Oracle Information InDepth




October 2013


HIPAA Omnibus Rule Is in Effect: Are You Ready?

On September 23, 2013, the HIPAA Omnibus Rule went into full effect, marking the most comprehensive changes to the HIPAA Privacy and Security Rules since they were first implemented in the US in 1996.

“These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates,” says Leon Rodriguez, director of the Office for Civil Rights at the US Department of Health and Human Services.

To help Oracle’s healthcare customers ready their organizations for the new requirements, law firm Ballard Spahr LLP and the Oracle security team hosted a webcast—now available on demand—titled “Addressing The Final HIPAA Omnibus Rule and Securing Protected Health Information.”

Three Key Changes Affecting Oracle Customers
Oracle security experts have carefully examined the Omnibus rule and have identified what they believe are the three most significant changes for Oracle customers:

  • Stricter breach notification requirements. Institutions can no longer determine for themselves if a breach has caused harm. The only way to invoke safe harbor and avoid penalties is via data encryption of electronic protected health information (ePHI).
  • Liability for breaches by business associates. The originator of ePHI now remains responsible for the protection of the data even after it has been handed off to a business associate, including cloud providers. Both criminal and civil penalties could apply. "This has become a chain of custody issue and represents an enormous change," says Ted Sherrill, Oracle senior director of Healthcare Security and Regulatory Solutions.
  • Increased risk of willful negligence. No institution larger than a certain size can claim it is unaware of requirements to protect ePHI. As a result, institutions that do not make attempts to comply with the HIPAA Omnibus rule can be found willfully negligent and suffer increased penalties.

From Data Encryption to Security Inside-Out
As US Health and Human Services leaders have made clear, the encryption of sensitive information within the database is a vital step toward HIPAA compliance, but alone it is not enough—especially as mobile devices continue to proliferate.

"With the increasing pressure to accommodate nontrusted devices and nontrusted network communications, perimeter security is no longer sufficient," explains Sherrill. "To remain compliant, you must pursue a three-pronged approach, which Oracle is uniquely able to deliver, thanks to its inside-out approach to security."
To learn more about the new rule, view the on-demand webcast “Addressing The Final HIPAA Omnibus Rule and Securing Protected Health Information.”

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
