HIPAA Final Omnibus Rule Explained: What It Strengthens and Compliance Requirements

Kevin Henry

HIPAA

August 24, 2024

7 minutes read

Business Associate Liability Expansion

The Final Omnibus Rule makes business associates directly liable for safeguarding protected health information (PHI) and complying with key Privacy and Security Rule provisions. This liability now extends to vendors that create, receive, maintain, or transmit PHI on behalf of covered entities, including cloud service providers and health information exchanges.

Who qualifies and what changed

  • Direct liability: Business associates must implement administrative, physical, and technical safeguards, follow the minimum necessary standard, and support individuals’ access and amendment rights when they maintain designated record sets.
  • Subcontractor compliance: Any subcontractor that handles PHI for a business associate is itself a business associate and must meet the same requirements through flow‑down terms.
  • The conduit exception is narrow: Mere transmission of PHI without persistent storage may be exempt, but routine access to, storage of, or management of PHI triggers business associate status.

Business Associate Agreements

Business Associate Agreements must be updated to reflect the expanded obligations. Required terms include permitted uses and disclosures, breach reporting to the covered entity without unreasonable delay, safeguards aligned to the Security Rule, and flow‑down provisions to ensure subcontractor compliance. Maintain an inventory of vendors, perform due diligence, and monitor each vendor's performance against its agreement.

Operational actions

  • Risk analysis and risk management covering all systems that store or transmit PHI.
  • Workforce training, access controls, encryption at rest and in transit, and contingency planning.
  • Documented processes to support patient access to Electronic Health Information when the business associate maintains it.

Marketing and Fundraising Restrictions

The rule tightens the restrictions on using PHI for marketing. If a covered entity is paid by a third party to send a communication that promotes a product or service, a valid, written authorization is required before PHI is used or disclosed for that purpose.

Marketing

  • Authorization required when financial remuneration is involved.
  • Treatment and care‑coordination communications are permitted, but if subsidized, disclosures must be transparent and limited.
  • Refill reminders and medication adherence notices are allowed with only reasonable, cost‑based payments.
  • Sale of PHI is generally prohibited without authorization, subject to narrow exceptions (e.g., public health reporting).

Fundraising

  • Covered entities may use limited data (e.g., contact details, department of service) for fundraising.
  • Each message must include a clear, no‑cost way to opt out, and opting out cannot affect care or coverage.
  • Maintain a do‑not‑contact list and honor preferences promptly.

Individual Rights Enhancement

The Final Omnibus Rule strengthens individual control over PHI and Electronic Health Information.

Access and format

  • Individuals have the right to electronic copies of PHI in the form and format requested if readily producible, or an agreed alternative.
  • They may direct the covered entity to transmit a copy to a designated third party.
  • Any fee must be reasonable and cost‑based.

Right to restrict disclosures

When an individual pays in full out of pocket for a specific service, they may require the provider to withhold information about that service from the health plan, if the disclosure is solely for payment or operations and not otherwise required by law.

Additional clarifications

  • Timely response to access requests (with limited extension) is required.
  • Disclosures to family or others involved in care are clarified, and protections for decedent information apply for a defined period.
  • Immunization information may be disclosed to a school that is required by law to have it, provided a parent or guardian agrees.

Notice of Privacy Practices Updates

Covered entities and health plans must revise their Notices of Privacy Practices (NPPs) to reflect new rights and restrictions and to explain how PHI may be used or disclosed.

Core NPP updates

  • Statements that authorizations are required for most uses and disclosures of psychotherapy notes, marketing, and any sale of PHI.
  • Disclosure of the individual’s right to opt out of fundraising communications.
  • Notice of the right to request restrictions when services are paid in full out of pocket.
  • Explanation of access rights to Electronic Health Information and the right to receive breach notifications.

Distribution

  • Post and distribute updated NPPs to new patients and make them readily available at service sites and online, as applicable.
  • Health plans must post the revised NPP on their website and include it in the next regular mailing to members after material changes.

Breach Notification Standards

The rule replaces the old “harm standard” with a presumption of breach unless you can demonstrate a low probability that PHI has been compromised based on a documented Breach Risk Assessment.

Conduct a Breach Risk Assessment

  • Nature and extent of PHI involved (types of identifiers and likelihood of re‑identification).
  • Unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (e.g., prompt return, satisfactory assurances, or effective encryption).

Notification and documentation

  • Notify affected individuals without unreasonable delay and no later than the regulatory deadline; notify the Department of Health and Human Services and, for large breaches, prominent media, consistent with existing thresholds.
  • Business associates must notify covered entities of breaches they discover.
  • Maintain records of investigations, assessments, and decisions supporting breach determinations.

Enforcement and Penalties Increase

The Final Omnibus Rule strengthens enforcement and aligns penalty tiers with HITECH, significantly raising Civil Money Penalties for noncompliance.

Penalty tiers and exposure

  • Unknowing violations and those due to reasonable cause: penalties scale with circumstances and diligence.
  • Willful neglect corrected within the required time frame carries substantial penalties.
  • Willful neglect not corrected triggers the highest penalties, up to statutory maximums per violation type, per year.
  • Audits and investigations may consider mitigation efforts, cooperation, and corrective action plans.

Practical safeguards

  • Maintain risk analysis, ongoing risk management, and documented policies and training.
  • Test incident response and breach notification procedures regularly.
  • Monitor Business Associate Agreements and vendor performance to reduce enforcement risk.

Genetic Information Protection Measures

The rule incorporates Genetic Information Nondiscrimination requirements by prohibiting health plans from using or disclosing genetic information for underwriting purposes. Genetic information includes family medical history and results of predictive genetic tests, even when a condition has not manifested.

What plans must do

  • Do not request, require, or purchase genetic information for underwriting or premium decisions.
  • Treat genetic information as PHI with full privacy and security safeguards.
  • Reflect these limits in plan documents and the Notice of Privacy Practices.

Conclusion

The Final Omnibus Rule expands accountability to business associates, tightens restrictions on using PHI for marketing, enhances patient control over Electronic Health Information, mandates clearer NPPs, standardizes breach evaluations, increases Civil Money Penalties, and codifies protections for genetic data. Standing up strong governance, modern security, updated Business Associate Agreements, and responsive patient‑rights workflows is the core of sustainable compliance.

FAQs

What does the Final Omnibus Rule require of business associates?

Business associates are directly liable for safeguarding PHI, complying with the Security Rule, and following key Privacy Rule provisions. They must perform risk analysis, implement safeguards, train workforce members, report breaches to covered entities, support individuals’ access when maintaining designated record sets, and execute Business Associate Agreements with their subcontractors to ensure subcontractor compliance.

How does the rule affect marketing communications?

Using or disclosing PHI for marketing generally requires prior written authorization when there is financial remuneration. Limited treatment‑related communications remain permissible, and refill reminders are allowed with only reasonable, cost‑based payments. The sale of PHI is broadly prohibited without authorization, and all fundraising outreach must include an easy, no‑cost opt‑out.

What individual rights are expanded under the Final Omnibus Rule?

Individuals gain stronger rights to access and receive electronic copies of their PHI, to have PHI sent to a designated third party, and to restrict disclosures to health plans for services paid in full out of pocket. The rule also clarifies timely responses to access requests and protections around disclosures to family members and for decedent information.

When must covered entities comply with the Final Rule?

The Final Omnibus Rule was published on January 25, 2013, took effect on March 26, 2013, and had a general compliance date of September 23, 2013. Certain existing Business Associate Agreements that met transition criteria could be updated by September 23, 2014, if not otherwise renewed or modified during the interim period.
