HIPAA Omnibus Rule 2013 Summary: Compliance Checklist and Best Practices
The HIPAA Omnibus Rule (2013) finalized sweeping updates to the Privacy, Security, Enforcement, and Breach Notification Rules. It expands liability to business associates, tightens the Breach Notification Rule, restricts marketing and the sale of Protected Health Information (PHI), incorporates the Genetic Information Nondiscrimination Act (GINA), and requires refreshed Notice of Privacy Practices (NPPs). Use this summary to align your policies, Business Associate Agreements, training, and Compliance Risk Assessments with the rule’s requirements.
Omnibus Rule Overview
What the rule changed
The Omnibus Rule strengthens patient privacy rights and clarifies obligations across the HIPAA framework. Key themes include a presumption of breach for impermissible uses/disclosures of unsecured PHI, direct liability for business associates and their subcontractors, explicit limits on marketing and sale of PHI, and GINA-based prohibitions on using genetic information for underwriting. It also standardizes enforcement through a tiered HIPAA Penalty Structure and mandates updates to your Notice of Privacy Practices.
Compliance checklist at a glance
- Update and execute Business Associate Agreements (including with subcontractors) that reflect Omnibus requirements.
- Document a breach risk assessment methodology and incident response workflow aligned to the four-factor test.
- Revise policies to restrict marketing and prohibit the sale of PHI without valid authorization.
- Incorporate GINA prohibitions on using genetic information for underwriting and treat genetic data as PHI.
- Refresh your Notice of Privacy Practices to include new rights, authorizations, and breach notification statements.
- Conduct and document enterprise-wide Compliance Risk Assessments and workforce training to operationalize changes.
Best practices
- Adopt minimum-necessary, role-based access; encrypt PHI in motion and at rest; and centralize vendor risk management.
- Use playbooks and checklists for onboarding vendors, handling incidents, and executing breach notifications on time.
- Align internal audit cycles to test Privacy, Security, and Breach Notification Rule controls at least annually.
Business Associate Liability
Direct liability and scope
The rule makes business associates (and their subcontractors) directly liable for compliance with the Security Rule and relevant Privacy Rule provisions. Business associates must implement safeguards, limit uses/disclosures to what is permitted, support individual rights as applicable, and report breaches of unsecured PHI to the covered entity without unreasonable delay.
Business Associate Agreements (BAAs)
BAAs must be updated to:
- Describe permitted and required uses/disclosures of PHI and prohibit uses not authorized by the agreement or law.
- Require administrative, physical, and technical safeguards to protect PHI and to comply with the Security Rule.
- Mandate prompt breach reporting, cooperation, and documentation of risk assessments and mitigation steps.
- Flow down BAA obligations to subcontractors that create, receive, maintain, or transmit PHI.
- Provide for return or destruction of PHI at termination, when feasible, and allow HHS access for compliance reviews.
Vendor management practices
- Inventory all vendors; classify which are business associates; and maintain executed, current BAAs.
- Assess vendor security controls routinely and track remediation of gaps.
- Map data flows so you know what PHI each business associate handles and for which purposes.
Breach Notification Requirements
Presumption of breach and four-factor analysis
Any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you demonstrate a low probability of compromise based on a documented four-factor assessment:
- Nature and extent of PHI involved (types of identifiers and likelihood of re-identification).
- Unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (e.g., recipient attests to destruction, robust encryption).
If the documented analysis does not support a low probability of compromise, treat the incident as a reportable breach and issue the required notifications.
Timelines and methods
- Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery.
- Media: If a breach affects 500 or more residents of a single state or jurisdiction, notify prominent media in that area within 60 days.
- HHS: For breaches affecting 500 or more individuals, notify contemporaneously with individual notice; for fewer than 500, log and report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
- Substitute notice: If contact information is insufficient or out of date, use substitute written, electronic, web posting, or media notice as applicable.
Operational controls
- Encrypt PHI to qualify for the “secured PHI” safe harbor; unencrypted PHI is presumed unsecured.
- Standardize incident intake, triage, and evidence logging to support the Breach Notification Rule clock.
- Pre-draft notification templates and executive approvals to accelerate timely, accurate communications.
Marketing and Sale of PHI
Marketing restrictions
Marketing generally requires an individual’s valid authorization when a third party provides financial remuneration for the communication. Exceptions include face-to-face communications and promotional gifts of nominal value. Treatment-related communications (such as refill reminders) may be permitted with only reasonable, cost-based remuneration and clear opt-out instructions.
