8 Ways HIPAA Has Changed with the Omnibus Ruling

In late 2014 NueMD released a study on HIPAA compliance in medical practices and billing companies. The survey indicated that 36% of medical practices weren’t aware there were updates to the HIPAA Law and only 38% were confident that their practice was actively implementing HIPAA compliance.

Total HIPAA Compliance has partnered with NueMD and The Daniel Brown Law Group to break down the Omnibus Law and help medical practices understand more about HIPAA and its implications.

Over the next few weeks we will post a series of blogs on NueMD’s site as well as the Total HIPAA site. There will also be a series of 30-minute webinars where we will drill down further into the various aspects of HIPAA. Keep an eye out -- we'll be posting details for the webinars on both the NueMD and Total HIPAA websites within the next few weeks.

This first blog is a brief overview of the eight most important changes in the 2013 HIPAA Omnibus Rule for medical practices. Each item in the list below is discussed in more detail further down.

  1. Patients can request access to their medical records
  2. Communicating vaccination records to school
  3. Patients paying cash for services can request that the information not be reported to their insurance company
  4. Genetic Information Nondiscrimination Act (GINA)
  5. Encrypting data in transit, rest and in storage is required
  6. New limits on fundraising and disclosure of information
  7. Common Agency Provision
  8. And most importantly, increases in the fines and penalties for a breach or improper use of PHI

Next week we will be talking about The 5 Steps for Adopting a HIPAA Compliance Plan.

1. Patient Access to Medical Records

The new Omnibus Rule gives patients more control over their records than ever before. For example, patients can request access to their medical records, and physician practices must comply with the request within 30 days as long as access is not restricted by a court action. In addition, the information must be in the format the patient requests—whether digital or physical. Practices are allowed to charge a nominal fee for copying and clerical work related to the request.

More stringent state medical record privacy laws take precedence over HIPAA. For example, in California, medical practices must supply a patient’s medical records within 15 days, and the law sets the copying fee at 25 cents per page, plus a nominal clerical fee.

2. Communicating Vaccination Records to Schools

The Omnibus Ruling has made it easier for your practice to share vaccination records with schools. You are now allowed to release this information directly to the school with a written or verbal release from the student’s parent or guardian. If you receive a verbal request, make sure you note the time, date, and the person you spoke with, and include this record in the patient file. You may want to have the parent or guardian sign a written release the next time they are in the office.

3. Respecting Your Patient’s Request to Keep Personal Health Information From Insurance Companies When Paying Cash

If a patient pays cash at the time of service and requests that you not release information relating to the service to their insurance company, you are required to comply. For example, if you have a patient with an STD who receives treatment at your office, pays in cash, and says they do not want that information released to their insurance company, you are required to honor that request. Failure to do this is considered a breach of HIPAA’s Privacy Rule since the patient has not authorized the release of this information.

However, the information pertaining to the service remains part of the patient’s medical record and cannot be withheld from other healthcare providers for purposes of treatment. Also, in this example, practices must still comply with state and federal laws requiring the STD to be reported to the proper agencies.

4. Genetic Information Nondiscrimination Act (GINA)

The 2013 Rule modifies the HIPAA Privacy Rules to conform to the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA generally prohibits employers from making employment decisions based on a worker’s genetic information and prohibits health plans from using genetic information for underwriting purposes.

The changes made by the HIPAA Omnibus Rule adopt GINA’s definition of “genetic information” into HIPAA and clarify that certain screening tests are included in this definition of genetic information. Importantly, the new Rules include “genetic information” in the HIPAA definition of health information. Therefore, providers must treat genetic information the same as a patient’s other Protected Health Information.

5. Encrypting Data in Transit, at Rest, or in Storage

Prior to the HITECH Act, encryption of data was optional; that is no longer the case. You are required to encrypt a patient’s Protected Health Information in all forms. This means all emails, backups, Electronic Health Record systems, desktop computers, tablets, mobile devices on your network, etc., must use a minimum of 128-bit encryption.

Warning: Text messages are never a secure method for transmitting information! (We will go into more details on encryption in later blogs.)

6. New Limits on Fundraising and Disclosure of Information for Marketing

This is a tricky area, and you need to make sure you confer with legal counsel before proceeding with any fundraising or sharing information for marketing efforts.

According to HIPAA, you are allowed to share the following information with a Business Associate or institutionally related foundation without a release:

  1. Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
  2. Dates of health care provided to an individual;
  3. Department of service information;
  4. Treating physician;
  5. Diagnosis outcome information; and
  6. Health insurance status.

When it comes to communicating marketing opportunities or marketing information to your patients, you are not permitted to send patients these kinds of communications unless they have signed a clearly labeled document granting permission. There also must be an easy way for patients to opt out of receiving future communications, and you must make a reasonable effort to remove them from any lists they opt out of.

Finally, you can never condition treatment on a patient’s agreement to receive marketing materials or to donate to a charity.

7. Common Agency Provision

The Omnibus Rule now holds your Business Associates and their Subcontractors to the same Privacy and Security Standards required of Covered Entities. This means they are subject to the same fines and penalties as Covered Entities.

There is an extra wrinkle that makes providers responsible for the HIPAA compliance of their Business Associates and their Subcontractors. Any issues your Business Associates have with regard to their HIPAA compliance could result in your practice being audited and possibly fined. It’s important to do your due diligence before contracting with any Business Associates. Some of the largest fines assessed against Covered Entities that we have seen resulted from a HIPAA breach by the Business Associate of a Covered Entity.

Here is an example of a breach by two separate Business Associates (BAs) that resulted in a fine for both Stanford Hospital and the BAs. The total fine was $4 million. $3.3 million is being picked up by the Business Associates, which means Stanford Hospital is still stuck with a $700K fine. The moral of the story – audit those Business Associates BEFORE doing business!

8. Fines and Penalties

The fines associated with a HIPAA Violation are as follows:

Violation Category                    Each Violation       Maximum Penalty Per Violation in Calendar Year
(1) Did Not Know                      $100 – $50,000       $1.5 million
(2) Reasonable Cause                  $1,000 – $50,000     $1.5 million
(3) Willful Neglect – Corrected       $10,000 – $50,000    $1.5 million
(4) Willful Neglect – Not Corrected                        $1.5 million

(1) Did Not Know – You were trying to be HIPAA compliant and had an issue that you could not reasonably have known about.

(2) Reasonable Cause – You were trying to be HIPAA compliant, but you had an issue that you knew about or reasonably should have known about.

(3) Willful Neglect – Corrected – You ignored HIPAA, had an issue, and were caught. You corrected the issue within 30 days.

(4) Willful Neglect – Not Corrected – You ignored HIPAA, you were caught, and you chose not to fix the issue.

There are additional changes made to HIPAA in the Omnibus Rule that are applicable to other groups as well as medical practices. We focused this discussion on the most important changes for medical practices.

Come back and visit us next week, where we will talk about The 5 Steps for Adopting a HIPAA Compliance Plan.

Jason Karn

Jason Karn is the Director of IT at Total HIPAA Compliance and has been active in HIPAA training since the inception of the 2013 HIPAA Rules. He is a co-author of all Total HIPAA 2.0 training for Agents and Brokers, Employers, BA/Subcontractors, Medical Providers and Dental Providers. He is a regular speaker, blogger and a significant Twitter influencer on all things HIPAA. Jason is also an accomplished opera singer and has performed across the US and Europe. Follow Jason on Twitter @TotalHIPAA.
