Know How: Alert


Highlights of Omnibus HIPAA Regulations



Stay up-to-date with industry knowledge!


The long-awaited omnibus HIPAA regulations (“Omnibus Rule”) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) are now in effect.  Highlights of the Omnibus Rule include the following: 

  • Effective Date/Compliance Date/Transition Provision. The Omnibus Rule became effective on March 26, 2013. Generally, the compliance deadline is September 23, 2013.  The Omnibus Rule includes a transition provision that, in certain circumstances, allows Covered Entities and Business Associates (as well as Business Associates and Business Associate Subcontractors) to continue to operate under existing Business Associate Agreements (BAAs) for an additional year beyond the compliance deadline. 

  • Subcontractors.  Under the Omnibus Rule, the definition of a Business Associate includes Subcontractors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Business Associate. As a result, there must be a Business Associate Agreement entered into by Business Associates and their Subcontractors.  

  • Direct Liability of Business Associates. The Omnibus Rule extends direct liability to Business Associates, including Subcontractors, for compliance with certain requirements of the HIPAA Privacy Rule and with the HIPAA Security Rule.  

  • Covered Entities’ Liability for Activities of Business Associates.  Under the Omnibus Rule, Covered Entities could be liable for Business Associates’ activities if the Business Associates were acting as an agent of the Covered Entity.  In addition, Business Associates could be liable for the activities of their Subcontractors if the Subcontractors were acting as an agent of the Business Associate. That determination will be based on the federal common law of agency. 

  • Breach Notification Rule. The Breach Notification Rules have changed.   Under the Omnibus Rule, the previously used harm standard has been removed and the risk assessment has been modified to require Covered Entities and Business Associates to assess the probability that PHI has been compromised by considering four factors.  Unlike the old test, the new test imposes a presumption of notification unless there is a low risk of the probability that PHI has been compromised.  HHS has stated that it will provide further guidance on this issue. 

  • Minimum Necessary Standard and Business Associates. The Minimum Necessary Standard now applies directly to Business Associates, including Subcontractors, when using or disclosing PHI or when requesting PHI from a Covered Entity. 

  • Other Changes.  The Omnibus Rule made various other changes covering topics including, but not limited to, sales of PHI, decedents’ PHI, and fundraising. 

  • The text of the Omnibus Rule can be found at 78 Federal Register 5566.  HHS has posted sample BAA language on its website (


This Alert is a periodic publication of Steptoe & Johnson PLLC and should not be construed or relied upon as legal advice or legal opinion on any matter.  The content is intended for general information purposes only.  You should consult with your own lawyer for legal advice or a legal opinion on the specific facts and circumstances of your own situation.  For further information about this Alert, please contact Steptoe & Johnson PLLC.

You are receiving this email because of your relationship with Steptoe & Johnson PLLC.  You may unsubscribe if you no longer wish to receive our emails.