2013 HIPAA Omnibus Final Rule: Breach Notification, BA Agreements, and Enforcement

Kevin Henry

HIPAA

August 19, 2024

7-minute read
Breach Notification Standards

The 2013 HIPAA Omnibus Final Rule reshaped the Breach Notification Rule by creating a presumption that any impermissible use or disclosure of Protected Health Information (PHI) is a breach unless you can demonstrate a low probability that the PHI has been compromised. This standard replaces the prior “harm” test and focuses on objective, documented analysis.

Notification duties apply only when Unsecured PHI is involved—meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption or proper destruction). If PHI is secured, a report is generally not required, but you must still investigate and document the incident.

Covered entities and business associates should treat every privacy or security incident as a potential breach, promptly contain it, and complete a written assessment. Thorough documentation supports compliance and demonstrates diligence to regulators.

Four-Factor Risk Assessment

To determine whether there is a low probability of compromise, you must evaluate and document all Risk Assessment Factors. Each factor should be analyzed on its own and then weighed together to reach a reasoned conclusion.

The four factors

  • Nature and extent of PHI involved: Identify the types of identifiers, clinical details, financial data, or sensitive categories, and consider the likelihood of re-identification.
  • Unauthorized person: Assess who used or received the PHI (e.g., a workforce member, another covered entity, or an unknown actor) and what that person can realistically do with it.
  • Whether PHI was actually acquired or viewed: Determine if the data was merely exposed or was in fact accessed, downloaded, or read.
  • Extent of mitigation: Evaluate steps taken to reduce risk, such as confirming destruction, obtaining a recipient’s reliable attestation of non-use, or quickly recovering the information.

Applying the analysis

Document your methodology, evidence, and decision. If the combined factors do not clearly support a low probability of compromise, you must proceed with breach notification. Repeatable procedures and contemporaneous notes are critical to defend your conclusion.

Business Associate Agreement Requirements

The Omnibus Rule makes business associates directly liable for HIPAA compliance and expands who qualifies as a business associate (any entity that creates, receives, maintains, or transmits PHI on your behalf). Your Business Associate Agreement (BAA) must reflect these obligations and flow down to all relevant vendors.

Essential BAA terms

  • Require HIPAA Security Rule Compliance, including risk analysis, safeguards, and workforce training.
  • Limit uses and disclosures to what the Privacy Rule permits and what your contract authorizes, honoring the minimum necessary standard.
  • Mandate prompt breach and security incident reporting, with details sufficient for you to meet notification deadlines.
  • Obligate business associates to ensure all subcontractors agree to the same restrictions and conditions through a written BAA.
  • Support individual rights (access, amendments, and accounting) and cooperate with investigations by the regulator.
  • Require return or destruction of PHI at termination where feasible and allow termination for material breaches.

Subcontractor Compliance Mandates

Subcontractors that create, receive, maintain, or transmit PHI for a business associate are themselves business associates under the Omnibus Rule. You must build a verifiable chain of trust that extends beyond first-tier vendors.

  • Execute BAAs with every downstream subcontractor handling PHI and flow down all privacy, security, and breach obligations.
  • Perform risk-based due diligence and ongoing monitoring (e.g., security questionnaires, evidence of safeguards, and corrective action tracking).
  • Define incident escalation paths so subcontractors notify your business associate and you without delay.

Breach Reporting Obligations

Once a breach of Unsecured PHI is discovered, individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. “Discovery” occurs on the first day the breach is known or should reasonably have been known through due diligence.

Who you must notify

  • Affected individuals: Use first-class mail or email if the individual has consented. Provide substitute notice if contact information is insufficient.
  • HHS/OCR: For breaches affecting 500 or more individuals in a state or jurisdiction, notify contemporaneously with individual notice. For fewer than 500, log and submit to HHS annually.
  • Media: If 500 or more individuals in a state or jurisdiction are affected, notify a prominent media outlet.

What notices must include

  • A brief description of the breach, including dates of the breach and discovery.
  • The types of PHI involved (e.g., names, diagnoses, treatment, Social Security numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods for questions (toll‑free number, email, or postal address).

Business associates’ role

Business associates must notify the covered entity without unreasonable delay and within 60 days of discovery, supplying all known affected individuals, data elements involved, and any mitigation performed so the covered entity can complete required notifications.

Enforcement Penalties and Tiered Structure

The Omnibus Rule implements a Tiered Penalty Structure for civil monetary penalties, applied per violation, with an annual cap of up to $1.5 million per violation category. Penalties consider the nature and extent of the violation, resulting harm, and your compliance posture.

The four tiers

  • Tier 1 – Unknowing: You did not know and would not have known with reasonable diligence; $100 to $50,000 per violation.
  • Tier 2 – Reasonable Cause: You should have known; $1,000 to $50,000 per violation.
  • Tier 3 – Willful Neglect, Corrected: Violation due to willful neglect but corrected within the required period; $10,000 to $50,000 per violation.
  • Tier 4 – Willful Neglect, Not Corrected: Not corrected within the required period; $50,000 per violation, up to the annual cap.

OCR prioritizes investigations where there is willful neglect, patterns of noncompliance, or large-scale breaches. Demonstrable, sustained compliance efforts can mitigate penalty exposure.

HIPAA Security and Privacy Rule Implications

The 2013 HIPAA Omnibus Final Rule strengthens operational expectations under both the Security and Privacy Rules. You must prove ongoing HIPAA Security Rule Compliance through documented risk analysis, risk management, access controls, audit logging, and workforce training.

Encryption and proper destruction are emphasized because they prevent incidents from becoming reportable by avoiding Unsecured PHI. Align encryption with recognized standards, monitor ePHI across systems and vendors, and test your incident response plan regularly.

Privacy Rule updates reinforce minimum necessary, restrict marketing and sale of PHI without authorization, and expand individual rights, including timely electronic access and the right to restrict disclosures to a health plan when services are paid out‑of‑pocket in full. BAAs and vendor oversight are now central privacy controls rather than peripheral paperwork.

Conclusion

The Omnibus Rule pivots breach analysis to a documented four-factor test, elevates the Business Associate Agreement as a core compliance instrument, extends mandates to subcontractors, and enforces a clear Tiered Penalty Structure. By securing PHI, tightening vendor governance, and executing the Breach Notification Rule with discipline, you reduce risk and prove accountability.

FAQs

What is the new breach notification standard under the 2013 HIPAA Omnibus Rule?

The rule presumes a breach whenever PHI is used or disclosed impermissibly unless you demonstrate, via a documented four-factor analysis, a low probability that the PHI was compromised. If the PHI was not Unsecured PHI (for example, it was strongly encrypted), notification is generally not required.

How must business associates comply with breach reporting requirements?

Business associates must investigate, mitigate, and notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach. They must provide details on affected individuals, the types of PHI involved, and actions taken so the covered entity can complete all required notifications.

What are the increased penalties for HIPAA violations?

Civil penalties follow a four-tier structure ranging from $100 to $50,000 per violation, with up to $1.5 million per violation category in a calendar year. Willful neglect that is not corrected draws the highest penalties and often triggers formal investigation.

How does the four-factor risk assessment determine breach status?

You evaluate: (1) the nature and extent of PHI involved, (2) the unauthorized person, (3) whether the PHI was actually acquired or viewed, and (4) the extent of mitigation. If these Risk Assessment Factors do not collectively support a low probability of compromise, you must treat the event as a reportable breach.
