HIPAA Omnibus Rule 2013: Executive Summary and Key Requirements
The HIPAA Omnibus Rule 2013 finalized sweeping updates to the Privacy, Security, Enforcement, and Breach Notification Rules. It strengthens protections for protected health information (PHI), expands direct liability to business associates and their subcontractors, and clarifies when you must notify individuals and regulators after a breach. This executive summary distills the key requirements you need to operationalize.
Effective Date and Compliance Deadline
The final rule was published on January 25, 2013, took effect on March 26, 2013, and carried a firm compliance deadline of September 23, 2013. A narrow transition period applied to certain existing business associate agreements (BAAs) that allowed updates no later than September 22, 2014, if specific conditions were met.
What this means for you:
- Confirm your compliance posture as of September 23, 2013, is documented and auditable.
- Verify that any BAA relying on the transition provision was updated by September 22, 2014, or earlier if renewed or modified.
- Retain evidence of policy updates, training, and risk analyses aligned to the rule’s effective timelines.
Covered Entities and Business Associates
The rule reaffirms that covered entities include health plans, health care clearinghouses, and most providers who transmit health information electronically. It also expands who is directly regulated by treating business associates—and their business associate subcontractors that create, receive, maintain, or transmit PHI—as directly liable for compliance with key HIPAA provisions.
Direct liabilities for business associates now include:
- Implementing administrative, physical, and technical safeguards under the Security Rule.
- Using and disclosing PHI only as permitted by the Privacy Rule and the BAA.
- Reporting breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 calendar days after discovery (the BAA may set a shorter deadline).
- Ensuring any subcontractor agrees in writing to the same restrictions that apply to the business associate.
Breach Notification Requirements
The Omnibus Rule replaces the earlier "significant risk of harm" test: any impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. To rebut that presumption you must conduct and document a four-factor risk assessment that evaluates: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated.
Notification standards you must follow:
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- Notify the Department of Health and Human Services (HHS). For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days after discovery; for smaller breaches, keep a log and submit it to HHS within 60 days after the end of the calendar year in which the breaches were discovered. For incidents involving 500 or more residents of a state or jurisdiction, also notify prominent media outlets serving that area.
- Have your business associates notify you promptly so you can meet the 60-day outer limit.
- Remember the encryption safe harbor: if PHI is secured consistent with HHS guidance (for example, encrypted with a validated algorithm such that it is unusable, unreadable, or indecipherable to unauthorized persons), and the decryption key was not itself compromised, the incident does not involve unsecured PHI and notification is not required. Lost keys, keys stored alongside the data, or data exposed in decrypted form on a compromised system do not qualify.
Marketing and Use of PHI Restrictions
The rule tightens marketing authorization requirements. If a communication about a product or service is marketing and you receive financial remuneration from a third party, you generally must obtain the individual’s prior authorization. Limited exceptions remain, such as face-to-face communications and promotional gifts of nominal value.
Additional restrictions you must implement:
- Sale of PHI is prohibited without a valid authorization, subject to narrow exceptions (for example, public health or research cost-recovery scenarios).
- Fundraising communications must include a clear, easy opt-out that you honor.
- Genetic information nondiscrimination: genetic information is PHI, and health plans (other than issuers of long-term care policies) may not use or disclose it for underwriting purposes.
Enforcement Penalties and Compliance
HHS strengthened enforcement and civil monetary penalties with a tiered structure keyed to the level of culpability. Penalties are assessed per violation and capped at $1.5 million per calendar year for violations of an identical provision (2013 amounts; HHS has since adjusted them for inflation):
- Did not know: $100–$50,000 per violation.
- Reasonable cause: $1,000–$50,000 per violation.
- Willful neglect, corrected: $10,000–$50,000 per violation.
- Willful neglect, not corrected: $50,000 per violation.
Willful neglect violations that are not corrected within 30 days of discovery are subject to mandatory penalties. To demonstrate compliance, maintain a current enterprise-wide risk analysis, implement and track a risk management plan, update policies and procedures, train your workforce, apply and document sanctions, and retain evidence of each of these steps for at least six years. That documentation is what positions you to withstand audits and investigations.
Individual Rights Under the Rule
The Omnibus Rule enhances individual electronic access to PHI held in a designated record set. If you maintain the PHI electronically and the individual requests an electronic copy, you must provide it in the form and format requested if readily producible, or otherwise in a readable electronic form agreed to by the individual. The deadline is 30 days from the request, with one 30-day extension if you notify the individual in writing of the reason and expected completion date; the prior 60-day allowance for records stored offsite was removed. Fees must be reasonable and cost-based, limited to labor for copying, supplies (including any portable media the individual asks for), postage if applicable, and preparation of a summary or explanation if the individual agreed to one.
Other strengthened rights include:
- The right to direct a copy to a designated third party of the individual's choosing, on a signed written request that clearly identifies the recipient and where to send the copy.
- The right to restrict disclosures to a health plan for items or services the individual (or someone other than the plan on the individual's behalf) paid for in full out-of-pocket; unlike other restriction requests, you must agree to this one unless the disclosure is required by law.
- Clear Notice of Privacy Practices updates reflecting new uses, disclosures, and rights under the rule.
Business Associate Agreements Updates
BAAs must now expressly require business associates to comply with the Security Rule, limit uses and disclosures to those permitted by HIPAA and the agreement, report breaches and security incidents, and ensure business associate subcontractors are bound to the same obligations. BAAs should define permitted uses, minimum necessary standards, safeguards, breach reporting timeframes, and termination rights.
Transition provision: written BAAs in place on January 25, 2013 that were not renewed or modified between March 26 and September 23, 2013 could continue temporarily, but had to be updated by the earlier of renewal/modification after September 23, 2013 or September 22, 2014. If you relied on this provision, confirm the agreement history and retain documentation.
Bottom line: the HIPAA Omnibus Rule 2013 tightened breach response, broadened direct liability to business associates and subcontractors, raised enforcement stakes, and expanded individual rights—requiring you to align governance, contracts, and daily operations.
FAQs
What is the HIPAA Omnibus Rule 2013 compliance deadline?
The rule became effective on March 26, 2013, with a compliance deadline of September 23, 2013. Certain pre-existing business associate agreements qualified for a limited transition period, but they still had to be updated no later than September 22, 2014, if the conditions for that extension were met.
What are the key breach notification requirements?
You must presume that an impermissible use or disclosure of unsecured PHI is a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. Notify affected individuals without unreasonable delay and within 60 days of discovery; notify HHS within the same period for breaches of 500 or more individuals, or in an annual log for smaller breaches; and notify the media when a breach affects 500 or more residents of a state or jurisdiction. Business associates must notify covered entities within 60 days of discovery, and PHI that was encrypted consistent with HHS guidance (with the key uncompromised) does not trigger notification.
How does the rule affect business associate agreements?
BAAs must expressly require Security Rule compliance, limit uses and disclosures to those permitted by HIPAA, mandate breach reporting, and flow down all obligations to business associate subcontractors. Business associates are directly liable for compliance failures, and any grandfathered BAAs had to be updated by September 22, 2014, under the transition provision.
What individual rights are enhanced by the HIPAA Omnibus Rule?
The rule strengthens individual electronic access to PHI, including the right to receive an electronic copy within 30 days (with a limited extension), to direct a copy to a third party, and to restrict disclosures to a health plan for services paid out-of-pocket in full. It also requires updated Notices of Privacy Practices that clearly communicate these rights.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.