
What is the HIPAA Omnibus Final Rule?

Omnibus Final Rule

When crafting the Omnibus Final Rule, HHS wanted to incorporate provisions of the HITECH Rule into HIPAA to boost business associate accountability. Additionally, they aimed to revise inconvenient rules and close gaps left by the previous rules.

Before we dive into the Omnibus Final Rule, here’s a brief HIPAA overview.


The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to improve the safety and privacy of medical information following the advent of electronic health records (EHR). Before this, there were no federal laws regulating the protection and exchange of medical records.

These were fairly lawless times in this regard. While most healthcare providers acted reasonably, there were plenty of problems. For example, patients couldn’t always get copies of their own medical records, yet their employers could acquire them through the health insurance provider.

This changed when the Department of Health and Human Services (HHS) intervened with HIPAA, which defined important terms like protected health information (PHI) and set regulatory baselines for how medical information may be disclosed.

It’s difficult to estimate the number of people impacted by medical record breaches. Without protections to safeguard medical information, personal issues could easily become public.

While HIPAA helped herald a new era of medical record exchange, it wasn’t perfect. Since passing HIPAA, HHS has worked diligently to improve and adapt it to the ever-changing nature of the healthcare industry.

To accomplish this goal, they created additional rules and regulations, which you can read more about by clicking the links below:

Privacy Rule – 2002

Security Rule – 2005

Breach Notification Rule – 2009


The Omnibus Final Rule was passed into law in 2013, shortly after the HITECH Act. This rule made several updates to existing HIPAA rules to improve the privacy of patients and the accountability of professionals who handle medical records. 

Click here to learn more about the HITECH Act.

The updates to HIPAA brought on by the Omnibus Final Rule can be separated into 3 categories:

  1. Accountability Enhancements
  2. Privacy Improvements
  3. Miscellaneous Updates


For much of HIPAA’s existence, the regulations applied almost exclusively to covered entities. A covered entity is a professional or organization that directly handles medical treatment, billing, or other healthcare operations. This includes healthcare providers, health plans, pharmacies, and more.

This presented a major flaw, however, as business associates were not held to the same standards. To fix this, HHS broadened the definition of business associates.

Business associates are the professionals that create, receive, maintain, and/or transmit protected health information (PHI) on behalf of a covered entity. This list includes lawyers, consultants, third-party professionals, and more.

This lack of cohesion across HIPAA regulations meant that records were generally less secure as soon as providers released them. Additionally, if these records were mishandled and/or breached, the covered entity was often held liable.

The HITECH Act set the foundation for business associates and their subcontractors to face the same HIPAA regulations and penalties. It wasn’t until the Omnibus Rule, however, that this update could be enforced.

Today, business associates and covered entities alike can face steep penalties for HIPAA violations. These penalties are determined by the number of individuals affected, the length of noncompliance, and the responsible party’s culpability.

HIPAA penalties are separated into a four-tiered penalty structure.

  1. Tier 1 – Lack of Knowledge: The responsible party was unaware of the breach and couldn’t have detected the breach using reasonable due diligence. Penalties range from $100-$50,000 per violation with an annual limit of $25,000 for repeat violations.
  2. Tier 2 – Reasonable Cause: The responsible party should have noticed the breach by using reasonable due diligence. Penalties range from $1,000-$50,000 per violation with an annual limit of $100,000 for repeat violations.
  3. Tier 3 – Willful Neglect: The responsible party chose to neglect HIPAA rules and/or PHI breaches. Penalties range from $10,000-$50,000 per violation with an annual limit of $250,000 for repeat violations.
  4. Tier 4 – Uncorrected Willful Neglect: The responsible party neglected HIPAA rules and/or PHI breaches and didn’t fix their noncompliance within 30 days of discovery. Penalties cost $50,000 per violation with an annual limit of $1,500,000 for repeat violations.

The penalties for non-compliance can be devastating if violations are handled poorly.

Given the potentially devastating nature of HIPAA penalties, the Omnibus Final Rule has driven greater accountability for business associates. This not only holds these professionals to a higher standard, but it also protects healthcare organizations and patients from avoidable breaches.


Before HIPAA, patients didn’t have much control over, or access to, their medical information. Additionally, there were few provisions stopping healthcare providers from sharing it without just cause. The HIPAA Privacy Rule expanded patient rights with regard to their medical information, but even that wasn’t perfect.

The Omnibus Final Rule expanded further upon these provisions in an effort to shore up existing gaps in protection. These privacy expansions include the following updates:

  • Covered entities need patient authorization to send patients marketing communications if they are paid for sending them.
  • With parent/guardian authorization, covered entities can more easily share immunization records with schools.
  • The definition of “protected health information” now includes genetic information.
  • Covered entities now need patient authorization before selling PHI, outside these two exceptions:
    • Research purposes that only reimburse the cost to prepare and transmit records
    • Some public health purposes
  • Patients’ rights to request electronic copies of their medical records were expanded.
  • Covered entities are required to modify and redistribute their individual notices of privacy practices.
  • Sharing of PHI in the treatment of a patient or during payment for their care
  • Patients’ rights to restrict disclosure of their PHI to health plans


Unfortunately, the administrative burden of HIPAA compliance can slow down informed patient care. That’s why one goal of the Omnibus Final Rule was to reduce the administrative burden of compliant record exchange.

One way HHS accomplished this goal was by simplifying the authorization process for research. Now, researchers only need one authorization form per study. Additionally, patients can provide “prospective consent” so researchers can use their information in future studies without additional authorization.

The Omnibus Rule also revised a HITECH Act provision that required covered entities to treat any improper PHI disclosure as a breach. Instead, a four-part risk assessment is now mandatory to determine the risk posed by an improper PHI disclosure and whether mitigation efforts succeeded.


ChartRequest ensures compliance with all federal and state regulations relevant to the exchange of medical, imaging, and billing records. Like HHS, we aim to mitigate exhausting administrative labor to reduce burnout and simplify the exchange of information.

We help healthcare providers, patients, legal professionals, insurance plans, government agencies, and more across the United States get records fast. Our full-service partners’ average turnaround time is just 2 business days, compared to the 30-60 days you could wait with traditional methods.

We accomplish this by automating as much of the process as possible and streamlining the rest. By making compliant exchange simple, healthcare providers can release records faster without the worry of unintentional breaches causing massive penalties.

Do you want to see how ChartRequest can simplify the exchange of electronic health records to guarantee Omnibus Rule compliance? Click here to create your account.
