HIPAA Omnibus Rule 2013 Summary: Practical Steps to Achieve Compliance

Kevin Henry

HIPAA

August 19, 2024

The HIPAA Omnibus Rule of 2013 reshaped how you safeguard Protected Health Information across privacy, security, breach notification, and enforcement. This summary translates dense requirements into practical steps you can apply to policies, systems, and Business Associate Agreements.

Use this guide to confirm what changed, what the law expects from covered entities and business associates, and which actions close your gaps—before they become reportable incidents or Civil Monetary Penalties.

Effective Date and Compliance Timeline

The Final Rule took effect on March 26, 2013. HHS set a general compliance deadline of September 23, 2013 for implementing updates across policies, procedures, and Notices of Privacy Practices. Certain existing Business Associate Agreements in place before January 25, 2013 qualified for a transition period until September 22, 2014, provided they were not renewed or modified between March 26 and September 23, 2013.

Action steps

  • Map requirements to owners: privacy officer, security officer, compliance lead, and IT.
  • Inventory all Business Associate Agreements; flag those needing immediate updates versus those that qualified for the transition period.
  • Update policies, workforce training, and documentation to reflect the Omnibus changes by the applicable dates.
  • Complete a holistic Risk Assessment covering administrative, physical, and technical safeguards; document remediation timelines.
  • Revise and distribute your Notice of Privacy Practices and post the current version prominently.

Business Associate Liability and Responsibilities

The Omnibus Rule makes business associates directly liable for compliance with key Privacy and Security Rule provisions and extends those obligations to their subcontractors. You must ensure Subcontractor Compliance by flowing down the same terms through written agreements.

What this means

  • Business associates must implement Security Rule safeguards, restrict uses/disclosures to the minimum necessary, and maintain audit-ready documentation.
  • Written Business Associate Agreements must define permissible uses/disclosures, breach reporting timelines, risk analysis duties, subcontractor flow-down, and termination for cause.
  • Subcontractors that create, receive, maintain, or transmit PHI are business associates too; they carry direct liability and require equivalent agreements.

Action steps

  • Build and maintain a current vendor inventory; categorize by PHI access and criticality.
  • Standardize Business Associate Agreements with explicit Security Rule and breach terms, including incident escalation and cooperation in investigations.
  • Require and verify subcontractor flow-down obligations, with evidence of security controls and training.
  • Establish an annual BA oversight cycle: attestations, security questionnaires, and sample audits.

Breach Notification Requirements

The rule replaces the old “risk of harm” test with a presumption of breach unless you document a low probability of compromise. Your Risk Assessment must, at a minimum, evaluate: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which risks were mitigated.

Notification basics

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media and report to HHS contemporaneously.
  • For fewer than 500 individuals, log and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Breaches of “secured” PHI (for example, strong encryption consistent with guidance) are not reportable.

Action steps

  • Adopt a standard incident intake and triage process; require immediate escalation from workforce and business associates.
  • Use a documented Risk Assessment worksheet aligned to the four-factor test; retain evidence for each decision.
  • Pre-draft notification templates and establish a 60-day countdown with internal deadlines.
  • Encrypt ePHI at rest and in transit to leverage the safe harbor and reduce incident impact.

Updated Patient Rights

The Omnibus Rule enhances individual control over PHI. Patients can request electronic copies of ePHI and may direct you to transmit ePHI to a designated third party. They can also require you to restrict disclosure of PHI to a health plan if the service is paid out-of-pocket in full.

What you must enable

  • Timely access: provide access within 30 days (one 30-day extension with written explanation) in the requested electronic format if readily producible.
  • Out-of-pocket restrictions: implement workflows to flag and honor restrictions for specific services/items.
  • Clear opt-outs for fundraising communications and transparent communication about breach notifications.

Action steps

  • Publish an access process that supports secure electronic delivery and designated third-party requests.
  • Configure EHR and billing systems to capture and enforce health plan disclosure restrictions.
  • Train staff on verification, response timelines, fees, and documentation requirements for access requests.

Notice of Privacy Practices Revisions

Your Notice of Privacy Practices must reflect key changes: breach notification duties, the right to restrict disclosures to a health plan for out-of-pocket payments, limits on the sale of PHI, marketing rules, and fundraising opt-outs. Health plans must also state they are prohibited from using genetic information for underwriting.

Action steps

  • Update the Notice of Privacy Practices to include all required statements and Authorization Requirements where applicable.
  • Post the current NPP on your website and at service locations; provide to new patients on or after the compliance date and upon request to existing patients.
  • Version and archive prior NPPs; document the effective date on each notice.

Marketing and Fundraising Restrictions

Marketing communications that involve financial remuneration from a third party generally require prior, written Authorization. Limited exceptions include face-to-face communications and promotional gifts of nominal value. Fundraising may use limited PHI elements, but each message must include a clear, convenient opt-out, and opting out cannot condition treatment or payment.

Action steps

  • Inventory all outreach activities; classify them as treatment, health care operations, marketing, or fundraising.
  • Obtain written Authorization for marketing that involves remuneration; ensure the form meets Authorization Requirements and is specific, time-limited, and revocable.
  • Embed opt-out mechanisms in every fundraising communication and honor opt-outs across all channels.
  • Prohibit the sale of PHI without patient Authorization, and reflect this in policies and Business Associate Agreements.

Enforcement and Penalties

The Omnibus Rule strengthens enforcement and applies the tiered Civil Monetary Penalties structure, ranging from violations a covered entity did not know about to willful neglect. Penalties can reach up to $1.5 million per violation category, per year, with heightened exposure for uncorrected willful neglect and for business associates that fail to meet direct obligations.

Action steps

  • Establish a mature compliance program: ongoing Risk Assessment, risk management plans, workforce training, and documented sanctions.
  • Designate and empower privacy and security officials; conduct periodic internal audits and mock OCR inquiries.
  • Maintain six years of documentation for policies, training, risk analyses, breach assessments, and Notices of Privacy Practices.
  • Test your incident response and notification processes at least annually; close gaps promptly and document corrective action.

In practice, compliance is achievable when you operationalize the rule: keep current Business Associate Agreements, standardize breach Risk Assessment, honor updated patient rights, and embed marketing/fundraising controls. These steps reduce risk and position you to demonstrate compliance under scrutiny.

FAQs

What is the compliance deadline for the HIPAA Omnibus Rule 2013?

The rule became effective on March 26, 2013, with a general compliance deadline of September 23, 2013. Certain Business Associate Agreements in effect before January 25, 2013 could rely on a transition period until September 22, 2014 if unchanged during March 26–September 23, 2013.

How does the rule affect business associate liability?

Business associates are directly liable for compliance with key Privacy and Security Rule provisions and must implement safeguards, limit uses/disclosures, report breaches, and flow down equivalent terms to subcontractors. Subcontractor Compliance is mandatory through written agreements mirroring Business Associate Agreements.

What changes were made to breach notification requirements?

The rule presumes a breach unless you document a low probability of compromise via a four-factor Risk Assessment. You must notify affected individuals within 60 days of discovery, report larger incidents to media and HHS, and log smaller breaches for annual reporting. Secured (properly encrypted) PHI is generally exempt from notification.

How must covered entities update their Notice of Privacy Practices?

You must revise the Notice of Privacy Practices to include statements on breach notification, out-of-pocket disclosure restrictions, marketing and sale-of-PHI limits, and fundraising opt-outs. Health plans must add a statement prohibiting the use of genetic information for underwriting. Post the updated notice and provide it to new patients and upon request.
