HIPAA Omnibus Final Rule of 2013: Compliance Checklist
The HIPAA Omnibus Final Rule of 2013 updated the Privacy, Security, Breach Notification, and Enforcement Rules and expanded direct liability to Business Associates. It took effect March 26, 2013, with a general compliance date of September 23, 2013, plus a limited transition period for certain legacy agreements.
Use this compliance checklist to operationalize the rule’s requirements across your policies, contracts, risk management program, and workforce training. Integrate related elements such as Business Associate Agreements, the Notice of Privacy Practices, and the Breach Notification Rule into a coordinated governance framework.
Business Associate Agreement Requirements
The rule makes Business Associates and their subcontractors directly accountable for safeguarding PHI and meeting the Security Rule. Your Business Associate Agreements (BAAs) must set clear, enforceable obligations and align with daily operations.
- Define permitted and required uses/disclosures of PHI, applying the minimum necessary standard.
- Require compliance with the Security Rule (administrative, physical, and technical safeguards) for ePHI.
- Mandate prompt reporting of breaches and security incidents to the covered entity without unreasonable delay and within defined timeframes.
- Flow down obligations to subcontractors by executing BAAs that mirror these restrictions.
- Enable access, amendment, and an accounting of disclosures, including electronic copies where applicable.
- Commit to making internal practices, books, and records available to HHS for compliance investigations and reviews.
- Address termination: return or destroy PHI, or extend protections if destruction is infeasible.
- Authorize termination for material breach and document sanctions where appropriate.
- Retain executed BAAs and related documentation for at least six years.
Action items: inventory all Business Associates, update BAA templates, set internal breach-reporting clocks (e.g., 10 days), track subcontractors, and confirm ongoing Security Rule compliance through risk analyses and remediation.
Privacy Policy Updates
Revise your Notice of Privacy Practices (NPP) and internal policies to reflect new rights and restrictions introduced by the Omnibus Rule. Provide clear, easy-to-understand language to patients and plan members.
- Include a statement about the individual’s right to be notified following a breach of unsecured PHI under the Breach Notification Rule.
- Explain restrictions on marketing and the sale of PHI, noting that marketing paid for by a third party and any sale of PHI require the individual’s written authorization.
- Describe the right to restrict disclosure to a health plan when the individual pays in full out of pocket for an item or service.
- Disclose fundraising practices and provide a clear, simple opt-out mechanism.
- Document that proof of immunization may be disclosed to a school that is required by law to have it, provided the parent, guardian, or individual agrees; the agreement may be oral but must be documented.
- State that genetic information will not be used or disclosed for underwriting purposes (applies to health plans), aligning with the Genetic Information Nondiscrimination Act (GINA).
Action items: update your NPP, redistribute when required, align workforce training, and synchronize patient-facing materials and portal content with policy changes.
Breach Notification Obligations
The rule presumes an impermissible use or disclosure is a breach unless you can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. Build this analysis into your incident response.
- Conduct a four-factor assessment: (1) the nature and extent of PHI; (2) the unauthorized person; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk has been mitigated.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, using the required content and delivery methods.
- For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days after discovery; when 500 or more residents of a state or jurisdiction are affected, also notify prominent media outlets serving that area.
- For breaches affecting fewer than 500 individuals, submit an annual report to HHS within 60 days of the end of the calendar year.
- Require Business Associates to notify you promptly so you can meet your deadlines; set stricter timelines in BAAs when needed.
- Leverage encryption and destruction per HHS guidance to qualify for “safe harbor” when feasible.
- Maintain incident logs, investigation notes, risk assessments, notification letters, and mitigation records.
Enforcement Rule Provisions
OCR may initiate complaint-driven or proactive compliance reviews. The Enforcement Rule establishes tiered Civil Monetary Penalties tied to your level of culpability and cooperation, with higher tiers for willful neglect.
- Understand the four penalty tiers: did not know (and could not reasonably have known); reasonable cause; willful neglect corrected within 30 days; willful neglect not corrected.
- Prepare for document requests, interviews, and site visits during OCR compliance investigations and reviews.
- Expect corrective action plans, monitoring, or settlement agreements where systemic gaps are identified.
- Maintain required documentation (policies, risk analyses, training logs, BAAs, incident records) for at least six years.
