Compliance Guide: Understanding the HIPAA Omnibus Rule’s Privacy and Security Changes
The HIPAA Omnibus Rule strengthened how you protect and use Protected Health Information (PHI), with a sharper focus on Electronic Protected Health Information (ePHI). It expands accountability, tightens permissible uses, and elevates breach response expectations across your organization and vendors.
This compliance guide explains the operational impacts you must manage day to day—Business Associate compliance, marketing and fundraising limits, security safeguards, proactive risk management, enforcement exposure, and the HIPAA Breach Notification Rule.
Business Associates' Direct Liability
What changed
Business Associates (BAs) and their subcontractors are directly liable for Security Rule compliance and certain Privacy Rule obligations. Liability now attaches to impermissible uses or disclosures, lack of safeguards, and failures to report breaches to covered entities.
Who qualifies as a BA
BAs include vendors that create, receive, maintain, or transmit PHI or ePHI on your behalf—such as cloud providers, EHR hosts, billing services, analytics firms, and e-mail gateways. Subcontractors that handle PHI for your BA inherit the same obligations.
What you must do
- Inventory all vendors touching PHI and map data flows to confirm Business Associate compliance requirements.
- Execute and “flow down” updated Business Associate Agreements that address minimum necessary, breach reporting, and security controls.
- Verify BA safeguards through due diligence, security questionnaires, and right-to-audit clauses; document oversight activities.
- Ensure BAs can support access, amendment, accounting of disclosures, and breach investigation timelines.
Marketing and Fundraising Restrictions
Marketing limits and remuneration
Marketing communications that promote a third party’s product or service generally require Patient Authorization. If you receive financial remuneration for the communication, authorization is required except for narrow treatment-related notices like limited-cost refill reminders.
Fundraising boundaries
Fundraising may use limited data elements (for example, demographics, dates of service, department of service, treating physician). Each fundraising message must offer a clear, simple opt-out that is not burdensome, and you cannot condition treatment on participation.
Patient Authorization Requirements
Valid authorization is required for most marketing, any sale of PHI, and sensitive categories like psychotherapy notes. Authorizations must be specific, time-limited, and revocable, and may not be combined with unrelated permissions.
Operational actions
- Classify outreach by purpose; separate treatment or care coordination from marketing.
- Standardize authorization language and tracking; record decisions in your EHR/CRM.
- Embed easy opt-outs in fundraising communications and honor preferences across all channels.
Safeguards for Electronic PHI
Security Rule essentials
You must implement administrative, physical, and technical safeguards proportionate to your risks. For ePHI, this includes risk analysis, role-based access, audit controls, integrity protections, and transmission security.
Technical safeguards to prioritize
- Strong authentication and unique IDs; multi-factor authentication for remote and privileged access.
- Encryption of ePHI at rest and in transit based on your risk assessment and data exposure patterns.
- Comprehensive audit logging, immutable logs, and alerting tuned to anomalous access or exfiltration.
- Endpoint hardening, device and media controls, secure disposal, and least-privilege enforcement.
Documentation and validation
Maintain written policies, risk analyses, remediation plans, and evaluations. Test backups and disaster recovery procedures, and verify that workforce training aligns with actual workflows involving ePHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Proactive Security Measures
Risk management and governance
Perform an enterprise-wide risk analysis at least annually and upon major changes. Track risks to closure with owners, timelines, and evidence, and brief leadership to maintain accountability.
Access control and zero trust
Apply least privilege, segregate administrative duties, and continuously verify device health and user identity. Review high-risk access (e.g., research downloads, third-party integrations) on a defined cadence.
Data protection and resilience
Encrypt PHI, deploy data loss prevention for e-mail and web, and implement immutable, off-network backups. Test restoration and define recovery time and point objectives for critical systems.
Detection and response
Stand up 24/7 monitoring for ePHI systems, with playbooks for ransomware, lost devices, and misdirected disclosures. Practice incident response with tabletop exercises to accelerate containment and notification.
Vendor oversight and audit readiness
Tier vendors by risk, require security evidence, and track corrective actions. Keep an audit file to demonstrate readiness for Office for Civil Rights (OCR) audits or investigations at any time.
Stricter Enforcement and Penalties
How enforcement works
OCR investigates complaints, breach reports, and patterns of noncompliance, and may initiate audits. Outcomes range from technical assistance to resolution agreements with multi-year corrective action plans.
Tiered Penalty Structure
Civil penalties scale by culpability: no knowledge, reasonable cause, willful neglect corrected, and willful neglect not corrected. Penalties apply per violation with annual caps, and amounts adjust for inflation; criminal penalties may apply for egregious misuse.
Reducing exposure
- Address identified risks promptly and document remediation; delay increases penalty exposure.
- Demonstrate ongoing training, monitoring, and enforcement of sanctions for policy violations.
- Use post-incident lessons learned to update safeguards and prevent recurrence.
Breach Notification Requirements
Presumption of breach and risk assessment
An impermissible use or disclosure of unsecured PHI is presumed a breach unless you show a low probability of compromise. Assess the data’s sensitivity, the unauthorized recipient, whether the PHI was actually viewed, and the effectiveness of mitigation.
Timelines and whom to notify
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If the breach affects 500 or more residents of a state or jurisdiction, also notify prominent media and report to HHS within the same 60-day window; smaller incidents are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
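The timeline logic above, worked through as an added example (not part of the original guide): given a discovery date and the affected individuals tagged by state or jurisdiction of residence (an assumed input shape), it computes which notices are owed and their deadlines, counting the 500-person threshold per jurisdiction rather than in aggregate and handling the leap-year case for the annual HHS log.

```python
from collections import Counter
from datetime import date, timedelta

# Constants taken from the timelines described in the guide.
INDIVIDUAL_DEADLINE_DAYS = 60  # individual notice: no later than 60 calendar days after discovery
MEDIA_THRESHOLD = 500          # 500+ residents of one state/jurisdiction triggers media and prompt HHS notice
ANNUAL_LOG_DAYS = 60           # smaller breaches: HHS report within 60 days after the end of the calendar year


def notification_obligations(discovered_on: str, affected: list[dict]) -> dict:
    """Return the notices owed and their deadlines for one breach of unsecured PHI.

    discovered_on is an ISO date ("YYYY-MM-DD"); each entry in affected is one
    individual with a "jurisdiction" key (assumed input shape, not from the guide).
    """
    discovered = date.fromisoformat(discovered_on)
    by_jurisdiction = Counter(person["jurisdiction"] for person in affected)
    # The threshold is per jurisdiction: 600 people split evenly across three states does not trigger media notice.
    media_jurisdictions = sorted(j for j, n in by_jurisdiction.items() if n >= MEDIA_THRESHOLD)
    individual_deadline = discovered + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    if media_jurisdictions:
        hhs_deadline = individual_deadline  # same 60-day window as the individual notices
    else:
        # 60 days after Dec 31 of the discovery year; timedelta lands on Feb 29 in a leap year, Mar 1 otherwise.
        hhs_deadline = date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS)
    return {
        "total_affected": len(affected),
        "by_jurisdiction": dict(by_jurisdiction),
        "individual_notice_deadline": individual_deadline.isoformat(),
        "media_notice_jurisdictions": media_jurisdictions,
        "hhs_report_deadline": hhs_deadline.isoformat(),
        "hhs_report_in_annual_log": not media_jurisdictions,
    }


# Constructed sample: 700 affected across two states, only one of which meets the threshold.
SAMPLE_AFFECTED = [{"jurisdiction": "TX"} for _ in range(520)] + [{"jurisdiction": "OK"} for _ in range(180)]

if __name__ == "__main__":
    for key, value in notification_obligations("2024-01-15", SAMPLE_AFFECTED).items():
        print(f"{key}: {value}")
```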
Content and delivery
Individual notices must describe what happened, the PHI involved, steps individuals should take, your containment and mitigation actions, and contact methods. A Business Associate must notify its covered entity promptly with sufficient detail to support required notices.
Documentation
Maintain incident records, your risk assessment, notifications, and decisions about whether notice was required. Align your process with the HIPAA Breach Notification Rule and test it through regular exercises.
Key takeaways
- Extend safeguards and oversight to every Business Associate and subcontractor handling PHI or ePHI.
- Use clear Patient Authorization Requirements for marketing, fundraising limits, and any sale of PHI.
- Invest in risk-driven security, continuous monitoring, and OCR audit readiness to reduce enforcement risk.
- Prepare to meet strict breach notification timelines with accurate content and thorough documentation.
FAQs
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule is a set of amendments that strengthened the Privacy, Security, Enforcement, and Breach Notification Rules. It expanded direct liability to Business Associates, refined marketing and fundraising uses of PHI, and clarified processes for breach risk assessment and notification.
How does the Omnibus Rule affect business associates?
Business Associates and their subcontractors must comply with Security Rule safeguards and certain Privacy Rule duties, are directly liable for violations, and must report breaches to covered entities. Updated agreements, documented controls, and demonstrable Business Associate compliance are now mandatory.
What are the penalties for HIPAA violations under the Omnibus Rule?
OCR applies a Tiered Penalty Structure that scales penalties by culpability and adjusts amounts for inflation, with per-violation and annual caps. Outcomes can include corrective action plans, civil monetary penalties, and in severe cases, referral for criminal enforcement.
When must a breach notification be issued?
You must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. Incidents affecting 500 or more people in a state or jurisdiction also require media notice and prompt reporting to HHS, while smaller incidents are logged and reported to HHS annually.