2013 HIPAA Omnibus Rule Summary: Privacy, Security, and Enforcement Updates
The 2013 HIPAA Omnibus Rule updated the Privacy, Security, and Enforcement Rules to align with HITECH and GINA. This summary explains what changed and how you can operationalize the updates across breach notification, business associate liability, individual rights, marketing and fundraising, penalties, and compliance deadlines.
Breach Notification Requirements
The rule replaced the prior subjective “harm” test with a presumption that a breach has occurred unless you demonstrate a low probability that protected health information (PHI) was compromised. A breach of PHI now triggers a documented risk assessment and, when required, timely notices to affected individuals and regulators.
Risk assessment factors you must document
- Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (for example, obtaining a satisfactory attestation of destruction or return).
Exceptions and safe harbors
- Good-faith, unintentional access or use by a workforce member within scope of authority with no further improper use.
- Inadvertent disclosure by an authorized person to another authorized person within the same organization (or organized health care arrangement) with no further improper use.
- Good-faith belief the recipient could not reasonably retain the information.
- PHI secured through approved encryption or destruction methods is not “unsecured PHI” and is not subject to breach notification.
Notification timing and content
- Notify individuals without unreasonable delay and no later than 60 calendar days from discovery.
- Notify HHS and, for incidents affecting 500 or more residents of a state or jurisdiction, prominent media outlets; incidents affecting fewer than 500 individuals are logged and reported to HHS annually.
- Notices must describe what happened, the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and how to contact you.
Business Associate Compliance Obligations
The Omnibus Rule makes business associates directly subject to HIPAA. Their direct liability now includes compliance with the Security Rule and key provisions of the Privacy Rule, with OCR enforcement and penalties applying directly to business associates and their subcontractors.
Direct compliance and liability
- Implement administrative, physical, and technical safeguards; perform a risk analysis; and maintain written policies and workforce training.
- Use and disclosure of PHI must follow the agreement and Privacy Rule; minimum necessary applies.
- Report breaches of unsecured PHI to the covered entity without unreasonable delay.
Subcontractors and agreements
- Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates.
- Business associate agreements must include Security Rule compliance, breach reporting duties, downstream obligations to subcontractors, and termination for cause.
Expanded Individual Rights
The Omnibus Rule strengthens your patients’ control over their information, particularly around electronic access to their medical records and limits on disclosure.
Electronic access and format
- Individuals have the right to obtain an electronic copy of PHI maintained in an electronic designated record set and to receive it in the requested readily producible format.
- Reasonable, cost-based fees may cover labor for copying and supplies; excessive or per-page fees for electronic copies are not permitted.
Directing records to a third party
- Upon request, you must transmit an individual’s electronic copy to a designated third party (for example, another provider or a personal app) in the format requested if readily producible.
Right to restrict certain disclosures
- When an individual pays a provider in full, out of pocket, and requests it, you must restrict disclosure of that specific service’s PHI to a health plan, unless disclosure is required by law.
Additional updates affecting individuals
- Notices of Privacy Practices must reflect new rights and uses (e.g., restrictions, marketing, sale of PHI, breach notification).
- Genetic information is treated as PHI; most health plans may not use or disclose it for underwriting.
- Protection for decedent PHI lasts 50 years; certain disclosures to involved family or friends are permitted.
Marketing and Fundraising Restrictions
The rule tightens when PHI can be used for outreach. In many cases, an individual’s authorization is now required before PHI can be used for marketing if any third-party financial remuneration is involved.
Marketing that requires authorization
- Communications about a third party’s product or service that involve direct or indirect payment from that party generally require prior authorization.
- Exceptions: face-to-face communications and promotional gifts of nominal value.
Treatment/operations communications and refill reminders
- Refill reminders and communications about a drug or biologic currently prescribed are permitted without authorization only if any remuneration is limited to reasonable, cost-based payments.
Fundraising rules
- Limited additional PHI (such as department of service or treating clinician) may be used to target fundraising, but every message must include a clear, conspicuous, and non-burdensome opt-out.
- If an individual opts out, you must honor it; you cannot condition treatment or payment on fundraising participation.
Sale of PHI
- Sale of PHI generally requires explicit authorization, with narrow exceptions (e.g., public health or research cost-recovery scenarios permitted by rule).
Enforcement and Penalty Provisions
The Omnibus Rule embeds HITECH’s tiered penalty structure and expands OCR’s investigation authority, especially for potential willful neglect. Business associates face the same penalty tiers as covered entities.
Civil monetary penalty tiers (per violation)
- Tier 1 – Did not know: $100 to $50,000; annual cap $1,500,000 per violation category.
- Tier 2 – Reasonable cause: $1,000 to $50,000; annual cap $1,500,000.
- Tier 3 – Willful neglect, corrected: $10,000 to $50,000; annual cap $1,500,000.
- Tier 4 – Willful neglect, not corrected: $50,000; annual cap $1,500,000.
OCR may require corrective action plans and monitor sustained compliance. Intentional misuse of PHI can also implicate criminal provisions enforced by the Department of Justice.
Compliance Deadlines and Implementation
The Omnibus Rule took effect on March 26, 2013. The general compliance date was September 23, 2013, when OCR began enforcing the updated requirements. Certain preexisting business associate agreements qualified for a transition period until September 22, 2014.
Action plan to operationalize compliance
- Update breach response to the four-factor risk assessment; maintain documentation for each incident.
- Refresh Security Rule risk analysis; implement or refine safeguards and vendor oversight.
- Amend business associate agreements and cascade obligations to subcontractors.
- Revise Notices of Privacy Practices and intake workflows to support new rights and restrictions.
- Adjust marketing, refill reminder, and fundraising workflows to authorization and opt-out requirements.
- Train your workforce and audit for continuous improvement.
Conclusion
The 2013 Omnibus Rule modernized HIPAA by tightening breach analysis, extending direct obligations to business associates, expanding individual control over data, and clarifying when PHI can be used for outreach. By aligning policies, agreements, and day-to-day practices with these changes, you reduce risk and build trust with the people whose health information you steward.
FAQs
What changes did the 2013 HIPAA Omnibus Rule make to breach notifications?
It created a presumption of breach and replaced the prior “harm” test with a required four-factor risk assessment. Unless you document a low probability that PHI was compromised, you must notify affected individuals and, when applicable, HHS and the media within the rule’s timelines.
How are business associates affected by the omnibus rule?
Business associates, and their subcontractors, are directly subject to HIPAA’s Security Rule and key Privacy Rule provisions. They must implement safeguards, conduct risk analyses, report breaches, and flow down obligations to subcontractors, and they are subject to OCR enforcement and penalties for noncompliance.
What new individual rights were established in the 2013 rule?
Individuals gained stronger electronic access to their medical records (an electronic copy in a requested format when readily producible), the right to have an electronic copy sent to a designated third party, and the right to restrict disclosure to health plans for services paid in full out of pocket. Notices of Privacy Practices were also updated to reflect these rights.
What penalties apply for HIPAA violations under the omnibus rule?
The rule adopts a tiered penalty structure ranging from $100 to $50,000 per violation, with annual caps of $1,500,000 per violation category. Higher tiers apply to willful neglect, and OCR can require corrective action plans in addition to monetary penalties.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.