Final Omnibus Rule: HIPAA Privacy, Security, and Enforcement Requirements
Business Associates' Direct Liability
The Final Omnibus Rule makes business associates—and their downstream subcontractors—directly liable for compliance with key provisions of the HIPAA Privacy Rule and the HIPAA Security Rule. That means vendors that create, receive, maintain, or transmit Protected Health Information (PHI) must implement safeguards, limit uses and disclosures, and report incidents, not just support a covered entity’s efforts.
What business associates are directly liable for
- Impermissible uses or disclosures of PHI, including violations of the minimum necessary standard.
- Failure to provide breach notification to the covered entity under the Breach Notification Rule.
- Failure to provide access to ePHI in a designated record set or to disclose PHI to HHS when required.
- Failure to implement administrative, physical, and technical safeguards required by the HIPAA Security Rule.
- Failure to enter into a compliant Business Associate Agreement (BAA) with subcontractors that handle PHI.
Operational steps
- Inventory all vendors and subcontractors that touch PHI and ensure each has an executed, up‑to‑date BAA.
- Perform a security risk analysis; implement encryption, access controls, and audit logging tailored to ePHI.
- Establish incident detection, breach assessment, and notification workflows with clear timelines and triggers.
- Train workforce members on permissible uses and disclosures, including the minimum necessary standard.
Limitations on Use and Disclosure of PHI
The Rule tightens when and how PHI may be used or disclosed under the HIPAA Privacy Rule. It narrows exceptions for marketing, strengthens fundraising limits, and prohibits the sale of PHI without a valid authorization, ensuring that individuals retain control over their Protected Health Information.
Key limitations
- Marketing: Authorizations are required for most paid communications; limited exceptions include face‑to‑face promotions and nominal‑value gifts.
- Fundraising: Only limited PHI elements may be used; every message must include a clear, no‑cost opt‑out that is honored.
- Sale of PHI: Disclosures in exchange for remuneration generally require prior authorization.
- Public health, law enforcement, and other permitted disclosures remain allowed but must follow minimum necessary and documentation requirements.
- Decedent information: PHI remains protected for 50 years after death; certain disclosures to family members and others involved in care are permitted.
- Immunization records: Disclosures to schools are allowed with documented agreement from a parent or guardian, or from the individual when appropriate.
Practical controls
- Embed minimum‑necessary logic into role‑based access and disclosure review workflows.
- Pre‑approve standardized fundraising and marketing content; require authorization for any use beyond permitted boundaries.
- Record and retain disclosure rationales to support audits and individual accounting requests.
Individuals' Rights to Health Information
The Final Omnibus Rule expands individuals’ abilities to access and control their information. You must provide electronic copies of PHI maintained electronically, allow individuals to direct copies to a third party, and charge only reasonable, cost‑based fees for access.
Expanded rights
- Electronic access: Provide ePHI in the requested, readily producible format or an agreed alternative within required timeframes.
- Third‑party directive: Send a copy to a designated person or entity when the individual’s written, signed request clearly identifies the recipient.
- Out‑of‑pocket restriction: When an individual pays in full out‑of‑pocket, you must honor a request not to disclose that treatment information to a health plan, except where disclosure is required by law.
- Fees: Limit charges to labor for copying, supplies, and postage when applicable; no fees for reviewing or retrieving records.
Implementation tips
- Offer secure electronic delivery options aligned with the HIPAA Security Rule, such as portal download or encrypted email.
- Publish a transparent fee schedule and document format options and turnaround times.
- Flag restricted items in the record to prevent unintended health‑plan disclosures.
Modifications to Notice of Privacy Practices
Your Notice of Privacy Practices (NPP) must be updated to reflect Final Omnibus Rule changes. The NPP should clearly explain new rights and limits so individuals understand how their PHI is protected and used.
Required NPP content additions
- Statements that most marketing, the sale of PHI, and certain other uses require written authorization.
- A description of fundraising communications with a clear opt‑out mechanism.
- Notice of the individual’s right to restrict disclosures to a health plan when paying out‑of‑pocket in full.
