The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.


Long-awaited HIPAA Omnibus Rule is Unveiled

January 21, 2013, Andrew Hicks, Managing Principal, Coalfire


As of January 17, 2013, the HIPAA Omnibus Rule has finally been released by the Department of Health and Human Services (HHS); it modifies the HIPAA Privacy, Security, and Enforcement Rules. The regulatory package for this long-overdue rule will officially be posted in the Federal Register on January 25, 2013 and takes effect on March 26, 2013. Covered entities and business associates will have until September 23, 2013 to comply with the new regulations.

The release of the HIPAA Omnibus Rule not only signals that healthcare data security and patient privacy are serious business, but also that HHS is keeping pace with the industry and its technology, and that it is actively monitoring and enforcing the requirements.

The newly released HIPAA Omnibus Rule changes how many security and privacy requirements apply to business associates and their subcontractors. It also clarifies when a breach must be reported to authorities, and includes a rule spelling out that using genetic information for insurance underwriting purposes is a privacy violation under HIPAA, as well as discriminatory under the Genetic Information Nondiscrimination Act.

In a nutshell, the HIPAA Omnibus Rule comprises four major rules:

  • Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.

  • Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.

  • A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.

  • A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

While the changes will be impactful, Coalfire will be updating its existing healthcare guidance, methodology, and audit services to ensure that clients meet the new requirements. Through these updates, Coalfire will be able to assist covered entities and business associates in complying with the new regulations and will make the transition to the new HIPAA requirements as smooth as possible.
