What is the HIPAA Omnibus Final Rule of 2013?

History of Laws Leading Up to Omnibus

Policymaking in the United States can feel quite confusing, so before explaining the final Omnibus Rule, it’s essential to define a few terms and describe what came before.

The U.S. Department of Health and Human Services (HHS) has a department called the Office for Civil Rights. This department enforces all civil rights laws, conscience and religious freedom laws, HIPAA privacy (passed into law in 1996), and patient safety, to name a few.1,2

In 2009, former U.S. President Obama passed the American Recovery and Reinvestment Act in response to the recession.3 This included the Health Information Technology for Economic and Clinical Health (HITECH) Act.4 This was important for numerous reasons.

HITECH further bolstered HIPAA laws regarding protecting patient information online, increased the minimum penalty amount for each violation, and set a maximum amount of $1.5 million for all violations of an identical provision in a calendar year.4

In 2013, however, HHS felt it was necessary to merge HIPAA and HITECH, modify the rules for reporting breaches under HITECH, and fortify the Genetic Information Nondiscrimination Act (GINA). These changes were summarized into one document called the Omnibus Final Rule of 2013.4

Why Did OCR Pass the Omnibus Final Rule?

The Federal Register goes into great detail as to why HIPAA needed more regulatory action:4

  • Strengthen the privacy and security of electronic health records (EHR).
  • Increase flexibility and decrease the burden on regulated entities.
  • Better harmonize other laws already in place (HIPAA vs. HITECH).
  • Reduce costs.
  • Reduce the impact and number of times the regulated entities must undertake certain compliance activities.

The Four Parts of the Omnibus Final Rule

The Omnibus Final Rule contains four parts, or significant provisions:4

1. Modify HIPAA privacy, security, and enforcement rules mandated by the HITECH Act

Essentially, HHS merged the HITECH Act with HIPAA. This provision made business associates of covered entities directly liable for compliance with HIPAA requirements, including subcontractors and anyone else downstream that handles protected health information (PHI). It prohibited the sale of PHI and restricted the use of PHI for marketing and fundraising purposes.

Patients now have the right to request copies of their electronic medical records, and the rule tightened what entities can release to insurance companies about a treatment plan when the patient paid for it in full out of pocket.

The Omnibus Final Rule modified the requirements for research and for sharing child vaccination records with schools, and added provisions addressing enforcement of noncompliance with HIPAA rules.

2. Increased and tiered the civil money penalty structure initially outlined in the HITECH Act

| Violation category | Fine per violation | Violations of an identical provision in a calendar year (maximum penalty) |
|---|---|---|
| Did not know, not willful neglect | $100 - $50,000 | $1.5 million |
| Reasonable cause | $1,000 - $50,000 | $1.5 million |
| Willful neglect, but corrected | $10,000 - $50,000 | $1.5 million |
| Deliberate neglect and not corrected | | $1.5 million |

The OCR noted that penalties would be determined on a case-by-case basis to avoid harming smaller businesses. The penalty could be reduced or waived entirely if the organization makes a reasonable effort to correct the violation. The OCR emphasized that the goal is to ensure that violations do not recur and do not impede access to care, not to gouge an entity.

3. Outlined a more objective harm threshold for the breach notification rules

Healthcare providers are now required to report any breach, even if it is not harmful. Before, entities only had to report violations if they presented significant harm to over 500 people. Nothing can be shared without the patient’s consent and written permission.

This resulted in many more breaches being reported and forced business entities to retrain their workforce and update their policies and procedures.

4. Prohibited entities from disclosing/using someone’s genetic information when determining whether to give them coverage/benefits

The language covers any group health plan, insurance carrier, Medicare, Medicaid, supplemental policies, long-term care policies, welfare, veterans’ healthcare programs, and the Indian Health Service program.

Entities had 180 days to implement the Omnibus Final Rule. It strengthened and expanded privacy protections in light of widespread electronic health systems and online platforms. HHS also wanted the public to trust the healthcare system, as many commentators voiced concerns over hacking and online crime. With genetic technology rapidly advancing, it was critical to update the laws governing who could share genetic information, what could be shared, and how.

Enroll in HIPAA Training Online Today

For information on how to stay HIPAA compliant, sign up for one of our HIPAA courses or head to the US Department of Health and Human Services (HHS) website.


  1. Omnibus HIPAA Rulemaking. HHS.gov. Content last reviewed Sept 13, 2019. Retrieved Jan 4, 2023, from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html.
  2. OCR About Us. HHS.gov. Content last reviewed Sept 12, 2022. Retrieved Jan 4, 2023, from https://www.hhs.gov/ocr/about-us/index.html.
  3. American Recovery and Reinvestment Act of 2009. Federal Communications Commission. Retrieved Jan 4, 2023, from https://www.fcc.gov/general/american-recovery-and-reinvestment-act-2009.
  4. HITECH Act Enforcement Interim Final Rule. HHS.gov. Last updated June 16, 2017. Retrieved Jan 4, 2023, from https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html.
  5. Federal Register, Vol. 78, No. 17. Jan 25, 2013. Dept of HHS. Retrieved Jan 4, 2022, from https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.