- A description of breach notification duties under the Breach Notification Rule.
- Explanations of electronic access rights and delivery options.
Distribution and posting
- Post the current NPP prominently and make it available at service locations and online where applicable.
- Provide the NPP at first service delivery after updates and upon request; retain prior versions as required.
Enforcement Rule Enhancements
The Enforcement Rule introduces tiered Civil Money Penalties (CMPs) and stronger investigative authority. Penalties scale with culpability—from lack of knowledge to uncorrected willful neglect—with per‑violation amounts that may reach tens of thousands of dollars and annual caps per violation type.
Accountability highlights
- Four CMP tiers: no knowledge, reasonable cause, willful neglect corrected, and willful neglect uncorrected.
- Mandatory investigations and higher penalties for willful neglect findings.
- Business associates face the same enforcement exposure as covered entities.
Readiness actions
- Maintain an auditable compliance program: policies, training, risk analysis, risk management, and monitoring.
- Document corrective actions promptly when issues are identified to reduce enforcement risk.
- Align contracts, BAAs, and vendor oversight with enforcement expectations.
Breach Notification Rule Changes
The Final Omnibus Rule establishes a presumption that an impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that PHI has been compromised. The assessment must consider specific factors and guide whether notification is required.
Risk assessment factors
- The nature and extent of PHI involved, including identifiers and likelihood of re‑identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (for example, prompt return, destruction, or encryption at the time of the incident).
Notification essentials
- Notify affected individuals without unreasonable delay and within required deadlines; notify HHS and, for large breaches, the media.
- Document every assessment, decision, and notification step; retain evidence for audits.
- Use encryption and proper destruction to leverage safe harbors and reduce breach risk.
Genetic Information Protections
The Rule implements Genetic Information Nondiscrimination protections by treating genetic information as PHI and limiting its use. Most health plans are prohibited from using or disclosing genetic information for underwriting purposes, reinforcing privacy and fairness in coverage decisions.
Scope and definitions
- Genetic information includes an individual’s genetic tests, tests of family members, and family medical history.
- Underwriting restrictions apply broadly to health plans, with limited exceptions such as certain long‑term care policies.
- Providers should avoid collecting genetic details unless needed for treatment, payment, or health care operations permitted by the HIPAA Privacy Rule.
In summary, the Final Omnibus Rule strengthens the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule, extends direct liability to business associates, heightens enforcement through Civil Money Penalties, and adds protections for genetic information. By updating BAAs, tightening disclosure practices, enabling electronic access, and modernizing NPPs, you build a compliant, trust‑centered privacy program.
FAQs
What are the key provisions of the Final Omnibus Rule?
The Rule implements HITECH and GINA changes by expanding business associates’ obligations, tightening limits on marketing, fundraising, and the sale of PHI, enhancing individuals’ electronic access rights and out‑of‑pocket restrictions, updating NPP content, adopting a presumption‑of‑breach standard with defined risk factors, strengthening enforcement with tiered Civil Money Penalties, and prohibiting most underwriting uses of genetic information.
How does the rule affect business associates' liability?
Business associates and their subcontractors are directly liable for compliance with specified HIPAA Privacy Rule and HIPAA Security Rule requirements. They must safeguard ePHI, limit uses and disclosures, execute compliant BAAs with subcontractors, provide breach notifications to covered entities, support access requests, and cooperate with HHS investigations—exposure that now mirrors covered entities’ risk.
What penalties are imposed for noncompliance?
Enforcement uses a four‑tier Civil Money Penalties structure that scales by culpability, with per‑violation amounts that can reach tens of thousands of dollars and annual caps per violation type. Willful neglect triggers mandatory investigations and the highest penalties, and business associates face the same enforcement framework as covered entities.
How are individuals' rights to health information expanded under the rule?
Individuals can obtain electronic copies of PHI in the requested, readily producible format, direct copies to a third party, and pay cost‑based fees only. They can also restrict disclosures to a health plan when paying in full out‑of‑pocket, and they receive clearer notice of these rights through updated NPPs and streamlined access processes.