Business Associate Compliance Under the HIPAA Omnibus Rule: A Practical Guide


Kevin Henry

HIPAA

August 24, 2024

7 minutes read

Definition of Business Associates

Under the HIPAA Privacy Rule, a business associate is any entity or individual outside a covered entity’s workforce that creates, receives, maintains, or transmits Protected Health Information (PHI) for or on behalf of the covered entity. This includes handling PHI in any form, including electronic PHI (ePHI).

Common business associates include cloud and data storage providers, IT managed service providers with remote access to systems containing PHI, claims and billing companies, document destruction vendors, e‑discovery and legal counsel, transcription services, call centers, and analytics firms. If you maintain PHI—even if you rarely access it—you are likely a business associate.

Workforce members of a covered entity are not business associates. True “conduits” that only transmit PHI without persistent storage (for example, postal services) are generally not business associates; however, entities that store or routinely access PHI are.

Direct Liability Under the Omnibus Rule

The HIPAA Omnibus Rule imposes direct liability on business associates. You are regulated in your own right, not only through contracts with covered entities. Core responsibilities include:

  • Complying with the HIPAA Security Rule and applicable provisions of the HIPAA Privacy Rule.
  • Using and disclosing PHI only as permitted by the Business Associate Agreement (BAA) or as required by law, and applying the minimum necessary standard.
  • Reporting breaches and certain security incidents to the covered entity and maintaining required documentation.
  • Providing support for individual rights when applicable, such as access, amendment, and accounting of disclosures for PHI you maintain in a designated record set.
  • Executing BAAs with subcontractors that handle PHI and ensuring their compliance—your failure to obtain these is a direct violation.
  • Cooperating with investigations and audits, and retaining policies, procedures, and related records for at least six years.

Expanded Definition of Business Associates

The Omnibus Rule expanded who qualifies as a business associate by clarifying that entities that maintain PHI are included, even if they do not view the data. As a result, cloud service providers and data storage vendors are business associates when they host PHI, regardless of encryption.

Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are also business associates. This expansion makes Subcontractor Compliance a central part of your program.

Entities typically captured by the expansion

  • Cloud hosting, backup, and archiving platforms that store PHI.
  • Health information exchange and e‑prescribing gateway providers.
  • Managed security providers and remote IT administrators with system access to PHI.
  • Analytics, QA/testing, and customer support vendors who can access PHI.

Subcontractor Compliance essentials

  • Perform due diligence on subcontractors’ security and privacy controls before sharing PHI.
  • Flow down BAA obligations and verify they implement required safeguards.
  • Monitor performance and address gaps through remediation plans and periodic reviews.

Required Safeguards

Business associates must implement administrative, physical, and technical safeguards under the HIPAA Security Rule and adopt privacy practices aligned to the HIPAA Privacy Rule. A risk-based approach is expected.


Administrative safeguards

  • Conduct a formal Risk Analysis and ongoing risk management; reassess after major system or business changes.
  • Adopt written policies and procedures; designate a security official; maintain training and a sanctions process.
  • Establish vendor management and BAA governance, including Subcontractor Compliance controls.
  • Implement incident response, breach assessment workflows, business continuity, and disaster recovery plans.
  • Document everything and retain records for at least six years.

Physical safeguards

  • Control facility access and monitor visitors; secure server rooms and storage areas.
  • Protect workstations and mobile devices; enforce secure workspace and remote work rules.
  • Manage device and media disposal with validated destruction methods to prevent PHI recovery.

Technical safeguards

  • Apply role-based access and least privilege; use unique IDs and multi-factor authentication.
  • Encrypt ePHI in transit and at rest; secure email and file transfer channels.
  • Enable audit logs and monitoring; regularly review alerts and investigate anomalies.
  • Use integrity controls, anti-malware/EDR, secure configurations, and timely patching.

Privacy practices for business associates

  • Honor the minimum necessary standard and purpose limitation for PHI uses and disclosures.
  • Support individual rights requests routed through the covered entity when applicable.
  • Define retention schedules and secure disposal consistent with contractual and legal requirements.

