Beginner's Guide to the HIPAA Omnibus Rule: What It Is, What Changed, and How to Comply

Kevin Henry

HIPAA

March 11, 2025

7 minutes read

HIPAA Omnibus Rule Overview

The HIPAA Omnibus Rule (finalized in 2013) strengthened how you must protect Protected Health Information (PHI) by updating the Privacy Rule, Security Rule, and Breach Notification Rule. It implements the HITECH Act and the Genetic Information Nondiscrimination Act (GINA), expanding individual rights and clarifying when authorization is required for uses such as marketing and the sale of PHI.

The rule applies to covered entities (health care providers, health plans, and clearinghouses) and to business associates and their subcontractors. If you create, receive, maintain, or transmit PHI on behalf of a covered entity, you are within scope and must implement safeguards, document your practices, and be prepared to demonstrate compliance.

To get compliant, focus on practical fundamentals that map to HIPAA’s standards and the Omnibus refinements:

  • Complete an enterprise-wide risk analysis and implement risk management under the Security Rule.
  • Update Business Associate Agreements so they capture Omnibus requirements and flow down to subcontractors.
  • Revise your Notice of Privacy Practices to reflect new rights and restrictions.
  • Harden technical safeguards (encryption, access controls, audit logging) and strengthen administrative and physical safeguards.
  • Train your workforce on new patient rights, breach assessment, and minimum necessary use of PHI.
  • Stand up an incident response and Breach Notification Rule process with clear timelines and documentation.

Expanded Business Associate Liability

The Omnibus Rule makes business associates directly liable for compliance with the Security Rule and parts of the Privacy Rule. Subcontractors that handle PHI for a business associate are also treated as business associates, extending accountability across your vendor chain.

Business Associate Agreements must do more than name a vendor—they must define permissible uses and disclosures, require appropriate safeguards, address breach reporting, and mandate the return or destruction of PHI at termination. They must also ensure obligations flow down to subcontractors.

Operationally, you should inventory all business associates, update agreements, and verify that each partner can meet Security Rule requirements, support individual rights (such as access to electronic PHI), and provide timely incident reporting.

Enhanced Patient Rights

The Omnibus Rule strengthens individuals' ability to control and access their information. When you maintain PHI electronically in a designated record set, you must provide an electronic copy in the form and format the individual requests if it is readily producible, and otherwise in a readable electronic form you both agree on. If the individual asks in a signed, written request, you must transmit the copy directly to a third party they designate. Your processes should support secure portal downloads, direct transmissions, and other agreed electronic formats.

Individuals may require you to restrict disclosure of PHI to a health plan for an item or service paid for in full out of pocket. You must honor this restriction except where disclosure is otherwise required by law, so your workflows should flag and enforce these limitations.

The Genetic Information Nondiscrimination Act is woven into HIPAA via the Omnibus Rule, which clarifies that genetic information is health information (and therefore PHI when individually identifiable) and prohibits health plans, other than issuers of long-term care policies, from using or disclosing it for underwriting purposes. Update your Notice of Privacy Practices to reflect these rights and explain how individuals can exercise them.

Stricter Breach Notification Standards

Omnibus shifted breach analysis to a presumption of breach unless you can demonstrate a low probability that PHI has been compromised. Your risk assessment must be documented and consider factors such as the nature and sensitivity of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent to which you mitigated the risk.

Encryption and proper destruction, carried out in line with HHS guidance, render PHI unusable, unreadable, or indecipherable to unauthorized individuals. PHI secured that way is not "unsecured PHI," so its loss or exposure does not trigger notification, which is why encrypting laptops, removable media, and backups is the single most effective way to shrink your notification exposure. If notification is required, provide it to affected individuals without unreasonable delay and no later than 60 calendar days after discovery (a business associate must notify the covered entity within the same window), and make the notice clear and actionable. It must include:

  • A brief description of what happened and when it occurred and was discovered.
  • The types of PHI involved (for example, names, diagnoses, account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • How to reach you for more information.

