Checklist: Actions to Meet HIPAA Omnibus Privacy and Security Provisions

This practical checklist helps you prioritize HIPAA Omnibus Rule Compliance across privacy and security. It focuses on Business Associate Agreements, Risk Assessments, Security and Privacy Policies, Notice of Privacy Practices updates, PHI Breach Notification, Genetic Information Protection, and Data Use Restrictions so you can act with confidence.

Update Business Associate Agreements

Confirm every vendor that creates, receives, maintains, or transmits PHI qualifies as a Business Associate, then execute updated Business Associate Agreements (BAAs) and flow them down to all subcontractors. Maintain a current inventory of BA relationships, renewal dates, and points of contact.

What to include in BAAs

• Scope: Define permitted uses and disclosures, apply the minimum necessary standard, and embed Data Use Restrictions for limited data sets and de-identification.
• Security: Require compliance with the Security Rule, ongoing Risk Assessments, vulnerability management, audit logging, and prompt security incident reporting.
• Breach terms: Mandate PHI Breach Notification to the covered entity without unreasonable delay, provide required details, and specify the target notification window.
• Subcontractors: Require written, equivalent restrictions for all downstream subcontractors that handle PHI.
• Patient rights support: Obligate assistance with access, amendments, and accounting of disclosures upon request.
• Use prohibitions: Restrict marketing and sale of PHI, prohibit underwriting uses of genetic information (Genetic Information Protection), and require return or destruction of PHI at termination.
• Oversight: Permit audits or attestations, define corrective action and termination for cause.

Operational tips

• Standardize a BAA template and escalation path for exceptions.
• Track due diligence artifacts (e.g., security questionnaires, SOC reports, penetration tests) and renewal checkpoints.
• Embed measurable performance indicators such as incident reporting timelines and training completion rates.

Conduct Comprehensive Risk Analysis

Perform an enterprise-wide Risk Analysis of ePHI and paper PHI to identify threats, vulnerabilities, and the likelihood and impact of harm. Repeat Risk Assessments at least annually and whenever systems, vendors, or workflows materially change.

Risk analysis playbook

• Define scope: Systems, apps, devices, data flows, cloud services, third parties, and physical locations.
• Inventory assets: Classify PHI by sensitivity, volume, and location; map where PHI is created, stored, processed, and transmitted.
• Identify threats and vulnerabilities: Human error, insider misuse, ransomware, lost devices, misconfigurations, and supply-chain risks.
• Evaluate risk: Use a consistent scoring model to rate likelihood and impact, then prioritize remediation in a risk register.
• Treat risk: Implement administrative, physical, and technical safeguards with owners, budgets, and due dates.
• Monitor and verify: Track residual risk, test controls, and validate that corrective actions are effective.

Explicitly consider Genetic Information Protection scenarios (e.g., genetic test results used for underwriting) and apply Data Use Restrictions to reduce exposure in research and analytics use cases.

Implement Security and Privacy Policies

Translate risk findings into clear, enforceable policies and procedures. Keep policies concise, task-oriented, and accessible to your workforce, and update them as systems and regulations evolve.

Administrative safeguards

• Governance: Define roles, decision rights, and an escalation path for incidents and exceptions.
• Access management: Grant role-based access using the minimum necessary standard; review access at least quarterly.
• Contingency planning: Backup, disaster recovery, and emergency operations testing with defined recovery time and point objectives.
• Workforce management: Sanctions for violations, onboarding/offboarding, and vendor oversight procedures.

Technical safeguards

• Identity and authentication: Strong passwords, MFA, session timeouts, and termination of orphaned accounts.
• Encryption: Encrypt ePHI in transit and at rest where reasonable and appropriate; manage keys securely.
• Audit controls: Centralize logs, monitor anomalous activity, and conduct periodic access audits.
• Endpoint and cloud security: Patch management, EDR, configuration baselines, and secure-by-default cloud patterns.

Physical safeguards

• Facility security: Badge controls, visitor logs, surveillance, and cabinet/server room protections.
• Device/media management: Secure disposal, media re-use procedures, and mobile device management (MDM) for PHI-capable devices.

Privacy controls

• Data Use Restrictions: Enforce minimum necessary, need-to-know access, and approvals for new PHI use cases.
• Marketing, sale, and fundraising: Require valid authorization where applicable; maintain easy opt-outs.
• Research: Use de-identification or limited data sets with data use agreements; define re-identification prohibitions.
• Genetic information: Prohibit underwriting uses and incorporate Genetic Information Protection into policy text.

