D'Arcy Gue

New HIPAA Regulations | Part One of Our Omnibus HIPAA Series

February 18, 2013


(This post is the first in a series of six that will examine the federal “Omnibus” HIPAA Rule, released January 18, and effective March 26. All covered entities and business associates must be in compliance by September 23, 2013.)

HIPAA privacy and security regulations have been with us for almost 13 years, and have been subjected to many refinements and updates. During the same period, new federal rules have evolved with provisions that paralleled, expanded on, or otherwise interacted with HIPAA.

So, pulling together a new “omnibus” Rule intended to clean up a rather complicated mess makes sense. The Department of Health and Human Services has done just that, by combining features of four existing component rules. It also has taken this new rule-making opportunity to expand HIPAA’s reach and strengthen HHS powers.

The HIPAA Clean Up: First, here is how HHS has effectively combined HIPAA with four other federal rules. The new omnibus rule includes:

  • Final provisions that expand the HIPAA Privacy, Security and Enforcement Rules, as mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. HITECH was a major element of the American Recovery and Reinvestment Act of 2009 (ARRA), commonly known as the Economic Stimulus Package.
  • The final rule on Breach Notification for Unsecured Protected Health Information, which changes significant elements of the 2009 Interim Rule.
  • The final HIPAA Enforcement Rule, which expands HHS’ enforcement powers, again, as proposed in the HITECH Act.
  • The final rule modifying the HIPAA Privacy Rule, as mandated by the Genetic Information Nondiscrimination Act (GINA) of 2008.

The Expansion of HIPAA: Many healthcare professionals still don’t understand that the omnibus HIPAA Rule is not just 563 pages of regulatory reorganization. The Rule, in fact, presents extensive revisions in HIPAA privacy and security requirements that are major and far-reaching. The text of the lengthy document is necessarily complex, given its regulatory intentions, but it is possible to identify at least three broad themes embodied in the new rule:

• HHS gives patients and their rights central priority, within its long-term vision of an integrated health care environment where HITECH’s “Meaningful Use / MIPS” of electronic health records will be fully realized.

• On the other hand, the obligations of covered entities under HIPAA have expanded. In a dramatic turnabout, business associates and their sub-contractors are now subject to many of these obligations, including paying penalties.

• HHS has assumed greater reach in enforcement powers and overall authority. It has reduced the level of regulated entities’ discretion in identifying breaches and has amplified breach notification requirements.

Part 2 of this series will delve into the major impacts of the Omnibus HIPAA Rule. Stay tuned. In Part 3 and beyond, we’ll cover specifics of all major changes in HIPAA Privacy and Security requirements.


