Final Omnibus Rule Checklist: What Organizations Must Update to Meet HIPAA


Kevin Henry

HIPAA

August 22, 2024

7 minutes read

Update Business Associate Agreements

Key updates to add or confirm

  • Extend obligations to subcontractors, requiring the same safeguards and reporting duties to flow down across the chain.
  • State that business associates are directly liable under HIPAA for Security Rule compliance (administrative, physical, and technical safeguards) and for the Privacy Rule provisions that apply to them, including the limits on use and disclosure set by the agreement itself.
  • Define permitted and required uses/disclosures, expressly prohibiting sale of PHI and restricting marketing uses consistent with PHI marketing restrictions.
  • Require prompt written notice to the covered entity of any security incident or suspected breach. The rule caps business associate notice at 60 days from discovery, but contracts commonly require it within days so the covered entity can meet its own 60-day clock for unsecured PHI breach reporting.
  • Mandate minimum necessary practices, access controls, and audit readiness, including cooperation during investigations and civil money penalties enforcement actions.
  • Include termination triggers and data return/destruction procedures, with contingency terms if return is infeasible.
  • Address ePHI rights support (access, amendments, accounting) and alignment with electronic health records certification capabilities such as audit logging and secure transmission.

Practical steps

  • Inventory all business associates and subcontractors; prioritize high-risk vendors handling ePHI.
  • Adopt a standard BAA template with version control; obtain countersignatures and track expirations and renewals.
  • Embed breach notification playbooks and security requirements (encryption, MFA, logging) as enforceable contract terms.

Revise Notice of Privacy Practices

Required content elements

  • Explain uses/disclosures that require authorization, including psychotherapy notes authorization and most marketing communications.
  • State the prohibition on the sale of PHI and outline PHI marketing restrictions, with examples users can understand.
  • Inform individuals of the right to be notified following a breach of unsecured PHI and how they will be contacted.
  • Note the right to restrict disclosure to a health plan when services are paid out of pocket in full.
  • Describe fundraising communications and a clear, no-cost opt-out method.
  • Summarize relevant Privacy Rule provisions in plain language, including access, amendment, and accounting rights.

Practical steps

  • Update the NPP text, translate as needed, and repost in facilities, patient portals, and intake packets.
  • Revise acknowledgment workflows and retain proof that individuals received the current NPP.
  • Align call center, registration scripts, and website copy to the updated NPP language.

Amend Privacy Policies

Policy topics to update

  • Uses and disclosures: apply minimum necessary, document authorization workflows, and codify prohibitions on sale/marketing of PHI.
  • Special categories: clarify rules for psychotherapy notes authorization and sensitive data handling.
  • Individual rights: procedures for access to ePHI, amendment, restrictions, alternative communications, and accounting.
  • Third parties: vendor due diligence, BAA approval, and monitoring processes.
  • Workforce standards: sanctions for violations, non-retaliation, and complaint handling.
  • Documentation: retain policies, approvals, and risk analyses for at least six years, mapped to Privacy Rule provisions.

Practical steps

  • Consolidate policies into a single, version-controlled manual; note owners and review dates.
  • Embed policy checkpoints in daily workflows (EHR order sets, release-of-information forms, and marketing review gates).
  • Conduct a gap analysis to verify policy language matches current practices and technology.

Implement Security Measures

Technical and administrative controls

  • Run a risk-based security program aligned to the Security Rule standards, with encryption in transit and at rest (and the key management behind it) justified by the risk analysis rather than left as an unaddressed "addressable" item.
  • Enforce least privilege, unique IDs, multi-factor authentication, and timely termination of access.
  • Enable audit controls, centralized logging, and alerting for anomalous access and exfiltration.
  • Harden endpoints and servers with patching, EDR, configuration baselines, and device/media controls.
  • Segment networks, secure APIs, and validate cloud and data center architectures against zero trust principles.
  • Maintain contingency plans: backups, disaster recovery, and periodic restoration testing.

EHR and vendor alignment

  • Confirm your EHR’s security features—role-based access, audit trails, break-the-glass workflows—meet operational needs.
  • Map capabilities to applicable electronic health records certification criteria that support secure transport, integrity, and auditing.
  • Build vendor SLAs that require incident reporting, continuous monitoring evidence, and remediation timelines.
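The audit-control and break-the-glass items above are only useful if someone actually reviews the audit trail. The following is an added example, not code from the original article or from any EHR vendor, showing how a small review job can turn an EHR access log into findings. The log format, field names (`user`, `role`, `patient`, `break_glass`, `reason`), the `ASSIGNED_PATIENTS` care-team table and the thresholds are all assumptions; real deployments would read the audit feed and the care-team relationships from the EHR.

```python
"""Added example: flag anomalous ePHI access in an EHR audit log.

The audit events, field names and care-team assignments below are
constructed for illustration; they are not real data or a vendor's schema.
"""
import json
from datetime import datetime, timedelta

# Hypothetical treatment/operations relationships (who may see which patient).
# A real system derives this from ADT, care-team or scheduling feeds.
ASSIGNED_PATIENTS = {
    "rn.alice": {"P1001", "P1002"},
    "billing.bob": {"P1001"},
    "dr.carol": set(),                                  # ED physician: break-glass only
    "clerk.dave": {f"P30{i:02d}" for i in range(1, 13)},
    "eve.intern": {"P1002"},
}
MAX_DISTINCT_PATIENTS_PER_HOUR = 10                     # assumed snooping/exfil threshold
BUSINESS_HOURS = range(7, 19)                           # 07:00-18:59, assumed
NON_CLINICAL_ROLES = {"billing", "scheduling"}          # roles with no after-hours need


def _event(ts, user, role, patient, break_glass=False, reason=""):
    """Serialise one constructed audit event as a JSON line."""
    return json.dumps({"ts": ts, "user": user, "role": role, "patient": patient,
                       "action": "view_chart", "break_glass": break_glass,
                       "reason": reason})


# Constructed JSONL audit log: one event per line.
SAMPLE_LOG = "\n".join(
    [_event("2024-08-20T09:02:11", "rn.alice", "nurse", "P1001"),
     _event("2024-08-20T09:15:40", "rn.alice", "nurse", "P1002"),
     _event("2024-08-20T22:30:05", "billing.bob", "billing", "P1001"),
     _event("2024-08-20T11:05:00", "dr.carol", "physician", "P2001", True, "trauma arrival"),
     _event("2024-08-20T11:40:00", "dr.carol", "physician", "P2002", True, ""),
     _event("2024-08-20T14:00:00", "eve.intern", "nurse", "P1001")]
    # clerk.dave opens 12 distinct charts in 33 minutes
    + [_event(f"2024-08-20T10:{3 * i:02d}:00", "clerk.dave", "scheduling", f"P30{i:02d}")
       for i in range(1, 13)]
)


def parse_log(text):
    """Parse JSONL audit events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_anomalies(events):
    """Return (user, rule, detail) findings for four review rules."""
    findings = []
    by_user = {}
    for e in events:
        user, patient = e["user"], e["patient"]
        by_user.setdefault(user, []).append(e)
        if e["break_glass"]:
            # Emergency access is allowed, but must carry a justification.
            if not e["reason"].strip():
                findings.append((user, "break_glass_without_reason", patient))
        elif patient not in ASSIGNED_PATIENTS.get(user, set()):
            # Ordinary access with no documented relationship to the patient.
            findings.append((user, "no_treatment_relationship", patient))
        if e["role"] in NON_CLINICAL_ROLES and e["ts"].hour not in BUSINESS_HOURS:
            findings.append((user, "off_hours", e["ts"].isoformat()))

    # Burst rule: distinct patients viewed in any sliding one-hour window.
    window = timedelta(hours=1)
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add(ev["patient"])
            if len(seen) > MAX_DISTINCT_PATIENTS_PER_HOUR:
                findings.append((user, "distinct_patient_burst",
                                 f"{len(seen)} patients within 1h of {start['ts'].isoformat()}"))
                break                                   # one finding per user is enough
    return findings


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:12} {rule:28} {detail}")
```

On the constructed log this flags billing.bob (after-hours access by a non-clinical role), dr.carol (break-glass with an empty reason), eve.intern (chart view with no care-team relationship) and clerk.dave (twelve distinct charts inside an hour), while rn.alice's in-scope views produce nothing. The thresholds and the relationship table are the parts that need tuning per organization; the point is that each rule maps to a documented policy (minimum necessary, break-the-glass justification, role-based access) so a finding is reviewable, not just an alert.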

Conduct Employee Training

Curriculum essentials

  • Teach workforce roles and responsibilities under the Privacy and Security Rules, with realistic scenarios.
  • Explain updated policies on marketing, sale of PHI, minimum necessary, and psychotherapy notes authorization.
  • Run phishing and social engineering drills tied to sanctions and coaching.
  • Practice incident spotting and immediate reporting to support unsecured PHI breach reporting obligations.

Program operations

  • Deliver onboarding and role-based refreshers at least annually; track attendance and comprehension.
  • Provide just-in-time microlearning after policy changes and security incidents.
  • Retain training materials, sign-offs, and test results for documentation and audits.

Perform Risk Assessment and Documentation

Enterprise risk analysis

  • Identify where PHI resides, data flows, and who accesses it across systems, vendors, and devices.
  • Evaluate threats and vulnerabilities; rate inherent and residual risk; prioritize remediation plans with owners and dates.
  • Test safeguards through tabletop exercises, vulnerability scans, and corrective action tracking.

Breach risk assessment

  • Apply the Omnibus standard: an impermissible use or disclosure of PHI is presumed to be a breach unless a risk assessment shows a low probability that the PHI has been compromised, considering at least four factors: the nature and extent of the PHI (types of identifiers, likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Document the analysis, decision, and mitigation steps for every incident, even when not reportable.

Retention and audit readiness

  • Maintain policies, BAAs, risk analyses, incident logs, and training records for at least six years.
  • Establish evidence repositories and audit trails that demonstrate Privacy Rule provisions and Security Rule compliance in practice.

Enhance Breach Notification Compliance Plan

Plan components

  • Define “unsecured PHI” (PHI not rendered unusable, unreadable, or indecipherable by encryption or destruction consistent with HHS guidance), record which systems meet that bar so an incident involving properly encrypted data can be taken out of notification scope, and differentiate breaches from security incidents and from the rule’s permitted exceptions.
  • Set timelines and owners: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify prominent media when more than 500 residents of a state or jurisdiction are affected; notify the Secretary within the same 60-day window for breaches affecting 500 or more individuals, and log smaller breaches for submission to the Secretary no later than 60 days after the end of the calendar year in which they were discovered.
  • Describe content requirements for notices, substitute notice procedures, language needs, and toll-free contact options.
  • Codify business associate obligations to notify covered entities swiftly with incident facts and affected populations.
  • Coordinate with law enforcement to delay notice when permitted, and document decisions thoroughly.
  • Track all notifications, remedial actions, and lessons learned to reduce recurrence and demonstrate diligence.

Governance and enforcement

  • Conduct periodic drills to validate escalation paths, approvals, and communications.
  • Prepare executive reports aligning metrics to civil money penalties enforcement risk and mitigation progress.

Conclusion

By updating BAAs, NPPs, internal policies, security controls, training, risk analysis, and your notification plan, you create a defensible compliance posture. Embed Privacy Rule provisions and Security Rule compliance into daily operations, restrict marketing and sales of PHI, and harden breach response. Treat documentation as proof of performance—your best asset in audits and investigations.


FAQs

What updates are required for business associate agreements under the Omnibus Rule?

BAAs must impose Security Rule compliance, minimum necessary standards, and breach reporting duties on business associates and their subcontractors. They should prohibit the sale of PHI, restrict marketing uses, define permitted disclosures, require prompt incident notice for unsecured PHI breach reporting, and specify return/destruction of PHI at termination. Include cooperation for audits and investigations to reduce civil money penalties enforcement exposure.

How must notice of privacy practices change to comply with HIPAA Omnibus Rule?

Your NPP must explain when authorization is required—especially for psychotherapy notes authorization and marketing—state that the sale of PHI is prohibited, and inform individuals of their right to notice following a breach of unsecured PHI. It should describe the right to restrict disclosures to a health plan for services paid in full and summarize key Privacy Rule provisions in clear, accessible language.

What security measures are mandated for protecting PHI?

The Security Rule does not name specific products. Covered entities and business associates must implement risk-based administrative, physical, and technical safeguards: access controls with unique user IDs, audit logs, device and media protections, incident response, and contingency planning, with encryption (addressable, but expected wherever the risk analysis cannot justify its absence) and multi-factor authentication as the controls a current risk analysis almost always settles on. Align EHR features such as audit trails and secure transport with electronic health records certification criteria and with your organization’s risk analysis to demonstrate Security Rule compliance.

How does the Omnibus Rule affect breach notification requirements?

The Omnibus Rule replaced the earlier “significant risk of harm” test with a presumption that an impermissible use or disclosure is a breach unless a documented four-factor risk assessment shows a low probability that the PHI has been compromised. When a breach of unsecured PHI occurs, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify the media when more than 500 residents of a state or jurisdiction are affected; and notify the Secretary within the same 60 days for breaches of 500 or more individuals, or through the annual log for smaller ones. Maintain procedures, templates, and documentation to support timely unsecured PHI breach reporting and to withstand civil money penalties enforcement review.