Increased Penalties for Non-Compliance

The HITECH Act introduced a tiered civil monetary penalty structure that the Omnibus Rule operationalized, aligning penalties with the level of culpability—from lack of knowledge to willful neglect. Penalties escalate for repeated violations, and corrective action plans and monitoring can accompany settlements.

Willful neglect requires mandatory enforcement, making timely remediation and documentation essential once you discover an issue. State attorneys general may also bring actions, increasing potential exposure beyond federal enforcement.

Practical risk reduction centers on visible governance: conduct regular risk analyses, remediate findings, enforce sanctions for noncompliance, keep policies current, encrypt portable devices, and monitor vendors through robust Business Associate Agreements and oversight.

Prohibition on Sale of PHI

The Omnibus Rule generally prohibits the sale of PHI without an individual’s valid authorization that expressly states remuneration is involved. “Sale” includes direct or indirect payment in exchange for PHI, with narrow exceptions designed to enable care and public good while protecting privacy.

  • Permitted exceptions include public health reporting, research with reasonable cost-based fees, treatment and payment activities, and disclosures to business associates acting on your behalf.
  • Charging reasonable, cost-based fees for copies or for data processing is not a sale of PHI. De-identified information is not PHI, but you must ensure it meets HIPAA’s de-identification standard.

Marketing Restrictions

Omnibus tightens when you can use PHI for marketing. If a third party provides financial remuneration for a communication that encourages the purchase or use of its product or service, you generally need an authorization, and that authorization must state that remuneration is involved. Like any HIPAA authorization, it must be specific, voluntary, and revocable.

Certain communications are not "marketing" under the Privacy Rule, including face-to-face communications with the individual and promotional gifts of nominal value. Refill reminders and similar communications about a drug or biologic the individual is currently prescribed are also excluded, provided any payment you receive is reasonably related to the cost of making the communication. Treatment and care coordination communications that are not paid for by a third party remain permissible without authorization.

Before launching any campaign, determine whether the message is treatment-related or marketing, assess remuneration, and document your analysis. Build templates and review checkpoints so your team can rapidly decide when authorization is required and how to craft it.

In short, the HIPAA Omnibus Rule strengthens privacy and security by extending responsibilities to business associates, enhancing patient rights, sharpening breach response, tightening rules on marketing and the sale of PHI, and raising enforcement stakes. If you align your policies, technology, vendor management, and training with the Privacy Rule, Security Rule, and Breach Notification Rule, you will meet the spirit and letter of the rule.

FAQs

What changes did the HIPAA Omnibus Rule introduce?

It updated the Privacy Rule, Security Rule, and Breach Notification Rule to strengthen protections for PHI; expanded direct liability to business associates and their subcontractors; enhanced patient rights (electronic access and plan-disclosure restrictions); tightened marketing rules and prohibited most sales of PHI without authorization; and aligned enforcement and penalties with the HITECH Act.

How does the rule affect business associates?

Business associates are directly responsible for Security Rule compliance and specific Privacy Rule obligations, must report incidents and breaches, and must flow down requirements to subcontractors. Updated Business Associate Agreements are required to specify permissible uses, safeguards, breach reporting, and termination protocols.

What are the new patient rights under the Omnibus Rule?

Patients can receive PHI in electronic form when it is maintained electronically and can restrict disclosures to health plans for services paid in full out of pocket. The rule also incorporates the Genetic Information Nondiscrimination Act, so genetic information is treated as health information and health plans cannot use it for underwriting.

What are the penalties for HIPAA Omnibus Rule violations?

Penalties follow a tiered structure that increases with the level of culpability and can include substantial civil monetary penalties, corrective action plans, and monitoring. Willful neglect triggers mandatory enforcement, and state attorneys general may also bring actions, amplifying potential consequences.
