Ensuring HIPAA compliance: A closer look at the Omnibus Rule

February 24, 2015

Businesses from lawyers and accountants to web hosting firms now find themselves subject to the data privacy and security requirements of the Healthcare Information Portability and Accountability Act (HIPAA) if they have healthcare organizations (HCOs) as partners or customers and create, receive, maintain or transmit protected health information. The main reason for this is the HIPAA Omnibus Rule.

It’s more important than ever for businesses to ensure they’re compliant with HIPAA regulations, as the consequences can be steep. The fines that can result if the privacy and security of protected health information (PHI) are compromised are higher than ever, and the updated regulations provide for increased incentive for government enforcement agencies to take action against violators.

Understanding the HIPAA Omnibus Rule
The original HIPAA legislation was passed by the U.S. Congress and signed by President Clinton in 1996. HIPAA set forth new terminology and Electronic Data Interchange (EDI) code sets for efficiently transmitting patient data. It also laid the groundwork for fundamental data security and privacy protections for PHI.

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the Omnibus Rule, modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. In general, the updated rules expand the obligations of physicians and other healthcare providers to protect PHI. However, the most dramatic business change as a result of the Omnibus Rule is the impact on a number of individuals and companies who are now considered “Business Associates.”

HIPAA initially only directly regulated “Covered Entities” — health plans, healthcare clearing houses, and healthcare providers — that transmit health information electronically, as well as their vendors who had access to PHI. But the Omnibus Rule expanded the definition of a Business Associate to include vendors who “create, receive, maintain, or transmit” PHI on behalf of a Covered Entity.

Simply put, the intent of the Omnibus regulations is to impose the same level of protection on all PHI, regardless of in whose custody it resides. In the past, HHS only had direct recourse to Covered Entities; today, each entity that comes in contact with PHI has direct accountability, regardless of how far down the chain of custody that provider may be.

How Carbonite helps
Even prior to the Omnibus Rule, Carbonite managed all PHI mindful of its obligations to its Covered Entity customers, and in compliance with the applicable HIPAA requirements. Under the new regulations, Carbonite regards itself as performing the functions of a Business Associate and will enter into Business Associate Agreements, leveraging the administrative, physical, and technical safeguards to facilitate our Covered Entity customers’ ability to maintain a HIPAA-compliant infrastructure.

Carbonite’s Pro and Server solutions
The security, confidentiality and integrity of customer information are core to the Carbonite solution. As a result, Carbonite was at the forefront of compliance with the regulatory change.

Carbonite’s Pro and Server solutions are designed to meet the privacy and security safeguards as well as the notification requirements of HIPAA. At Carbonite, we understand that finding the right cloud backup solution is particularly important in the healthcare industry because it is intensely regulated, with numerous compliance requirements at the federal, state and local level. With the potential for damage to reputations and steep financial and other penalties for non-compliance, it is critical to choose the right backup solution and trusted partner to facilitate HIPAA compliance.

Business Associate Agreement
For Covered Entities that use Carbonite to back up PHI, Carbonite will enter into a Business Associate Agreement to provide the contractual assurances required by HIPAA regulations, such as breach notification.

The bottom line is that Carbonite is committed to supporting your HIPAA compliance efforts even as rules and regulations change over time. Learn more about how Carbonite supports HIPAA compliance.


  • Solutions