The Department of Health and Human Services announced the long-awaited publication of the Omnibus Final Rule. Business Associates and Subcontractors can download a complimentary white paper from Clearwater Compliance to help them on their journey to HIPAA-HITECH compliance.

The Omnibus Final Rule was sent to the Office of Management and Budget in March 2012. Most industry experts expected it to be published in the Federal Register in June 2012. However, HHS issued a news release announcing the Omnibus Final Rule will be published on January 25, 2013. According to the release, the Omnibus Final Rule enhances patient privacy protections, gives individuals new rights surrounding their health information and strengthens the government's abilities to enforce the law.

Download the final omnibus rule here.

“Our team will provide continued analysis over time,” said Bob Chaput, Founder and CEO of Clearwater Compliance. “Meanwhile, take note that ‘risk of harm assessment’ becomes ‘assessment of probability that PHI has been compromised,’ and subcontractors are now statutorily obligated to comply with the HIPAA Rules.”

“Risk of Harm Assessment” becomes “Assessment of Probability that PHI has Been Compromised”

The exact language of the Omnibus Final Rule states, “…Instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that the protected health information has been compromised based on a risk assessment that considers at least the following factors:

(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(2) The unauthorized person who used the protected health information or to whom the disclosure was made;

(3) Whether the protected health information was actually acquired or viewed; and

(4) The extent to which the risk to the protected health information has been mitigated.

…If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notification is required.”

“Subcontractors” Now Statutorily Obligated to Comply

The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”

