The HIPAA Omnibus Rule of 2013 made major changes to the HIPAA Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule in order to implement the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. It extended direct compliance obligations and liability to Business Associates and their subcontractors, tightened the rules on marketing and on the sale of protected health information, strengthened individual rights, and replaced the earlier breach standard with a presumption of breach: notification is required unless a documented risk assessment shows a low probability that the protected health information was compromised.
The rule made Business Associates directly liable for compliance with the applicable provisions of the HIPAA Security Rule and with certain provisions of the HIPAA Privacy Rule, and it treated subcontractors that create, receive, maintain, or transmit protected health information on behalf of a Business Associate as Business Associates in their own right. Business associate agreements had to be updated to reflect these responsibilities and to address the downstream handling of protected health information by subcontractors.
The rule revised breach analysis by removing the earlier harm-based standard and establishing a presumption that any impermissible use or disclosure of unsecured protected health information is a breach unless the covered entity or Business Associate demonstrates, through a documented risk assessment, a low probability that the information was compromised. The assessment must consider at least four factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the information or to whom it was disclosed; whether the information was actually acquired or viewed; and the extent to which the risk has been mitigated.
The rule tightened the controls on using and disclosing protected health information for marketing and fundraising, and it set conditions and authorization requirements for disclosures made in exchange for remuneration, including the sale of protected health information. It also strengthened individual rights by giving individuals access to electronic copies of protected health information held in designated record sets and by reinforcing the right to restrict disclosures to a health plan for services the individual has paid for out of pocket in full, where the restriction request meets the regulatory conditions.
The rule also incorporated the statutory enforcement changes, adopting the tiered civil money penalty structure, in which penalty levels rise with the degree of culpability, and clarifying enforcement authority and obligations across all regulated entities.