- Demonstrate continuous improvement through periodic risk analyses, remediation, and governance oversight.
Marketing and PHI Sale Restrictions
Marketing communications for which the covered entity receives financial remuneration from a third party generally require the individual’s prior written authorization, and the authorization must state that remuneration is involved. Limited exceptions exist, such as face-to-face communications, promotional gifts of nominal value, and refill reminders or other communications about a currently prescribed drug where any remuneration is reasonably related to the cost of making the communication.
- Distinguish treatment/healthcare operations communications from marketing; when remuneration is involved, obtain a valid authorization that clearly states the compensation.
- Define and document “reasonable cost-based” payments for permitted medication adherence communications.
- Prohibit the sale of PHI without an authorization, recognizing narrow exceptions (e.g., public health, research with cost-based remuneration, and certain operational transactions).
- Track and audit remunerated communications to ensure disclosures match the individual’s authorization.
- Update policies, training, and vendor controls to prevent unauthorized marketing or sale of PHI.
Genetic Information Rule Compliance
The Omnibus Rule incorporates the Genetic Information Nondiscrimination Act (GINA) by prohibiting health plans (other than issuers of long-term care policies) from using or disclosing genetic information for underwriting purposes. “Genetic information” includes genetic test results, the genetic tests of family members, and family medical history (the manifestation of a disease or disorder in family members).
- Eliminate any collection or use of genetic information for underwriting decisions, including rates and eligibility.
- Filter genetic data from underwriting workflows and data feeds; apply role-based access controls.
- Update the NPP to reflect the prohibition and educate staff on handling genetic information.
- Evaluate vendor and actuarial processes to ensure compliance and document controls.
Decedent Information Access
PHI remains protected for 50 years after an individual’s death. You may disclose a decedent’s PHI to the personal representative, and the relevant PHI to family members and others who were involved in the individual’s care or payment for care prior to death, unless doing so is inconsistent with a prior expressed preference of the individual that is known to you.
- Verify authority of personal representatives and document proof of identity.
- Disclose only the minimum necessary to persons involved in care or payment prior to death.
- Honor known preferences the individual expressed regarding post-mortem disclosures.
- Define procedures for requests that arise after the 50-year protection period ends.
- Log disclosures and retain records consistent with HIPAA documentation requirements.
Conclusion
Operationalize the HIPAA Omnibus Final Rule of 2013 by aligning BAAs, updating your Notice of Privacy Practices, tightening breach response, and enforcing restrictions on marketing, PHI sales, and genetic information. Build a defensible program through risk analysis, training, vendor oversight, and rigorous documentation.
By treating these elements as a single, integrated compliance system, you reduce risk, protect patients, and demonstrate due diligence under the Privacy, Security, Breach Notification, and Enforcement Rules.
FAQs
What are the key requirements for Business Associate Agreements under the 2013 Rule?
BAAs must specify permitted/required uses of PHI; require Security Rule safeguards; mandate breach and incident reporting without unreasonable delay; flow down obligations to subcontractors; support access, amendment, and accounting; permit HHS access to records for investigations; address termination with return/destruction of PHI; authorize termination for material breach; and require documentation retention for at least six years.
How did the breach notification standards change with the Omnibus Rule?
The rule presumes a breach unless a documented four-factor assessment shows a low probability of compromise. You must notify affected individuals without unreasonable delay and no later than 60 days, notify HHS (and the media for large breaches), and maintain thorough incident documentation. Business Associates are directly responsible for notifying covered entities promptly.
What penalties apply for noncompliance with HIPAA Omnibus Rule?
OCR applies tiered Civil Monetary Penalties based on culpability, ranging from unknowing violations to willful neglect not corrected. Outcomes can include corrective action plans, monitoring, and financial settlements, with higher penalties for systemic failures or lack of cooperation during investigations.
How does the rule address marketing and sale of PHI?
Marketing that involves financial remuneration generally requires a PHI Marketing Authorization that discloses the compensation. Certain communications (e.g., face-to-face, nominal gifts, and limited refill reminders with cost-based payments) are exceptions. The sale of PHI is prohibited without an authorization, subject to narrow exceptions such as public health or research with cost-based remuneration.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.