HIPAA Omnibus Rule: Understanding The Final Rule

In the first half of 2025, hacking accounted for 77.6% of all large healthcare data breaches and for 96.8% of breached medical records. About 20% of data breaches were due to unauthorized access/disclosure incidents.

Ensuring that health information stays safe remains a core responsibility for businesses, and both covered entities and business associates share it. Everyone has a role to play when it comes to HIPAA compliance, a standard upheld by the Department of Health and Human Services (HHS).

The Health Insurance Portability and Accountability Act (HIPAA) sets standards to protect and monitor the disclosure of protected health information (PHI). Since its inception in 1996, the law has seen changes to its rules and structure throughout the years. One of the more recently added rules is the HIPAA Omnibus Rule, which is enforced by the Office for Civil Rights (OCR).

Today we will learn more about what the HIPAA Omnibus Final Rule is, the role it plays in healthcare compliance, and how it can help you avoid costly HIPAA violation penalties.

What are the Different HIPAA Rules?

First, let's go over some HIPAA basics. There is a collection of rules that all businesses handling health information must follow. This includes health care providers, health plans, and their business associates.

Essentially, if you work with sensitive information, you need to pay attention! These rules include the following:

  • The HIPAA Privacy Rule. This rule sets national standards for protecting personal health records. It applies to covered entities, such as health plans, health care clearinghouses, and health care providers.

  • The HIPAA Security Rule. This rule focuses on the availability, security, and confidentiality of electronic protected health information (ePHI).

  • The HIPAA Enforcement Rule. This rule establishes the standards for governing the compliance responsibilities of covered entities and business associates.

  • The Breach Notification Rule. This rule requires covered entities and BAs to provide notification following a data breach. The Federal Trade Commission enforces these specific breach notification provisions.

  • The Omnibus Rule. The Final Omnibus Rule builds off of the Enforcement Rule. It strengthens the privacy and security of sensitive health information.

Let's dive further into how the Omnibus Rule added security and privacy protections for both physical and electronic health information.

What Does the Omnibus Rule Cover?

Think of the Omnibus Rule of January 2013 as a supplemental order. The rule implements measures passed in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Omnibus Rule also finalizes the Breach Notification Rule and adds standards to include the requirements of the Genetic Information Nondiscrimination Act (GINA).

Covered entities and their business associates must follow these provisions of the new HIPAA Omnibus Rule:

  • Business associates are liable for HIPAA compliance through business associate agreements.

  • New restrictions are placed on uses and disclosures of PHI, such as for marketing and fundraising, which are prohibited unless the patient authorizes them.

  • Patient rights are expanded: patients can block disclosure of PHI to health plans when they pay out of pocket, and they can now also request electronic copies of their health information.

  • Covered entities must update their privacy notices to reflect the new rights and rules. The Notice of Privacy Practices must be available upon request.

  • Authorization rules now support research efforts and allow schools to obtain proof of immunization. They also allow family members to receive a decedent's records.

  • The rule adopts the HITECH tiered civil penalty structure, which includes "willful neglect" of HIPAA compliance among punishable offenses.

  • Organizations must assume that a breach has occurred unless they can prove otherwise. This replaces the old "harm threshold".

  • Genetic information is now protected. Health plans can no longer use genetic information for underwriting.

This new rule has had a lasting effect on HIPAA compliance standards. Let's look at how the rule has changed how businesses operate today.

HIPAA Compliance After the HIPAA Omnibus Rule

The existing HIPAA Privacy and Security Rules gained a stronger sense of patient protection under the Omnibus Rule, along with sharper enforcement of HIPAA policies and an expanded scope when it comes to compliance.

By changing the security and privacy landscape completely, the Omnibus Rule makes it clear that staying compliant is no longer a "check the box" process. It is an ongoing need for constant vigilance against cyber threats and updated policies with existing business associates.

There is now a sense that compliance is no longer just about reactive damage control. Instead, post-Omnibus HIPAA compliance focuses on proactive risk management.

Preventing HIPAA Violations Through the Omnibus Final Rule

The modifications to the HIPAA Privacy Rule, among the others, focus on closing the gaps in the provisions at the time. For instance, unclear liability when it came to vendors and business associates used to cost organizations millions in fines. The Omnibus Rule now clarifies these major requirements for preventing HIPAA violations:

  • Updating Business Associate Agreements.

  • Tightening PHI use restrictions.

  • Updating Notice of Privacy Practices.

  • Adopting the idea of "guilty until proven innocent" for possible breaches.

Small oversights can trigger massive data breaches, resulting in fines or even jail time. Healthcare organizations that prioritize their compliance must also realize that these breaches aren't just the result of hackers. They can be due to a lack of internal training, too.

How Does Regular HIPAA Training Help Maintain Compliance?

Regular HIPAA training helps you and your team stay on top of compliance standards. Having your organization keep up with compliance training yearly is a great place to start. Even the strongest procedures and policies are useless unless your team knows them!

Security protections for health information cast a wide net, whether the organization is a hospital, a private practice, or a health plan. Anyone who interacts with PHI is responsible for their own HIPAA training.

Of course, you can take training through a third-party company, such as a Governance, Risk, and Compliance focused organization. These businesses often offer e-learning services with useful training tools so that your company stays compliant. If your practice ever faces legal trouble in the wake of a breach, you're covered: you can rest assured that your investment in this type of program counts as a defense.

Why Do Compliance Mistakes Still Cost Millions?

Health care organizations continue to miss the mark when it comes to HIPAA standards. Sometimes, these HIPAA fines can reach a maximum of $2,134,831 per violation! This sort of blunder doesn't just hurt the bank, either. It also erodes patient trust and damages professional reputations.

It's obvious that failing to meet the provisions of the HIPAA Rules can be detrimental. And now the Omnibus Rule requires business associates of covered entities to face the same scrutiny. Effective in 2013, anyone with access to private health information who doesn't follow compliance standards can face serious consequences.

Here are some of the most common HIPAA mistakes you and your team should avoid at all costs:

  • Snooping on sensitive patient records.

  • Not performing a regular company-wide risk analysis.

  • Failure to handle clear security risks.

  • Lack of risk management processes.

  • Denying a patient access to their medical records, or not providing them on time.

  • Failure to enter into a compliant business associate agreement.

  • Lacking enough ePHI access controls.

  • Not issuing a breach notification within the 60-day deadline.

  • Improperly disposing of PHI.

Yet, through regular training, you can avoid these simple mistakes. Ongoing education keeps compliance at the forefront of your organization: it helps you reduce human error, fosters a sense of confidence among your team, and, finally, lets your clients know that their privacy comes first.