HITECH Omnibus Rule Compliance Begins Today

The deadline for healthcare providers and other HIPAA-covered entities to become compliant with the HITECH Omnibus Rule begins today, Sept. 23. The new regulations, formally called the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act,” greatly alter the way many HIM professionals must do their jobs to maintain the privacy and security of health records and other protected health information.

The HITECH Omnibus Rule strengthens privacy and security protections by:

  • Extending compliance with HIPAA to business associates and their subcontractors
  • Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes
  • Prohibiting the sale of protected health information without appropriate authorization
  • Expanding individual rights to electronically access one’s protected health information (PHI)
  • Providing easier access to immunization records by a school
  • Removing HIPAA Privacy Rule protections for PHI of an individual deceased for more than 50 years
  • Prohibiting the use of genetic information for underwriting purposes
  • Finalizing breach notification requirements
  • Expanding individuals’ rights to obtain restrictions on certain disclosures of protected health information to health plans if services are paid for out of pocket


AHIMA-Developed Compliance Resources Available

AHIMA has developed an analysis of the Omnibus Rule, available on the AHIMA website here. Best practices for implementing the various sections of the Omnibus Rule have also been featured in the Journal of AHIMA’s “ARRA on the Job” column and in various Practice Briefs. These articles are available in the HIM Body of Knowledge here.

Relevant Practice Briefs include:

  • A HIPAA Security Overview
  • Breach Risk Assessment Best Practices
  • HIPAA Privacy and Security Training
  • Notice of Privacy Practices
  • Patient Access and Amendment to Health Records
  • Retention and Destruction of Health Information
  • ROI for Marketing and Fundraising
  • Sanction Guidelines for Privacy and Security Violations
  • Securing Wireless Technology for Healthcare
  • Security Risk Analysis and Management: An Overview
  • Security Audits of Electronic Health Information
  • The 10 Security Domains


The Journal of AHIMA website also features several articles on how to best meet compliance with the Omnibus Rule.

For example, one of the most troublesome last-minute compliance tasks is updating business associate relationships. In his Journal of AHIMA website article “Deadline Ahead: Last-Minute HIPAA Business Associate Compliance,” author Stephen Wu provides tips for updating business associate agreements to become compliant with the HITECH Omnibus Rule.

In addition, the request for restrictions requirement is discussed in Mary Butler’s website article “HIM Frontlines: Implementing HITECH-HIPAA ‘Request For Restrictions’ Requirement.”

The full version of the HITECH Omnibus Rule is available for reference here.


1 Comment

  1. The Omnibus Rule is set for us to exchange information, to store information, and explain patient safety, as well as other things

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!