Navigating the Complexities of Omnibus Rule HIPAA Compliance

Meeba Gracy

Mar 06, 2024

Every year, a large number of data breaches happen in the US healthcare system, putting the privacy of millions of patients at risk. Most of these incidents are found to involve business associates.

Now, this is worrying! This is why the federal government took a tougher stance and implemented the Omnibus Rule as part of HIPAA compliance.

In this article, we discuss what the Omnibus Rule is and the new changes you need to be aware of.

Let’s dive in…

What is the Omnibus Rule of HIPAA?

The goal of the HIPAA Omnibus Rule is to harmonize all previously passed regulations into one cohesive rule with tighter security protocols that are easier to understand and comply with. The HIPAA Omnibus Rule became effective in 2013.

All healthcare entities have had to become familiar with its provisions, and failure to comply results in serious legal and financial implications.

The HIPAA Omnibus Rule is a landmark achievement for protecting the confidential health information of consumers in the digital era. 

The final Omnibus Rule was created as a more stringent measure to protect the vital health information of patients and to give them access to their own health records. It was issued in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The rule put more responsibility on the shoulders of service providers and employers. It strengthened existing policies, increasing data security and, most importantly, giving individuals the access they need to retrieve their health records.

What is the Purpose of the HIPAA Omnibus Rule?

The Omnibus Final Rule was born out of a need to protect confidential patient information that has been entrusted to healthcare providers and their business partners.

The regulations of this law update and expand upon the provisions of HIPAA's Privacy, Security, Enforcement, and Breach Notification Rules. It also grants individuals additional rights concerning their protected health information, allowing them to request copies of their medical information and to obtain an overview of how their personal data may have been shared or used.

What are the new changes in the HIPAA Omnibus Rule?

The HIPAA Omnibus Rule requires healthcare professionals to update their Business Associate Agreements, verify that business associates are complying with the HIPAA Security Rule, and obtain assurances that Notices of Privacy Practices have been updated.

Here are the changes in detail:

Breach Notification

The way significant security breaches are reported has changed dramatically with HHS's new approach to breach notification. Prior to the Omnibus Rule, only a breach affecting 500 or more customers' data necessitated an official notification; any smaller breach was disregarded.

However, the new changes require businesses to treat any impermissible use or disclosure of Protected Health Information (PHI) as a reportable breach, regardless of the number of people it has affected.

This change is likely to result in a spike in reported security breaches.

To determine whether this presumption of a breach holds in a given case, covered entities and business associates should perform a rigorous risk analysis. Doing so helps them avoid unnecessary notifications, even though HHS clearly expects the new standard to result in more breaches being reported.

HIPAA Omnibus Rule and Business Associates

Under this rule, the Privacy Rule and the Security Rule are now enforced directly against business associates, which provide services to healthcare entities, and against their subcontractors.

Clearly, existing business associate agreements will need to be updated by those affected so as to comply with the new requirements that result from this change.

Moreover, covered entities are urged to improve their processes for reviewing the compliance of business associates and to include liability protections in business associate contracts.

Marketing restrictions

The HIPAA Privacy Rule has been amended by the Omnibus Rule to create tighter restrictions on the use of PHI for marketing purposes. For instance, if a third party, such as a pharmaceutical company, is compensating a covered entity for any given communication while promoting its own product, then patient authorization is required. This empowers individuals to control how their PHI is used.

Reasonable disclosures

Allowing quick and efficient release of student immunization records to schools is key to ensuring that the health and safety of students is given paramount importance while complying with state law. The reasonable disclosure provision has made the process of sharing student immunization information with schools very simple.

Covered entities can now release immunization records with documented agreement from a parent or guardian. This helps streamline communication between healthcare organizations and educational institutions as required by state law.

Genetic information

The Genetic Information Nondiscrimination Act of 2008 shields individuals from discrimination based on their genetic make-up. The Omnibus Rule extends these protections by incorporating this sensitive information into HIPAA's privacy regulations.

The HIPAA Omnibus Rule has made great strides in simplifying consent requirements for research participation. This change allows a single form to cover multiple studies that previously would have required multiple forms. Researchers also now have a way to obtain prospective consent for future studies. These updates serve as a milestone for guiding the safe collection of PHI.

The Omnibus Rule put strict guidelines in place to ensure that organizations that commit violations face serious consequences. Penalties can reach up to $1.5 million per identical violation type per year. While this may seem harsh, the rule serves to maintain trust between consumers and organizations while deterring businesses or entities from reckless behavior that could endanger consumer privacy and data security.

Privacy Changes

The Omnibus Rule is a critical piece in addressing the security and privacy of PHI. It attempts to answer numerous important questions surrounding the use of PHI, including:

  • The use of PHI in marketing and fundraising materials or events
  • The selling of PHI without express consent from a patient
  • Student immunization record disclosures
  • Patient rights regarding disclosure of their PHI to health plans
  • An individual's ability to access their ePHI

It's safe to say that the use of PHI for any purpose outside of healthcare is tightly restricted here.

Find out how Sprinto is helping organizations become and stay HIPAA-Certified

As a cloud-hosted business associate, compliance with the HIPAA Omnibus Rule is critical to your success and growth. Sprinto provides the ideal platform to keep up with the ongoing requirements of keeping your business in line with these regulations.

Automated processes make sure your rules and security protocols are constantly updated to deliver expected performance, thus enabling you to attain complete overall compliance.

The in-app features allow you to monitor safeguards, manage vendors and subcontractors, as well as provide in-built HIPAA training for staff members. 

Also, a real-time dashboard view of your compliance status is available at all times. Get in touch today to find out how Sprinto can help you get compliant and stay secure!


What is the primary purpose of the omnibus rule?

The HIPAA Omnibus Rule was recently instituted to strengthen the security of sensitive health data, particularly in digital formats, and to grant patients greater access to their personal medical details.

When was the Omnibus Rule passed?

On January 17, 2013, HHS released the Omnibus Rule, which merged and superseded four earlier proposed rules and interim final rules. The rule came into effect on March 26 of the same year.

How long does the Omnibus Rule apply?

The Omnibus Rule is designed to ensure that HIPAA protection lasts for up to 50 years following the death of an individual. Additionally, the rule gives covered entities more freedom when disclosing a decedent's PHI to those who were involved in caring and paying for them prior to their passing.

Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
