Business Associates Under HIPAA: Omnibus Rule Requirements and Compliance Checklist


Kevin Henry

HIPAA

August 15, 2024

8 minutes read

Business Associate Agreements Updates

The HIPAA Omnibus Rule requires you to update every Business Associate Agreement (BAA) so that it reflects the obligations the rule now places directly on business associates. Beyond listing permitted uses and disclosures, a current BAA must bind business associates and their subcontractors to the Security Rule safeguards, breach reporting to the covered entity, and the Privacy Rule duties that apply to the work they perform.

Key updates mandated by the HIPAA Omnibus Rule

  • Direct Security Rule obligations: require administrative, physical, and technical safeguards, plus a documented Security Rule Risk Assessment.
  • Breach reporting: mandate prompt PHI Breach Notification to the covered entity, with details sufficient for downstream notices.
  • Flow‑down terms: require every subcontractor that creates, receives, maintains, or transmits PHI to sign a Subcontractor Compliance Agreement (in regulatory terms, a business associate agreement between the business associate and its subcontractor) carrying the same restrictions and conditions.
  • Individual rights support: require the business associate to help with access, amendment, and accounting of disclosures when it holds relevant PHI.
  • Minimum necessary and use limitations: define what the business associate may do, prohibit sale of PHI without authorization, and limit marketing uses.
  • Termination, return, or destruction: specify how PHI will be returned or destroyed and how residual data will be safeguarded if destruction is infeasible.

Compliance checklist

  • Inventory all BA relationships; verify an executed, Omnibus‑compliant Business Associate Agreement exists.
  • Confirm breach reporting timelines, content, and contacts are explicit in the BAA.
  • Include subcontractor flow‑down language and require documented vendor due diligence.
  • Define permitted uses/disclosures, minimum necessary standards, and prohibition on sale of PHI without authorization.
  • Document return/destruction procedures and audit rights for the covered entity.

Compliance Obligations and Liability

The Omnibus Rule established the direct liability of business associates. They can face civil monetary penalties for impermissible uses or disclosures, failure to provide required breach notices to the covered entity, and failure to comply with the Security Rule; knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA can also carry criminal penalties. Covered entities remain responsible for oversight and may be liable for the actions of business associates that act as their agents.

Practical implications

  • Treat business associates as regulated entities: require policies, training, and continuous monitoring—not just a signed contract.
  • Use a risk‑based vendor management program that evaluates security posture, privacy controls, and incident response readiness.
  • Track obligations that flow to you from your business associates, including accounting of disclosures and access requests.

Compliance checklist

  • Map legal obligations to specific controls in your and your business associates’ programs.
  • Maintain evidence of training, risk assessments, and remediation by business associates.
  • Escalate and document corrective actions; be prepared to terminate for cause when necessary.

Breach Notification Responsibilities

Under the HIPAA Omnibus Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. Business associates must provide PHI Breach Notification to the covered entity without unreasonable delay and no later than 60 calendar days after discovery, where discovery is the first day the breach is known, or reasonably should have been known, to anyone in the business associate's workforce other than the person who committed it. The 60 days is an outer limit, and most BAAs set a much shorter deadline. The notice must identify each affected individual to the extent possible and pass along every other fact the covered entity needs for its own notifications.

Four‑factor risk assessment

  • Nature and extent of PHI involved (identifiers and sensitivity).
  • Unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (e.g., swift retrieval, reliable destruction).

What the business associate must deliver

  • Incident description, dates of occurrence and discovery, and the types of PHI involved.
  • Names or count of affected individuals and contact information if available.
  • Mitigation steps taken and recommended protective measures for individuals.
  • Continuing updates as more information becomes available.

Compliance checklist

  • Define “discovery,” reporting paths, and deadlines in the BAA.
  • Align incident response plans across covered entity and business associates, including after‑hours escalation.
  • Encrypt PHI in transit and at rest in line with HHS guidance: breach notification applies only to unsecured PHI, so the loss of properly encrypted data whose key was not compromised is not a notifiable breach.
  • Maintain a breach log and post‑incident corrective action tracking.

Marketing and Fundraising Protocols

Marketing requires the individual's written authorization, and the authorization must disclose it if the covered entity is paid by a third party for the communication. The only exceptions are face‑to‑face communications and promotional gifts of nominal value. Communications about treatment or health care operations are not marketing unless a third party pays for them; refill reminders and similar communications about a current prescription stay outside marketing only if any remuneration received is reasonably related to the cost of making the communication.

Fundraising communications may use limited PHI elements (demographics, dates of care, department of service, treating physician, outcome information, and health insurance status). Each message must provide a clear and conspicuous way to opt out that imposes no more than a nominal cost, and an opt‑out cannot be used to condition treatment or payment. Sale of PHI, for marketing or any other purpose, requires an authorization that states the disclosure will result in remuneration.