Business Associate Agreements

A Business Associate Agreement documents the permitted and required uses and disclosures of PHI, your safeguard obligations, and the cooperation the covered entity expects. It should be precise, practical, and enforceable.

Required BAA elements

  • Permitted and prohibited uses/disclosures of PHI and application of minimum necessary.
  • Commitment to implement HIPAA Security Rule safeguards and applicable Privacy Rule duties.
  • Timely reporting of breaches and certain security incidents, with clear notification timelines.
  • Obligation to obtain BAAs with subcontractors and impose the same restrictions.
  • Procedures to support access, amendment, and accounting of disclosures, when relevant.
  • Agreement to make internal practices and records available to regulators for compliance review.
  • Return or destruction of PHI at contract termination, or continued protections if destruction is infeasible.
  • Right to terminate for material breach and requirements for mitigation and cooperation.

Practical drafting tips

  • Align breach reporting timelines so the covered entity can meet all external deadlines.
  • Define “security incident” and escalation paths to avoid under- or over-reporting.
  • Address audit rights, certification or attestation evidence, and cyber insurance where appropriate.

Breach Notification Requirements

Under the Breach Notification Rule, business associates must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. Discovery occurs when the breach is known or should reasonably have been known.

Action plan for business associates

  • Contain the incident, preserve evidence, and activate your incident response plan.
  • Perform a four-factor risk assessment to determine the probability of compromise and document your analysis.
  • If PHI was properly encrypted or otherwise rendered unusable to unauthorized persons, notification is typically not required.
  • Provide the covered entity with required details: what happened, date of breach and discovery, types of PHI involved, number of affected individuals, mitigation steps, and recommended protective actions.
  • Coordinate on individual notices, substitute notice, media notice, and regulatory filings if your BAA assigns you those tasks.
  • Record decisions and corrective actions; update safeguards to prevent recurrence.

Enforcement and Penalties

The Office for Civil Rights enforces HIPAA through investigations, audits, and resolution agreements that may include corrective action plans and monitoring. Business associates can face civil monetary penalties for violations, with tiers that escalate based on culpability and corrective efforts.

Serious or intentional misuse of PHI can trigger criminal enforcement. State attorneys general may also pursue civil actions. Aggravating and mitigating factors include the nature and extent of the violation, harm caused, cooperation with regulators, and the effectiveness of your Risk Analysis and remediation.

Conclusion

To meet business associate compliance under the HIPAA Omnibus Rule, define your role clearly, implement Security Rule safeguards, apply Privacy Rule principles, manage subcontractors through robust BAAs, maintain rigorous documentation, and execute disciplined breach response. Treat compliance as an ongoing program anchored by Risk Analysis, continuous improvement, and clear accountability.

FAQs

What is the role of a business associate under the HIPAA Omnibus Rule?

Your role is to perform services for a covered entity that involve PHI while complying directly with HIPAA. You must protect PHI, use or disclose it only as permitted by the BAA or law, support the covered entity’s obligations (such as access and accounting when applicable), and maintain safeguards, training, and documentation.

How does the Omnibus Rule change liability for business associates?

The Omnibus Rule makes you directly liable for compliance with key provisions of the HIPAA Privacy Rule and HIPAA Security Rule. It also extends the definition of business associate to subcontractors that handle PHI, requiring you to execute BAAs with them and oversee their compliance.

What safeguards must business associates implement?

You must implement administrative, physical, and technical safeguards proportionate to your risks. That includes a documented Risk Analysis and risk management plan, access controls and encryption, audit logging and monitoring, workforce training and sanctions, incident response and contingency plans, and privacy practices such as minimum necessary and secure retention/disposal.

How should business associates handle breach notifications?

Act quickly: contain the issue, investigate, and complete a documented four-factor risk assessment. Notify the covered entity without unreasonable delay and within 60 days of discovery, providing all required details. Coordinate on individual notices and regulatory filings per the BAA, and implement corrective actions to prevent recurrence.
