only if the individual has been advised of the risk and still requests that form of transmission.

Timing: Under the previous regulations, a request for access had to be approved or denied, and if approved, access or a copy provided, within 30 days of the request. Where the requested records were accessible only from an off-site location, the covered entity had an additional 30-day period to respond. In extenuating circumstances where access could not be provided within these timeframes, the covered entity could take a one-time 30-day extension if it notified the individual of the need for the extension within the original timeframe.

The Omnibus Rule retains the requirement that a covered entity provide access to PHI within 30 days, as well as the one-time 30-day extension for extenuating circumstances. However, the Final Rule eliminated the additional 30-day period for PHI not maintained or accessible on site. Therefore, all PHI, regardless of where it is stored, must be provided within 30 days of the request for access, unless extenuating circumstances extend that timeframe by an additional 30 days.

[1]   For the complete text of the Omnibus Rule, see 78 Fed. Reg. 5566.