Sale of PHI prohibitions
Sale of PHI is prohibited without an individual’s authorization. “Sale” includes disclosures where the covered entity or business associate directly or indirectly receives remuneration in exchange for PHI. Limited exceptions apply (for example, public health activities, research with reasonable cost-based fees, or customary payments for data processing on behalf of the covered entity) but must be documented and justified.
Genetic Information Nondiscrimination Act Compliance
GINA integration
The Omnibus Rule treats genetic information as PHI and implements the Genetic Information Nondiscrimination Act within HIPAA. Health plans are prohibited from using or disclosing genetic information for underwriting purposes. “Genetic information” includes genetic tests of individuals and family members and family medical history.
Steps to comply
- Classify genetic information as PHI and apply minimum-necessary access controls.
- Configure plan underwriting workflows to exclude any use of genetic information.
- Train staff on what constitutes genetic information and how to handle such data.
Notice of Privacy Practices Updates
Required NPP content
- State that certain uses and disclosures require authorization, including marketing, sale of PHI, and most uses of psychotherapy notes.
- Explain the right to be notified following a breach of unsecured PHI.
- Describe the right to restrict disclosures to a health plan when the individual pays out of pocket in full for a service or item.
- If applicable, describe fundraising communications and the right to opt out of further fundraising.
- Reinforce access rights, including the right to obtain an electronic copy of PHI when maintained electronically.
Distribution and posting
- Providers: Post the updated NPP in a prominent location, make it available to all patients, and provide to new patients at first service after the update.
- Health plans: Provide the revised NPP in the next annual mailing or during the next enrollment cycle, and post it on any plan website.
Enforcement and Penalties
HIPAA Penalty Structure
The enforcement rule uses a four-tier structure keyed to culpability, with per-violation amounts ranging from $100 up to $50,000 and an annual cap of $1.5 million per violation category (subject to periodic inflation adjustments). Willful neglect that is not corrected draws the highest penalties. Civil penalties may be accompanied by corrective action plans and monitoring.
Enforcement posture and documentation
- HHS may initiate compliance reviews and must investigate when a possible willful neglect violation is indicated.
- Business associates are directly subject to civil and, in some cases, criminal penalties for impermissible uses and disclosures of PHI.
- Strong documentation—policies, training, risk analyses, BAAs, incident logs, and mitigation records—demonstrates due diligence and can reduce enforcement exposure.
Governance and ongoing Compliance Risk Assessments
- Perform and update enterprise-wide risk analyses that cover Privacy, Security, and Breach Notification Rule controls.
- Map data, systems, and vendors; remediate findings; and track metrics such as incident mean-time-to-notify and BAA coverage.
- Engage leadership through a privacy and security committee to review metrics and approve improvements.
Conclusion
The HIPAA Omnibus Rule (2013) modernized HIPAA by expanding accountability to business associates, clarifying breach response, restricting marketing and sale of PHI, integrating GINA, and updating the NPP. By executing robust BAAs, tightening incident response, refreshing notices and policies, and sustaining rigorous risk assessments, you can meet the rule’s requirements and improve privacy and security across your organization.
FAQs
What are the key compliance deadlines of the HIPAA Omnibus Rule?
The final rule took effect on March 26, 2013, with a general compliance date of September 23, 2013. Certain existing Business Associate Agreements executed on or before January 25, 2013—and not renewed or modified between March 26, 2013 and September 23, 2013—could be updated by the earlier of their renewal/modification date or September 22, 2014. For health plans, GINA-related underwriting prohibitions applied to plan years beginning on or after September 23, 2013.
How does the rule affect business associate responsibilities?
Business associates (and their subcontractors) are directly liable for Security Rule compliance and applicable Privacy Rule obligations. They must implement safeguards, limit uses and disclosures to what contracts and HIPAA permit, report breaches of unsecured PHI to covered entities without unreasonable delay, and flow down protections via Business Associate Agreements to any subcontractors handling PHI.
What are the breach notification timelines required?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. For incidents affecting 500 or more individuals, you must also notify HHS contemporaneously and notify prominent media if 500 or more residents of a single state or jurisdiction are affected. For breaches affecting fewer than 500 individuals, log them and report to HHS no later than 60 days after the end of the calendar year in which they were discovered.
How must Notice of Privacy Practices be updated under the rule?
Your NPP must add statements that certain uses/disclosures require authorization (marketing, sale of PHI, most psychotherapy notes), that individuals have a right to be notified following a breach of unsecured PHI, and that individuals may restrict disclosures to a health plan when they pay in full out of pocket. If you engage in fundraising communications, the NPP must disclose that activity and the right to opt out. You should also clarify the right to obtain an electronic copy of PHI when maintained electronically.