Provide Workforce Training

Deliver role-based, scenario-driven HIPAA training at hire, when roles change, and at least annually. Measure comprehension and reinforce learning with real-world simulations.

• Core modules: Privacy Rule, Security Rule, breach recognition and reporting, and PHI handling basics.
• Role-specific content: Front desk identity verification, clinical documentation, billing disclosures, IT admin access reviews.
• Security awareness: Phishing simulations, safe data sharing, secure telehealth and remote work practices.
• BA coordination: Verify Business Associates train their workforce and can evidence compliance.
• Evidence: Track attendance, scores, and remediation for missed or failed trainings.

Honor Patient Rights

Design workflows that fulfill patient rights promptly and consistently, with audit trails for every request and response.

• Access to PHI: Provide timely access (including electronic formats) to the designated record set; apply reasonable, cost-based fees where permitted.
• Restrictions: Honor requests to restrict disclosures to a health plan when the individual pays in full out-of-pocket.
• Amendments: Process amendment requests with clear approval/denial criteria and documentation.
• Accounting of disclosures: Track non-TPO disclosures and provide an accounting upon request within the required period.
• Confidential communications: Accommodate alternate addresses or contact methods.
• Genetic Information Protection: Treat genetic data as PHI and prohibit its use for underwriting purposes.

Revise Notice of Privacy Practices

Update your Notice of Privacy Practices (NPP) to reflect HIPAA Omnibus Rule changes and your current operations. Use plain language, ensure accessibility, and distribute through your website and points of service.

• Core content: Your uses/disclosures, patient rights, your duties, and how to exercise rights or file concerns.
• Omnibus updates: Statements on marketing and sale of PHI limits, fundraising opt-outs, PHI Breach Notification, and restrictions on using genetic information for underwriting.
• Operational fit: Reflect telehealth, patient portals, remote care, and third-party apps where PHI may flow.
• Governance: Version, approve, post, and retain prior NPP versions; train staff to explain key changes.

Enhance Breach Notification Protocols

Adopt a presumption of breach unless a documented risk assessment shows a low probability that PHI was compromised. Build speed and accuracy into every step of your response.

Response framework

• Detect and contain: Triage, isolate affected systems, preserve evidence, and engage appropriate leaders promptly.
• Risk assessment factors: Nature/extent of PHI, the unauthorized person, whether PHI was actually viewed/acquired, and mitigation actions.
• Notifications: Notify affected individuals without unreasonable delay and no later than 60 days; notify HHS and, when applicable, prominent media for incidents impacting 500 or more residents; log smaller breaches for annual HHS submission.
• Content of notices: Brief description, types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and contact methods.
• Business Associates: Require BAs to notify you promptly with sufficient detail to meet PHI Breach Notification obligations.
• After-action: Remediate root causes, update policies, retrain workforce, and test controls to prevent recurrence.

Summary and Next Steps

Advance HIPAA Omnibus Rule Compliance by locking down BAAs, completing Risk Assessments, operationalizing Security and Privacy Policies, training your workforce, honoring patient rights, updating the NPP, and perfecting breach response. Assign accountable owners, set timelines, and track metrics to sustain performance.

FAQs.

Which HIPAA rule incorporated privacy and security provisions?

The HIPAA Omnibus Final Rule (2013) implemented HITECH and GINA updates that strengthened and integrated privacy, security, breach notification, and enforcement requirements. It did not replace the Privacy and Security Rules; it amended and tightened them while extending direct liability to Business Associates.

What are the key requirements of the HIPAA Omnibus Rule?

Highlights include direct liability for Business Associates and their subcontractors, a presumption of breach with a defined risk assessment, expanded patient rights and updated Notice of Privacy Practices content, stricter limits on marketing and sale of PHI, fundraising opt-out requirements, prohibitions on using genetic information for underwriting, and enhanced enforcement with tiered penalties.

How should organizations update business associate agreements under HIPAA?

Use BAAs that specify permitted uses/disclosures with minimum necessary, require Security Rule safeguards and ongoing Risk Assessments, mandate timely PHI Breach Notification with required details, flow down terms to subcontractors, support patient rights requests, prohibit marketing/sale of PHI and underwriting uses of genetic information, allow audits, and address termination, return, or destruction of PHI.

What are breach notification obligations under the HIPAA Omnibus Rule?

Notify affected individuals without unreasonable delay and no later than 60 days after discovery, include all required content, and use appropriate methods (with substitute notice if needed). Report breaches affecting 500 or more residents to HHS and the media; smaller incidents are logged and reported to HHS annually. Business Associates must notify covered entities promptly with enough information to meet these obligations.