2013 HIPAA Omnibus Rule Requirements: Business Associates, Breach, and Privacy
The 2013 HIPAA Omnibus Final Rule took effect on March 26, 2013, with a compliance deadline of September 23, 2013. It reshaped how you and your vendors handle Protected Health Information by expanding Business Associate obligations, tightening the Breach Notification Rule, and reinforcing Security Rule Safeguards under enforceable Civil Monetary Penalties.
This guide explains what changed and what you must do to sustain Privacy Rule Compliance, update Business Associate Agreements, and operationalize Risk Assessment Procedures across your program.
Business Associate Liability
The Omnibus Rule makes business associates (BAs) directly liable under HIPAA. If a vendor creates, receives, maintains, or transmits PHI for you, they must now comply with key Privacy and Security requirements, not just contract terms. Cloud hosts, data processors, health information exchanges, and similar vendors typically meet this definition.
Direct responsibilities for business associates
- Implement the full Security Rule Safeguards (administrative, physical, and technical) for ePHI.
- Use and disclose PHI only as permitted by HIPAA and the applicable Business Associate Agreement.
- Provide breach notification to the covered entity without unreasonable delay.
- Support individual rights (such as access to PHI) as directed by the covered entity.
- Disclose records to HHS during investigations and maintain required documentation.
- Flow down equivalent protections to subcontractors that handle PHI.
Subcontractor Compliance
Any subcontractor of a BA that creates, receives, maintains, or transmits PHI is itself a BA and must comply with HIPAA. You must ensure your vendors require their downstream vendors to meet the same standards, creating an unbroken chain of protection.
Practical steps
- Map PHI data flows to identify every subcontractor with access to PHI.
- Execute written BAAs with subcontractors before sharing PHI; include breach reporting, safeguard, and termination terms.
- Perform risk-based due diligence and monitor performance (e.g., attestations, audits, or corrective action plans).
- Limit PHI to the minimum necessary for each subcontractor’s role.
Business Associate Agreements
The Omnibus Rule updates required BAA content and timelines. A compliant BAA establishes permissible uses/disclosures, mandates Security Rule Safeguards, and sets clear breach reporting duties. It also compels subcontractor compliance and defines how PHI is returned or destroyed at termination.
Core BAA elements
- Permitted and required uses/disclosures of PHI, aligned with minimum necessary.
- Administrative, physical, and technical safeguards for ePHI, plus workforce training.
- Prompt reporting of breaches and security incidents, with cooperation on investigation and mitigation.
- Obligation to ensure subcontractors agree to identical restrictions and protections.
- Support for individual rights (access, amendment, and disclosures tracking as applicable).
- Right of HHS to access relevant records; return or destruction of PHI at contract end.
- Termination rights if the BA materially breaches HIPAA obligations.
Key dates
- New or modified BAAs: compliant by September 23, 2013.
- Transition rule: certain pre–January 25, 2013 BAAs could remain in place until renewal/modification or no later than September 22, 2014.
Breach Notification Standards
The Omnibus Rule adopts a “presumption of breach” unless you can demonstrate a low probability that PHI was compromised. You must document a risk assessment and, when a breach occurs, provide timely notices to affected individuals and regulators.
Risk Assessment Procedures
- Nature and extent of PHI involved (types, sensitivity, and likelihood of re-identification).
- Unauthorized person who used the PHI or to whom the disclosure was made.
- Whether PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated.
Notification requirements
- Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
- Media: if a breach affects more than 500 residents of a state or jurisdiction.
- HHS: contemporaneously for breaches affecting 500+ individuals; otherwise, log and report annually.
- Content: what happened, PHI types involved, steps individuals should take, your mitigation actions, and contact information.
Encrypting PHI consistent with recognized standards can render data “secured,” taking incidents outside the Breach Notification Rule if encryption keys are not compromised.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Privacy Rule Implementation
The Omnibus Rule updates core Privacy Rule Compliance duties. You must revise policies and Notices of Privacy Practices and train your workforce accordingly.
Notable privacy changes
- Right to restrict disclosures to a health plan when an individual pays out-of-pocket in full.
- Stronger limits on marketing and prohibitions on the sale of PHI without specific authorization.
- Updated Notice of Privacy Practices reflecting breach notification, marketing, and sale restrictions.
- Clarified disclosures (e.g., immunizations to schools with agreement) and 50-year protection for decedent PHI.
- Genetic information treated as PHI; health plans generally may not use or disclose it for underwriting purposes.
Security Rule Enforcement
Security Rule Safeguards are now enforceable against both covered entities and business associates. You must implement a living security program tied to your risks and technologies, with documented decisions and continuous improvement.
Core safeguards and practices
- Risk analysis and risk management, reviewed at least annually and upon major changes.
- Access controls, authentication, encryption, and transmission security for ePHI.
- Audit controls, activity reviews, and incident response procedures.
- Device/media controls, secure disposal, and contingency planning.
- Vendor oversight, sanctions for violations, and ongoing workforce training.
Penalties and Enforcement Procedures
OCR enforces the Omnibus Rule through investigations, audits, corrective action plans, and Civil Monetary Penalties. Penalties follow a tiered model based on culpability, with maximums of up to $50,000 per violation and up to $1.5 million per year per violation category, subject to adjustment.
Expect OCR to assess the nature and extent of violations, the volume and sensitivity of PHI involved, mitigation efforts, your history, and the effectiveness of your compliance program. Timely breach response and well-documented risk management can substantially reduce exposure.
Conclusion
The 2013 Omnibus Rule broadened who must comply, raised the bar for safeguarding PHI, and made breach response more rigorous. By tightening BA oversight, updating BAAs, executing disciplined risk assessments, and strengthening Privacy and Security controls, you can meet the rule’s requirements and reduce regulatory and operational risk.
FAQs
What new responsibilities do business associates have under the 2013 HIPAA Omnibus Rule?
Business associates are directly liable for HIPAA compliance. They must implement Security Rule Safeguards, use/disclose PHI only as permitted, notify the covered entity of breaches, support individual rights as directed, cooperate with HHS, and ensure their subcontractors sign BAAs and follow equivalent protections.
How did the Omnibus Rule change breach notification requirements?
It created a presumption of breach unless a documented four-factor risk assessment shows a low probability of compromise. Notices to individuals must go out without unreasonable delay and no later than 60 days, with additional reporting to HHS and, for large incidents, to the media.
What penalties exist for non-compliance with the Omnibus Rule?
OCR can require corrective action and impose Civil Monetary Penalties on a tiered scale, up to $50,000 per violation and $1.5 million per year per violation category, depending on the level of culpability and mitigating or aggravating factors.
When must covered entities have compliant business associate agreements in place?
New or modified BAAs had to be compliant by September 23, 2013. Certain grandfathered BAAs executed before January 25, 2013 could continue until renewal or modification, but no later than September 22, 2014.