HIPAA Compliance Checklist for the Final Omnibus Rule Updates
Review and Update Privacy Policies
Use this HIPAA compliance checklist to align your privacy program with the final Omnibus Rule updates. Start by mapping how you create, receive, maintain, and transmit protected health information (PHI), then update policies so they reflect current Authorization Requirements, minimum necessary practices, and patient rights.
Key actions
- Refresh core definitions (PHI, ePHI, business associate, subcontractor) so policy language matches the rule’s scope.
- Embed Authorization Requirements for uses and disclosures that need explicit permission (e.g., most marketing, any sale of PHI, and disclosures involving psychotherapy notes).
- Reinforce minimum necessary standards for routine disclosures and for internal access to protected health information.
- Address patient rights: timely access, amendments, confidential communications, and restrictions when services are paid out-of-pocket in full.
- Clarify permissible disclosures (treatment, payment, health care operations), and when you must de-identify data or use limited data sets.
Compliance Documentation to maintain
- Version-controlled policy set with approval dates, owners, and review cadence.
- Evidence of workforce distribution and acknowledgment of revised policies.
- Decision logs explaining rationale for policy changes tied to Omnibus updates.
Update Business Associate Agreements
Business associate direct liability and flow-down duties are central to the Omnibus Rule. Complete Business Associate Agreement Modifications across your vendor portfolio and ensure subcontractors are bound to the same terms.
What to include
- Permitted uses/disclosures, minimum necessary adherence, and a prohibition on marketing communications or sale of PHI without a valid authorization.
- Security Rule obligations, including risk analysis, safeguards, and Electronic PHI Encryption where feasible.
- Breach Notification Standards for reporting to you without unreasonable delay, with defined timelines, incident details, and cooperation duties.
- Downstream subcontractor compliance with identical restrictions and safeguards.
- Access, amendment, and accounting support to fulfill patient rights.
- Right to audit/assess, mitigation assistance, and termination for cause with return or destruction of PHI.
Compliance Documentation to maintain
- Centralized inventory of business associates and subcontractors with active BAA status.
- Execution dates, renewal schedules, and evidence of due diligence and ongoing monitoring.
Modify Notice of Privacy Practices
Your NPP must transparently describe how you use and disclose PHI under the Omnibus Rule. Update content, re-post it prominently, and redistribute when required.
Required updates
- Explain Authorization Requirements for marketing, sale of PHI, and psychotherapy notes, and state that other uses/disclosures not described require authorization.
- Describe breach notification duties and how individuals will be informed.
- Include the right to restrict disclosures to health plans when services are paid out-of-pocket in full.
- Provide clear fundraising statements and a simple, no-cost opt-out.
Operational steps
- Publish the revised NPP in facilities and on your website; offer copies at points of service.
- Record the revision date and keep prior versions on file for Compliance Documentation.
Revise Breach Notification Policies
The Omnibus Rule establishes a presumption of breach unless a documented risk assessment shows a low probability of compromise. Align your Breach Notification Standards and playbooks accordingly.
Risk-based determination
- Apply the four-factor test: nature/extent of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and mitigation success.
- Treat ePHI that is not encrypted (or destroyed) in a manner consistent with HHS guidance as “unsecured PHI”; only unsecured PHI triggers notification duties, so prioritize Electronic PHI Encryption. Mitigation does not change that status, but it is the fourth factor weighed in the risk assessment.
Notification procedures
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- For breaches involving more than 500 residents of a state or jurisdiction, prepare notice to prominent media outlets serving that area; for breaches of 500 or more individuals, notify the Secretary contemporaneously with individual notice; for fewer than 500, log the incident and report it to the Secretary no later than 60 days after the end of the calendar year in which it was discovered.
- Define content requirements (what happened, types of PHI, steps individuals should take, what you are doing, contact information) and approved delivery methods.
- Require business associates to notify you promptly with the facts needed to meet your timelines.
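The following Python helper is an added example, not code from this page or from Accountable. It encodes the decision logic of the notification procedure above: the presumption of breach for unsecured PHI unless a documented four-factor assessment shows a low probability of compromise, the 60-calendar-day individual notice clock that runs from discovery, the per-state "more than 500 residents" media trigger, and the "500 or more individuals" threshold that decides between contemporaneous and annual reporting to the Secretary. The incident identifiers, dates and headcounts are constructed sample data; the annual-log deadline of 60 days after the end of the calendar year of discovery is taken from the rule.

```python
"""Breach notification obligation helper (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60               # individuals: no later than 60 calendar days after discovery
MEDIA_NOTICE_MIN_RESIDENTS = 500          # media: MORE than 500 residents of one state/jurisdiction
SECRETARY_CONTEMPORANEOUS_MIN = 500       # Secretary: 500 OR MORE individuals in total
ANNUAL_LOG_GRACE_DAYS = 60                # <500: within 60 days after the calendar year of discovery ends


@dataclass
class Incident:
    incident_id: str
    discovered: date
    affected_by_state: Dict[str, int]     # residents affected, keyed by state/jurisdiction
    encrypted_per_hhs_guidance: bool      # True => "secured" PHI, outside the notification rule
    # Outcome of the documented four-factor assessment; None = not yet documented.
    low_probability_of_compromise: Optional[bool] = None


@dataclass
class Obligations:
    is_reportable_breach: bool
    reason: str
    individual_notice_deadline: Optional[date] = None
    media_notice_states: List[str] = field(default_factory=list)
    secretary_notice: Optional[str] = None   # "contemporaneous" or "annual log"
    secretary_deadline: Optional[date] = None


def assess(incident: Incident) -> Obligations:
    """Derive notification obligations for one incident."""
    # Secured PHI (encrypted/destroyed consistent with HHS guidance) is not
    # "unsecured PHI", so the breach notification rule does not apply at all.
    if incident.encrypted_per_hhs_guidance:
        return Obligations(False, "PHI was secured (encrypted per HHS guidance)")

    # Unsecured PHI is PRESUMED breached. Only a documented assessment that
    # concludes low probability of compromise rebuts the presumption.
    if incident.low_probability_of_compromise is True:
        return Obligations(False, "Documented four-factor assessment: low probability of compromise")
    if incident.low_probability_of_compromise is None:
        reason = "No documented risk assessment on file; breach is presumed"
    else:
        reason = "Assessment did not show low probability of compromise"

    result = Obligations(True, reason)
    # The clock runs from discovery, not from when the assessment is finished.
    result.individual_notice_deadline = incident.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    # Media notice is evaluated per state/jurisdiction, never on the national total.
    result.media_notice_states = sorted(
        state for state, n in incident.affected_by_state.items() if n > MEDIA_NOTICE_MIN_RESIDENTS
    )
    total = sum(incident.affected_by_state.values())
    if total >= SECRETARY_CONTEMPORANEOUS_MIN:
        result.secretary_notice = "contemporaneous"
        result.secretary_deadline = result.individual_notice_deadline
    else:
        result.secretary_notice = "annual log"
        year_end = date(incident.discovered.year, 12, 31)
        result.secretary_deadline = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)
    return result


# Constructed sample incidents (hypothetical identifiers, dates and counts).
SAMPLE_INCIDENTS = {
    # Large multi-state loss: media notice only where a single state exceeds 500.
    "INC-1001": Incident("INC-1001", date(2024, 3, 15), {"TX": 620, "OK": 40}, False, False),
    # Exactly 500 individuals: Secretary notice is contemporaneous, but no media notice.
    "INC-1002": Incident("INC-1002", date(2024, 11, 2), {"CA": 500}, False, False),
    # Small breach: goes on the annual log; deadline lands in a leap year.
    "INC-1003": Incident("INC-1003", date(2023, 6, 10), {"NY": 120}, False, False),
    # Lost laptop with full-disk encryption per HHS guidance: not unsecured PHI.
    "INC-1004": Incident("INC-1004", date(2024, 7, 1), {"FL": 3000}, True),
    # Assessment not yet documented: treated as a breach, clock already running.
    "INC-1005": Incident("INC-1005", date(2024, 8, 20), {"WA": 75}, False, None),
}


def report() -> Dict[str, Obligations]:
    """Assess every sample incident; used for the stand-alone run below."""
    return {iid: assess(inc) for iid, inc in SAMPLE_INCIDENTS.items()}


if __name__ == "__main__":
    for iid, ob in report().items():
        print(iid, ob)
```

The two thresholds are deliberately separate constants with different comparison operators, because conflating "more than 500 residents of a state" (media) with "500 or more individuals" (Secretary) is a common playbook error; INC-1002 exercises exactly that boundary.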
Compliance Documentation to maintain
- Incident register with risk assessments, decision outcomes, and notification artifacts.
- After-action reports with remediation assignments and due dates.
Implement Employee Training
Update workforce education to reflect the Omnibus Rule, role-specific duties, and current threats. Training should be practical, scenario-driven, and reinforced regularly.
Program components
- Onboarding and refresher training tied to policy changes, job functions, and Risk Assessment Protocols.
- Modules on minimum necessary, Authorization Requirements, acceptable use, secure communications, and incident reporting.
- Targeted training for fundraising, marketing, research, and revenue cycle teams.
- Assessments, attestations, and sanctions policy awareness.
Compliance Documentation to maintain
- Curricula, attendance records, test results, and attestations by role and date.
- Training effectiveness metrics and continuous improvement notes.
Reassess Risk Assessment Procedures
Refresh your enterprise risk analysis and ongoing evaluation program so it aligns with the Omnibus Rule and the Security Rule’s expectations. Formalize Risk Assessment Protocols and repeat them on a defined cadence.
How to execute
- Inventory systems, vendors, and data flows that create, receive, maintain, or transmit ePHI.
- Identify threats, vulnerabilities, likelihood, and impact; score risks and prioritize remediation.
- Address vendor risks, including business associates and subcontractors, with documented reviews.
- Track remediation in a risk register with owners, budgets, and deadlines; validate completion.
Compliance Documentation to maintain
- Current risk analysis, risk register, remediation evidence, and executive sign-offs.
- Testing artifacts (vulnerability scans, penetration tests, tabletop exercises) and follow-up actions.
Enhance Security Safeguards
Strengthen administrative, physical, and technical controls to provide robust Protected Health Information Safeguards across your environment, devices, and vendors.
Priority controls
- Access management: role-based access, multi-factor authentication, timely provisioning/deprovisioning, and privileged access oversight.
- Electronic PHI Encryption at rest and in transit; managed keys, email and messaging encryption, and secure patient communications.
- Endpoint and network protection: configuration baselines, patching, EDR, DLP, segmentation, and secure remote access.
- Audit and monitoring: detailed logs for EHR and key systems, anomaly detection, and regular review of access reports.
- Resilience: tested backups, disaster recovery plans, and rapid restoration objectives.
- Physical safeguards: facility access controls, workstation security, device/media tracking, and secure disposal.
- Change and vendor management: pre-implementation reviews, security testing, and continuous oversight of business associates.
Summary and next steps
By updating privacy policies, executing Business Associate Agreement Modifications, refreshing your NPP, modernizing breach playbooks, training your workforce, sharpening Risk Assessment Protocols, and hardening security controls, you create a defensible, auditable HIPAA compliance posture under the final Omnibus Rule updates.
FAQs
What are the key changes in the final Omnibus Rule?
Core changes include direct liability for business associates and their subcontractors; a breach standard that presumes a breach unless a documented risk assessment shows low probability of compromise; stricter rules for marketing and sale of PHI requiring authorizations; enhanced individual rights (including restrictions when care is paid out-of-pocket); and required Notice of Privacy Practices updates that explain these uses, disclosures, and Breach Notification Standards.
How should business associate agreements be updated?
Update BAAs to specify permitted uses/disclosures, minimum necessary compliance, Security Rule obligations (including risk analysis and appropriate Electronic PHI Encryption), prompt incident and breach reporting, downstream subcontractor flow-down, support for access/amendment/accounting, audit rights, mitigation cooperation, and termination with return or destruction of PHI. Maintain Compliance Documentation showing active agreements and ongoing vendor oversight.
What training is required for staff under the new HIPAA rules?
Provide role-based onboarding and periodic refreshers tied to policy changes and current risks. Cover Authorization Requirements, minimum necessary, acceptable use, secure communications, incident recognition/reporting, and breach response roles. Track attendance and comprehension, apply sanctions for noncompliance, and update curricula as your risk assessment and operations evolve.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.