Compliance Guide: What the HIPAA Omnibus Rule Was Meant to Protect



Kevin Henry

HIPAA

August 22, 2024

8 minutes read

This compliance guide explains what the HIPAA Omnibus Rule was meant to protect and how you can operationalize its requirements across your organization. It shows how the Rule ties together the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule, and how it aligns them with the HITECH Act, to strengthen safeguards for Protected Health Information (PHI).

HIPAA Omnibus Rule Overview

The HIPAA Omnibus Rule consolidated and updated multiple regulations to better protect PHI and electronic PHI. It tightened oversight over covered entities and business associates, enhanced patient rights, clarified breach risk assessment, and incorporated the Genetic Information Nondiscrimination Act (GINA) into HIPAA’s framework.

What it was meant to protect

  • Confidentiality and integrity of PHI across the full health data lifecycle.
  • Patient autonomy through stronger access, restrictions, and authorization controls.
  • Accountability for all parties handling PHI, including downstream subcontractors.
  • Public trust via clear breach notifications and transparent privacy notices.

Core rules unified

  • HIPAA Privacy Rule: governs permitted uses and disclosures of PHI.
  • HIPAA Security Rule: mandates administrative, physical, and technical safeguards for ePHI.
  • Breach Notification Rule: requires timely notice and documented risk assessment.
  • HITECH Act alignment: codifies direct liability for business associates and strengthens enforcement.

Business Associates' Liability

The Omnibus Rule made business associates (and their subcontractors) directly liable for Security Rule compliance and for the Privacy Rule obligations that apply to them, such as minimum necessary and the permitted uses and disclosures set out in their Business Associate Agreement. If a vendor creates, receives, maintains, or transmits PHI on your behalf, it is in scope regardless of whether a contract says so.

Who is a business associate now

  • Cloud and data hosting providers that store or process ePHI, even when the data is encrypted and the provider holds no key and never views it (HHS treats such "no-view" services as business associates).
  • Health information exchanges, e-prescribing gateways, claims processors, analytics firms, and similar vendors.
  • Subcontractors of business associates that handle PHI (liability “flows down”).

Direct obligations

  • Implement Security Rule safeguards: risk analysis, risk management, access controls, audit controls, integrity, transmission security, and workforce training.
  • Limit uses/disclosures to the minimum necessary; support individual rights and privacy restrictions.
  • Report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and document all security incidents, including those determined not to be breaches.

Business Associate Agreement essentials

  • Clearly define permitted uses/disclosures of PHI and minimum necessary standards.
  • Require Security Rule compliance, breach reporting timelines, and mitigation duties.
  • Mandate subcontractor flow-down terms and right to audit or obtain assurances.
  • Require return/destruction of PHI at termination where feasible and continued safeguards if retention is necessary.

Marketing and Fundraising Restrictions

The Omnibus Rule tightened the definition of marketing and placed limits on remunerated communications while clarifying permitted fundraising practices. You must distinguish treatment or care coordination communications from marketing that requires prior authorization.

Marketing

  • Authorization is required for marketing communications when you receive financial remuneration from a third party whose product or service is being promoted, with limited exceptions (e.g., face-to-face communications and promotional gifts of nominal value).
  • Refill reminders or communications about a currently prescribed drug or biologic are permitted if any payment received is reasonably related to the cost of making the communication.
  • Sale of PHI is generally prohibited without a specific authorization disclosing the sale.

Fundraising

  • You may use limited PHI for fundraising (e.g., demographic data, dates and department of service, treating physician), but you must provide a clear, simple, and free opt-out.
  • Fundraising communications must inform individuals how to opt out; you cannot condition treatment or payment on their choice, and you must respect their opt-out across all campaigns.
  • Maintain a suppression list and ensure downstream vendors honor opt-out preferences.

Patient Rights Enhancements

The Omnibus Rule expanded individual rights to give patients more control over PHI and greater transparency.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Electronic access and transmission

  • Provide an electronic copy of PHI in the requested readily producible format, or a mutually agreed alternative, within standard HIPAA timeframes.
  • Upon a patient’s written direction, send an electronic copy directly to a designated third party.
  • Charge only a reasonable, cost-based fee for labor, supplies, and postage where applicable.

Right to restrict disclosures

  • Honor a patient's request to restrict disclosure of PHI to a health plan for payment or health care operations when the patient (or someone on the patient's behalf) has paid for the item or service in full out of pocket, unless the disclosure is otherwise required by law. Flag such records in billing and claims systems so they are not inadvertently submitted to the plan.

Notice of Privacy Practices (NPP)

  • Update the Notice of Privacy Practices (NPP) to describe marketing limits, sale-of-PHI prohibitions, fundraising opt-out, breach notification duties, GINA restrictions, and the out-of-pocket restriction right.
  • Distribute or post updated NPPs and make them available at points of service and online where applicable.

Additional clarifications

  • Decedents' PHI remains protected for 50 years after death, after which it is no longer PHI; in the meantime, disclosures to family members and others who were involved in the decedent's care or payment may be permitted unless inconsistent with the decedent's known prior expressed preference.
  • A covered entity may disclose proof of immunization to a school that is required by law to have it before admitting the student, provided the parent or guardian (or the individual, if an adult or emancipated minor) agrees; the agreement may be oral but must be documented.

Breach Notification Requirements

The Omnibus Rule established a presumption that an impermissible use or disclosure is a breach unless you demonstrate a low probability of compromise through a documented risk assessment.

Four-factor risk assessment

  • Nature and extent of PHI involved, including identifiers and likelihood of re-identification.
  • Unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (e.g., recipient’s destruction or return of PHI).

Notifications and timelines

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; the 60 days is an outer limit, not a safe harbor for waiting.
  • If the breach involves more than 500 residents of a single state or jurisdiction, also notify prominent media outlets serving that state or jurisdiction within the same 60-day window.
  • If the breach involves 500 or more individuals in total, report it to HHS contemporaneously with individual notice (within 60 days of discovery).
  • For breaches affecting fewer than 500 individuals, log the event and report it to HHS annually within the prescribed timeframe.
  • Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, providing the identities of affected individuals and the other details the covered entity needs for its notices; the covered entity's clock runs from the date it (or its agent) discovers the breach.
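The threshold logic above has two different comparisons that are easy to conflate in an incident playbook: media notice turns on more than 500 residents of one state, while contemporaneous HHS reporting turns on 500 or more individuals overall. The following Python is an added example, not code from the original page or from any vendor product; it encodes those rules as stated in the Breach Notification Rule, and the breach records it runs on are constructed sample data. Its generalization is that it aggregates per-jurisdiction counts, so a breach spread over several states is handled as well as a single-state one.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and deadline as stated in 45 CFR 164.404 through 164.408.
INDIVIDUAL_NOTICE_DAYS = 60          # outer limit from discovery, calendar days
MEDIA_NOTICE_STATE_THRESHOLD = 500   # media notice if MORE THAN this many residents of one state
HHS_IMMEDIATE_THRESHOLD = 500        # contemporaneous HHS report if this many OR MORE individuals in total


@dataclass
class Breach:
    """Minimal breach record: discovery date plus affected residents per state/jurisdiction."""
    discovered: date
    affected_by_state: dict  # e.g. {"TX": 620, "OK": 30}; constructed sample data in the tests


@dataclass
class Obligations:
    total_affected: int
    individual_deadline: date            # latest date for individual notice
    media_notice_states: list = field(default_factory=list)
    hhs_immediate: bool = False          # report to HHS within the same 60 days
    hhs_annual_log: bool = False         # log now, include in the annual report to HHS


def assess_obligations(b: Breach) -> Obligations:
    """Derive notification obligations for a breach of unsecured PHI.

    Assumes the risk assessment already concluded that the incident is a
    reportable breach (i.e. low probability of compromise was NOT demonstrated).
    """
    total = sum(b.affected_by_state.values())
    obl = Obligations(
        total_affected=total,
        individual_deadline=b.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS),
    )
    # Media notice is evaluated per state, not on the overall total.
    obl.media_notice_states = sorted(
        state for state, n in b.affected_by_state.items() if n > MEDIA_NOTICE_STATE_THRESHOLD
    )
    # HHS reporting is evaluated on the overall total, with a different comparison.
    if total >= HHS_IMMEDIATE_THRESHOLD:
        obl.hhs_immediate = True
    else:
        obl.hhs_annual_log = True
    return obl


def days_remaining(b: Breach, today: date) -> int:
    """Days left before the individual-notice outer limit; negative means overdue."""
    return (b.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS) - today).days


if __name__ == "__main__":
    # Constructed sample breach: two states, one of them over the media threshold.
    sample = Breach(discovered=date(2024, 3, 1), affected_by_state={"TX": 620, "OK": 30})
    result = assess_obligations(sample)
    print(f"total affected: {result.total_affected}")
    print(f"individual notice due by: {result.individual_deadline}")
    print(f"media notice states: {result.media_notice_states}")
    print(f"HHS contemporaneous report: {result.hhs_immediate}")
    print(f"days remaining as of 2024-04-15: {days_remaining(sample, date(2024, 4, 15))}")
```

The second constructed case in the test, exactly 500 residents of one state, is the edge case worth keeping in a playbook: it triggers the contemporaneous HHS report but not media notice. The deadline helper makes the 60-day clock explicit so an incident tracker can alert well before it expires rather than treating the limit as the target date.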

Content and documentation

  • Include what happened, date of breach/discovery, types of PHI involved, steps individuals should take, mitigation actions, and contact methods.
  • Maintain evidence of the risk assessment, decisions, and mitigation to support regulatory review.

Enforcement and Penalties

The Omnibus Rule adopted the HITECH Act's tiered civil monetary penalty structure, under which penalties escalate with the level of culpability (from lack of knowledge through willful neglect) up to substantial annual caps per violation category, and it requires HHS to formally investigate complaints and compliance reviews that indicate possible willful neglect rather than resolving them informally. Criminal exposure for knowing misuse of PHI comes from the HIPAA statute itself and is separate from these civil penalties.

What this means for you

  • Perform and document regular risk analyses; remediate identified gaps and track completion.
  • Train workforce and business associates; apply sanctions for violations consistently.
  • Monitor vendors, audit high-risk processes, and keep evidence of Security Rule compliance.

Genetic Information Protections

To integrate GINA, the Omnibus Rule treats genetic information as PHI and bars health plans from using or disclosing it for underwriting. Underwriting includes eligibility determinations, premium setting, the application of pre-existing condition exclusions, and other activities related to the creation, renewal, or replacement of coverage. Issuers of long-term care policies are excluded from this underwriting prohibition.

Practical safeguards

  • Tag genetic data elements and exclude them from underwriting workflows and datasets.
  • Revise policies, NPP language, and vendor instructions to reflect GINA limits.
  • Apply minimum necessary and access controls to test results, family histories, and related records.

Authorization Modifications

The Omnibus Rule refined when authorizations are required and how they must be structured, particularly for marketing, sale of PHI, psychotherapy notes, and research.

Key updates

  • Authorization must expressly permit sale of PHI or remunerated marketing, describing the remuneration where applicable.
  • Compound authorizations for research may be allowed if clearly delineated; do not condition unrelated treatment on authorization.
  • Authorizations must be in plain language and specify the information, purpose, recipients, expiration, right to revoke, and potential for re-disclosure.

Action steps

  • Update authorization forms and workflows; segregate psychotherapy notes, which generally require separate authorization.
  • Implement checks to prevent use of PHI for prohibited purposes absent valid authorization.
  • Retain authorizations and revocations per your records management schedule.

Conclusion

The HIPAA Omnibus Rule was meant to protect patients by reinforcing Privacy and Security Rule compliance, tightening breach accountability, aligning with the HITECH Act, and extending safeguards to genetic information. By strengthening BA oversight, refining marketing and fundraising limits, and expanding patient rights, it sets a comprehensive baseline you can operationalize with clear policies, vendor controls, and documented risk management.

FAQs

What key protections does the HIPAA Omnibus Rule provide?

It fortifies safeguards for PHI by aligning HIPAA with the HITECH Act, making business associates directly liable, tightening breach notification through a risk-based presumption of breach, expanding patient rights to electronic access and restrictions, restricting sale and remunerated marketing, clarifying fundraising opt-out requirements, and protecting genetic information under GINA for underwriting purposes.

How did the Omnibus Rule change business associate responsibilities?

Business associates and their subcontractors became directly responsible for Security Rule compliance and for key Privacy Rule duties, including minimum necessary, permitted uses/disclosures, and timely breach reporting. An updated Business Associate Agreement must flow down obligations, require safeguards, define reporting, and permit oversight to ensure compliance.

What are the updated breach notification requirements?

Any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you document a low probability of compromise using the four-factor risk assessment. Individuals must be notified without unreasonable delay and within 60 calendar days of discovery; breaches of 500 or more individuals are reported to HHS contemporaneously, breaches involving more than 500 residents of one state also require media notice, and smaller breaches are logged and reported to HHS annually. Comprehensive documentation must support the risk assessment, the notification decisions, and the mitigation taken.

How does the rule protect genetic information?

The Omnibus Rule incorporates GINA by treating genetic information as PHI and prohibiting its use or disclosure for underwriting by health plans. You must segregate genetic data from underwriting workflows, update policies and notices, and apply strict access controls and minimum necessary standards.
