What the Health and Human Services (HHS) Department calls its HIPAA Omnibus Rule should be finalized by the end of summer, Farzad Mostashari, the national coordinator for Health IT, announced this past week.

The rule, which combines four separate provisions, was submitted on March 23 to the Office of Management and Budget (OMB) for a required review. That review could take up to 90 days, or longer if OMB has questions.

After OMB sends the rule back, with or without suggestions, the HHS Office for Civil Rights (OCR) will prepare the final rule to be published in the Federal Register.

The HIPAA (Health Insurance Portability and Accountability Act) Omnibus Rule incorporates:

  • Changes to HIPAA privacy and security rules required under the HITECH (Health Information Technology for Economic and Clinical Health) Act;
  • New data breach enforcement and penalty requirements;
  • Final regulations related to HITECH's breach notification rule; and
  • Changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (GINA).

Mostashari said the final rule will extend all provisions to covered entities, their business associates, and all subcontractors.