HIPAA Omnibus Rule of 2013

“The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.”

- Kathleen Sebelius, HHS Secretary

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was published, creating new provisions for the HIPAA privacy and security regulations. The majority of the HITECH regulation focused on changes to the HIPAA privacy regulations; however, changes were also made to the requirements for breach notification and to business associates' liabilities and business associate agreements. On January 25, 2013, the HIPAA Omnibus Rule was published in the Federal Register, making the final modifications to the HIPAA privacy and security rules. The Omnibus Rule also made changes relating to enforcement, the breach notification rules, and the Genetic Information Nondiscrimination Act (GINA). The Omnibus Rule of 2013 did not address the provisions for accounting of disclosures, minimum necessary guidance, and distribution of monetary penalties to individuals impacted.

The major components of the HIPAA Omnibus Rule of 2013 address:

  • Business associates’ liability and requirement changes
  • Marketing and protected health information
  • Sale of protected health information
  • Compound authorizations for research, and authorizing for future research studies
  • Decedents and protected health information
  • Disclosures of a decedent’s protected health information to family members and others involved in the decedent’s care
  • Disclosure of immunization information to schools
  • Fundraising and protected health information
  • The need to update and distribute the notice of privacy practices
  • Patients’ right to restrict disclosures of protected health information to a health plan
  • Access to protected health information in electronic formats
  • Breach notification rule updates
  • Genetic information is considered protected health information and underwriting impacts

The rule was published in the Federal Register on January 25, 2013. The new regulations went into effect on March 26, 2013, and the compliance date for the new regulations was September 23, 2013.

Tools and Resources

Department of Health and Human Resources HIPAA Omnibus Rule. Important changes have been made to the HIPAA Privacy and Security Rule. Business associates and their subcontractors have new liability, and HIPAA covered entities have new requirements. U.S. Department of Health and Human Services. (3-minute video)

Analysis of the HIPAA Omnibus Rule of 2013. AHIMA’s analysis of the changes made by the Omnibus Rule published in the Federal Register on January 25, 2013. AHIMA. (39-page PDF)

Analysis of the HIPAA Omnibus Rule of 2013. Analysis of the changes made by the Omnibus Rule published in the Federal Register on January 25, 2013. IDExperts. (8-page PDF)

Checklist for Complying with the HITECH Omnibus Rule. A checklist of all the requirements and actions necessary to comply with the changes under the HIPAA Omnibus Rule. Alston & Bird. (3-page PDF)

Checklist for Complying with the HITECH Omnibus Rule. A checklist of all the requirements and actions necessary to comply with the changes under the HIPAA Omnibus Rule. Harris Beach. (1-page PDF)

This Privacy & Security portal was originally developed by the Regional Extension Center for Minnesota and North Dakota. REACH, co-led by Stratis Health, was federally funded through the Office of the National Coordinator, Department of Health and Human Services.