Compliance checklist

  • Classify proposed outreach as treatment, healthcare operations, fundraising, or marketing before sending.
  • Obtain and document valid authorization for marketing or sale of PHI; log revocations.
  • Limit fundraising data elements and honor opt‑outs across all channels.
  • Bind business associates through the BAA to these marketing and fundraising restrictions.

Notice of Privacy Practices Updates

The Omnibus Rule requires your Notice of Privacy Practices to reflect new rights and disclosures. Individuals must be told about breach notification, fundraising communications and opt‑out, uses and disclosures requiring authorization (including marketing, sale of PHI, and psychotherapy notes), and the right to restrict disclosures to a health plan when services are paid in full out‑of‑pocket. Health plans must also address limits on the use of genetic information for underwriting.

Compliance checklist

  • Rewrite the Notice of Privacy Practices to include Omnibus‑required statements and distribution methods.
  • Ensure staff and business associates know when to provide the updated notice and how to capture acknowledgments.
  • Align internal policies, authorization forms, and patient‑facing materials with the updated notice.

Business Associate Definition Expansion

The HIPAA Omnibus Rule broadened who counts as a business associate. Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is included, along with subcontractors that handle PHI. Cloud service providers and data storage vendors are business associates even if data is encrypted and the vendor lacks the decryption key. The “mere conduit” exception is narrow and does not cover routine access or persistent storage.

Compliance checklist

  • Re‑classify vendors that maintain or transmit PHI as business associates; rely on the conduit exception only for services that merely transmit PHI with transient, incidental access (for example, an ISP or courier).
  • Execute BAAs with cloud, analytics, billing, transcription, and other service providers that touch PHI.
  • Flow down BAA obligations using a Subcontractor Compliance Agreement wherever PHI moves downstream.

Security and Privacy Rule Compliance

Business associates must comply directly with the Security Rule and applicable Privacy Rule provisions. That means a current Security Rule Risk Assessment, risk management plan, access controls, audit logging, encryption strategies, workforce training, contingency planning, and vendor oversight. Privacy duties include minimum necessary, supporting access and amendment, and restricting impermissible uses.

Operational essentials

  • Documented risk analysis and ongoing risk management tied to technical and procedural controls.
  • Role‑based access, unique user IDs, strong authentication, and regular review of audit logs.
  • Encryption for ePHI in transit and at rest, key management, and data loss prevention where appropriate.
  • Incident response with clear thresholds for PHI Breach Notification and post‑incident remediation.
  • Vendor management that tests subcontractor security and privacy conformance regularly.

Compliance checklist

  • Complete and update Security Rule Risk Assessments after major changes and on a fixed cycle; the rule requires periodic review without naming an interval, and an annual cycle is the accepted practice.
  • Maintain policies, training, and sanctions to enforce both Security and Privacy Rule requirements.
  • Verify mechanisms to fulfill access, amendment, and accounting requests when the business associate holds the PHI.
  • Test backups, disaster recovery, and emergency mode operations.

Conclusion

The HIPAA Omnibus Rule made business associates regulated partners, not peripheral vendors. Update BAAs, verify direct compliance, tighten breach response, and align marketing, fundraising, and Notices of Privacy Practices. Use the checklists above to operationalize requirements and demonstrate continuous, risk‑based compliance.

FAQs

What is a business associate under HIPAA?

A business associate is any non‑workforce entity that creates, receives, maintains, or transmits PHI for a covered entity's functions or services (for example, billing, cloud hosting, analytics, or archiving). Subcontractors that handle PHI for a business associate are themselves business associates and must be bound to the same requirements through a Subcontractor Compliance Agreement, which the regulation treats as a business associate agreement between the business associate and the subcontractor.

How did the Omnibus Rule change HIPAA compliance?

The HIPAA Omnibus Rule expanded the definition of business associate, imposed the direct liability of business associates, strengthened breach notification by presuming a breach unless low probability of compromise is shown, tightened marketing and sale‑of‑PHI rules, and mandated updates to Business Associate Agreements and the Notice of Privacy Practices.

What are the breach notification requirements for business associates?

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. The notice must include what happened, when it happened and when it was discovered, what PHI was involved, the identity of each affected individual to the extent possible, mitigation steps taken, and recommended protective actions. A documented four‑factor risk assessment must support any decision that an incident is not a notifiable breach.

What must be included in updated BAAs?

Updated BAAs must require Security Rule compliance (including a Security Rule Risk Assessment), prompt PHI Breach Notification to the covered entity, adherence to minimum necessary, support for access/amendment/accounting, flow‑down to subcontractors via a Subcontractor Compliance Agreement, defined permitted uses and disclosures, and return or destruction of PHI at termination. They should also prohibit sale of PHI without authorization and address marketing and fundraising limits.
