
So, you missed the HIPAA Omnibus Rule deadline. Now what?

Next week marks two months since the deadline passed for compliance with the new HIPAA Omnibus Rule, and I thought it'd be a good time to check in to see how you're progressing.

Everyone has everything buttoned up, right? Ready for an audit? No, not exactly? Well, then, you had better get moving, as you could face harsh fines of up to $50,000 per violation, with additional penalties based on negligence levels.

First, a primer: If you're not familiar with the Omnibus Rule, it was announced in January by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights and sets forth requirements for every organization that deals with protected health information, commonly known as PHI. No longer is the burden for HIPAA privacy and security placed solely on covered entities, such as doctors' offices and hospitals; it now extends to their business associates, such as billing providers or claims processors.

And that's a big deal, considering 58 percent of health care breaches - including some of the largest ones that have been publicly reported - are the fault of third parties, according to the nonprofit Health Information Trust Alliance (HITRUST).

The Omnibus Rule officially took effect in March, but covered entities, business associates and business associates' subcontractors were given a 180-day grace period to comply with the new requirements. That date came and passed on Sept. 23.

Pilot audits are already underway, and now that the deadline has passed, more targeted audits were expected to begin in late October. If an organization that handles sensitive patient information is found to be out of compliance with the rule, it could face steep fines.

The Omnibus Rule - which implements the various provisions enacted by the Health Information Technology for Economic and Clinical Health Act (HITECH) - was designed to give HIPAA more "teeth" by increasing privacy protection requirements, providing patients with new rights to their health information and bolstering federal enforcement abilities.

The actual rule is no light read. Including comments by the Office of Civil Rights, the rule checks in at 563 pages long.

But, instead of parsing the law itself, allow me to highlight some of the notable changes. The following is not a comprehensive list of all modifications to the law, but it underscores some key considerations for patients and any organization handling PHI.

For Covered Entities, Business Associates and Subcontractors

  1. New definitions of business associates and subcontractors mean they may now be held directly liable for HIPAA compliance, making updated agreements between these businesses - covered entity with business associate and business associate with subcontractor - more indispensable than ever.
  2. Enforcement capabilities have been enhanced for HIPAA violations due to "willful neglect."
  3. A tiered civil money penalty structure increases potential fines.
  4. Covered entities must revise and redistribute Notice of Privacy Practices (NPP) to patients to reflect Omnibus changes.
  5. The "harm threshold" triggering breach notification requirements is replaced by new objective considerations.
  6. All covered entities, business associates and subcontractors must select a security official to be responsible for HIPAA, and their responsibilities must be assigned and documented.

For Patients

  1. Limitations have been strengthened on the use and disclosure of protected health information (PHI) for marketing and fundraising.
  2. The sale of PHI is prohibited without individual authorization.
  3. Individuals now have the right to request, and receive, electronic copies of their health information.
  4. Requirements for PHI use and disclosure authorization have been modified to facilitate research and disclosure of child immunization proof to schools, and to enable access by family members to information of deceased relatives.
  5. The Office of Civil Rights, as part of HHS, and state attorneys general can pursue civil and criminal cases against covered entities, business associates and their individual employees.

In summary, the expansion of patient rights and broader liability for violations each translate into an increased burden on organizations that handle PHI.

It is covered entities, business associates and subcontractors that must manage the appropriate use and disclosure of information. And in the case of improper use and disclosure, it is covered entities, business associates and subcontractors that are held responsible for misconduct.

HIPAA has come a long way since its inception in 1996, and it's finally got some serious teeth now. HIPAA came to be as part of an effort to ensure businesses allow individuals to maintain insurance coverage when changing jobs.

Seventeen years later, in addition to insurance portability, HIPAA regulates how PHI is handled to make sure those who should - and only those who should - actually have access to their information.

If you have any questions about HIPAA rules, drop me a line at and I'll be happy to get back to you.

Good luck!

Christoffer Brown is a solutions development specialist on the Compliance and Risk team at Trustwave.
