HIPAA Myth #1: "There are Four HIPAA Rules"

Modified on Tue, 09 Apr 2024 at 04:59 PM

A Google search of "What are the rules of HIPAA" will frequently turn up the result of "there are four rules." The rules will be stated as: 1) The Privacy Rule. 2) The Security Rule. 3) The Breach Notification Rule. 4) The "HIPAA Omnibus Rule."

The "Omnibus Rule" is a "Rule" in that it sets forth legal obligations. It is a rule in the sense that it is the product of a required rulemaking process (just as there is a required process for a bill to become a law, there is a required process for a proposed rule to become a final rule, a/k/a "regulation").

But it is not accurate to state that the Omnibus Rule is a rule in that the Omnibus Rule regulates new substance or subject matter that HIPAA did not previously regulate.

There are three substantive (topic) areas of HIPAA: Privacy, Security, and Breach Notification. The HIPAA law, passed in 1996, directed the Secretary of Health and Human Services to create regulations to ensure the privacy and security of PHI. In the years that followed, HHS did just that. It created a Privacy Rule and a Security Rule.

HIPAA did not call for a breach notification rule. A law known as the HITECH Act, passed in 2009, did; the law directed the Secretary to create a rule requiring notification of individuals, HHS, and in some instances, the media, when there has been a breach of unsecured PHI.

These three rules, Privacy, Security, and Breach Notification, form the totality of the substance of the HIPAA regulations. The Omnibus "Rule" simply amended portions of the Breach Notification Rule, and portions of the Privacy Rule, to implement certain HITECH Act requirements. The Omnibus Rule did not create new topics to be regulated by HIPAA. It simply amended existing rules.

In other contexts, rules that simply modify existing rules are not thought of as "new rules." Take the Internal Revenue Code, the law that created the rules governing federal income taxation. These rules change quite frequently. Existing rules cover filing deadlines, who is subject to them, what can be deducted, what credits can apply, and so forth - and these rules are amended every year, if not more frequently. This does not mean that a "new rule" is created each time there is an amendment.

A brief example is instructive. In February of 2023, the IRS amended its rules regarding who must e-file. Does this mean that a new rule (we'll call it "The E-Filing Rule of 2024") has been issued? No, not in the sense that the IRS is regulating a new subject. No one speaks of IRS regulations as "The IRS regulations of 2023 regarding e-filing." People call the IRS regulations, "IRS regulations."







