DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the structure and form of the HIPAA regulations. These regulations can be found at Title 45, Part 164 of the United States Code of Federal Regulations. Title 45 is "Public Welfare." Part 164 is "Security and Privacy." Part 164 has three subparts, Subpart C, Subpart D, and Subpart E. Subpart C contains the HIPAA Security Rule. Subpart D contains the HIPAA Breach Notification Rule. Subpart E contains the HIPAA Privacy Rule. These three rules are contained in these three subparts. The "Omnibus Rule," issued in 2013, is not a "stand-alone" rule, but rather simply modifies these three existing rules.
What is the "Omnibus Rule"?
A Google search of "What are the rules of HIPAA" will frequently turn up the result of "there are four HIPAA rules." The rules will be stated as: 1) The Privacy Rule. 2) The Security Rule. 3) The Breach Notification Rule. 4) The "HIPAA Omnibus Rule."
There are three substantive (topic) regulatory components governing HIPAA privacy, security, and breach notification: The HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.
The so-called "Omnibus Rule" is the name given to a series of regulations issued in 2013 that simply amended portions of the Privacy, Security, and Breach Notification Rules. The Omnibus Rule did not create new topics previously unregulated by HIPAA; it simply amended existing rules.
What is the "HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy"?
Likewise, the "HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy," issued in 2024, was not a "new" Privacy Rule or a "separate" Privacy Rule. This rule (before it was vacated in 2025 by court order) simply amended the HIPAA Privacy Rule, in some instances adding requirements to the Privacy Rule.
What is the "HITECH Rule"?
There is no such thing as the "HITECH Rule." There is the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009. The HITECH Act has been amended. HHS modified the Privacy, Security, and Breach Notification Rules after the amendments became law. The "Omnibus Rule" itself is an example of such a modification.
The HITECH Act was amended in 2021. The amendment directed the HHS Secretary to consider whether covered entities and business associates had developed "recognized security practices." In 2022, HHS issued a Request for Information (RFI). In the RFI, HHS solicited public comment on "how covered entities and business associates understand and are implementing 'recognized security practices,' how they anticipate adequately demonstrating that recognized security practices are in place, and other implementation issues they are considering or would like OCR to clarify for the public and stakeholders through potential guidance or rulemaking." 87 FR 19834. "Rulemaking" means "issuing regulations." To date (8/25), there has not been any rulemaking with respect to the 2021 HITECH Act amendment.