So, you missed the HIPAA Omnibus Rule deadline. Now what?

Next week marks two months since the deadline passed for compliance with the new HIPAA Omnibus Rule, and I thought it'd be a good time to check in to see how you're progressing.

Everyone has everything buttoned up, right? Ready for an audit? No, not exactly? Well, then, you better get moving - as you could face harsh fines of up to $50,000 per violation, with additional penalties based on negligence levels.

First, a primer: If you're not familiar with the Omnibus Rule, it was announced in January by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights and sets forth requirements for every organization that deals with protected health information, commonly known as PHI. No longer is the burden for HIPAA privacy and security placed solely on covered entities, such as doctor's offices and hospitals, but is now extended to their business associates, such as billing providers or claims processors.

And that's a big deal, considering 58 percent of health care breaches - and some of the largest ones that have been publicly reported - are the fault of third parties, according to the nonprofit Health Information Trust Alliance (HITRUST).

The Omnibus Rule officially took effect in March, but covered entities, business associates and business associates' subcontractors were given a 180-day grace period to comply with the new requirements. That date came and passed on Sept. 23.

Pilot audits are already underway, but now that the deadline has passed, more targeted audits were expected to begin in late October. If an organization that handles sensitive patient information is found to be out of compliance with the rule, it could face steep fines.

The Omnibus Rule - which implements the various provisions enacted by the Health Information Technology for Economic and Clinical Health Act (HITECH) - was designed to give HIPAA more "teeth" by increasing privacy protection requirements, providing patients with new rights to their health information and bolstering federal enforcement abilities.

The actual rule is no light read. Including comments by the Office of Civil Rights, the rule checks in at 563 pages long.

But, instead of parsing through the law itself, allow me to highlight some of the notable changes. The following is not a comprehensive list of all modifications to the law, but underscores some key considerations for patients and any organization handling PHI.

For Covered Entities, Business Associates and Subcontractors

  1. New definitions of business associates and subcontractors mean they may now be held directly liable for HIPAA compliance, making updated agreements between these businesses - covered entity with business associate and business associate with subcontractor - more indispensable than ever.
  2. Enforcement capabilities have been enhanced for HIPAA violations due to "willful neglect."
  3. A tiered civil money penalty structure increases potential fines.
  4. Covered entities must revise and redistribute Notice of Privacy Practices (NPP) to patients to reflect Omnibus changes.
  5. The "harm threshold" triggering breach notification requirements is replaced by new objective considerations.
  6. All covered entities, business associates and subcontractors must select a security official to be responsible for HIPAA, and their responsibilities must be assigned and documented.

For Patients

  1. Limitations have been strengthened on the use and disclosure of protected health information (PHI) for marketing and fundraising.
  2. The sale of PHI is prohibited without individual authorization.
  3. Individuals now have the right to request, and receive, electronic copies of their health information.
  4. Requirements for PHI use and disclosure authorization have been modified to facilitate research and disclosure of child immunization proof to schools, and to enable access by family members to information of deceased relatives.
  5. The Office of Civil Rights, as part of HHS, and state attorneys general can pursue civil and criminal cases against covered entities, business associates and their individual employees.

In summary, the expansion of patient rights and broader liability for violations each translate into an increased burden on organizations that handle PHI.

It is covered entities, business associates and subcontractors that must manage the appropriate use and disclosure of information. And in the case of improper use and disclosure, it is covered entities, business associates and subcontractors that are held responsible for misconduct.

HIPAA has come a long way since its inception in 1996, and it's finally got some serious teeth now. HIPAA came to be as part of an effort to ensure businesses allow individuals to maintain insurance coverage when changing jobs.

Seventeen years later, in addition to insurance portability, HIPAA regulates how PHI is handled to make sure those who should - and only those who should - actually have access to their information.

If you have any questions about HIPAA rules, drop me a line at and I'll be happy to get back to you.

Good luck!

Christoffer Brown is a solutions development specialist on the Compliance and Risk team at Trustwave.