HIPAA Omnibus Rule Checklist: What Covered Entities Must Provide and Receive
Patient Access to PHI
Your obligations to provide
- Timely access: Provide individuals access to their Protected Health Information (PHI) within 30 calendar days of a request, with one written 30‑day extension if necessary.
- Form and format: Supply PHI in the form and format requested (including electronic) if readily producible; otherwise offer an agreed, readable alternative.
- Fees: Charge only a reasonable, cost‑based fee for copying, supplies, and labor; no per‑page fees for ePHI.
- Verification: Confirm the requester’s identity using reasonable procedures without creating barriers.
- Denials: Issue written denials that cite the basis, describe the right to review (where applicable), and explain how to file a complaint.
What you should receive
- Clear request: A legible, dated request that specifies the scope of PHI and preferred delivery method.
- Direction on delivery: Any instructions for secure transmission (for example, encrypted portal or mail address) and acknowledgment of risk if an individual insists on unencrypted email.
Note: Personal access by the patient does not require Written Authorization; it is a right you must enable and document.
Third-Party Access to PHI
Your obligations to provide
- Designee delivery: When an individual directs you in a signed writing to send PHI to a designated person or entity, you must do so within the same 30‑day timeframe.
- Content control: Disclose only the PHI specified; apply minimum necessary when the request is not an individual‑directed access.
- Format parity: If you maintain ePHI, provide it electronically when requested and readily producible.
What you should receive
- Signed directive: A written, signed instruction that clearly identifies the designee and where to send the PHI.
- Transmission details: The precise address or electronic destination and any special handling instructions.
- Authorization when needed: If the request is not individual‑directed, obtain a HIPAA‑compliant Written Authorization.
Restrictions on PHI Disclosure
Your obligations to provide
- Plan restrictions: Honor an individual’s request to restrict disclosure of PHI to a health plan when the individual pays in full out of pocket for the item or service.
- Minimum necessary: Apply minimum necessary to uses and disclosures not related to treatment.
- Agreed limits: If you agree to any additional restrictions, implement and communicate them across your workforce and systems.
What you should receive
- Specific restriction request: A clear description of the PHI to be restricted and the affected payer(s).
- Proof of payment: Confirmation that the individual paid in full for the restricted service.
Marketing Communications Requirements
Your obligations to provide
- Authorization for marketing: Obtain Written Authorization for any marketing communication, including those for health‑related products or services, when financial remuneration from a third party is involved.
- Permitted exceptions: Face‑to‑face communications and promotional gifts of nominal value do not require authorization; refill reminders and adherence communications are permitted without authorization only where any payment received is reasonably related to the cost of making the communication.
- Transparency: If authorization is required, clearly state the purpose and include Remuneration Disclosure.
What you should receive
- Valid authorization: A signed, time‑limited authorization that describes the information, purpose, recipients, expiration, and the right to revoke.
- Content approvals: Confirmation that all marketing materials reflect the individual’s choices and any applicable limitations.
Sale of PHI Authorization
Your obligations to provide
- Authorization for sale: Do not sell PHI—i.e., disclose it in exchange for direct or indirect remuneration—without a Written Authorization that expressly permits the sale.
- Narrow exceptions: Recognize exceptions such as disclosures for public health, research with reasonable cost recovery, or other permitted purposes that are not sales.
- Disclosure clarity: When authorization is required, include Remuneration Disclosure and describe the anticipated recipients and purposes.
What you should receive
- Explicit permission: A specific, signed authorization that references the sale of PHI, the remuneration, and the right to revoke.
Business Associate Agreement Obligations
Your obligations to provide
- Updated contracts: Execute and maintain Business Associate Agreements (BAAs) that define permitted uses and disclosures, require Security Rule safeguards, and mandate breach reporting to you.
- Downstream coverage: Ensure business associates obtain BAAs with their subcontractors that handle PHI.
- Oversight and termination: Take reasonable steps to address a business associate’s material breach and terminate if unresolved.
What you should receive
- Contract assurances: Signed BAAs that include breach notification terms, minimum necessary provisions, and a commitment to comply with applicable HIPAA standards.
- Incident reports: Prompt breach or security incident notices with details sufficient to meet your Breach Notification Requirements.
Notice of Privacy Practices Provision
Your obligations to provide
- Distribution: Provide the Privacy Practices Notice at first service, post it prominently, and make it available on your website if you have one; offer updates when material changes occur.
- Content updates: Include statements on uses and disclosures requiring authorization (marketing, sale of PHI, certain psychotherapy notes), the right to opt out of fundraising, the right to restrict disclosures to health plans for self‑paid services, and Breach Notification Requirements.
What you should receive
- Acknowledgment: Reasonable efforts to obtain written acknowledgment of receipt (or document why it was not obtained).
Breach Notification Procedures
Your obligations to provide
- Risk assessment: Conduct and document a four‑factor assessment (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated); an impermissible use or disclosure is presumed to be a breach unless the assessment demonstrates a low probability that the PHI has been compromised.
- Timely notices: Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify HHS and, for breaches affecting 500+ residents of a state or jurisdiction, the media within 60 days.
- Notice content: Describe what happened, the types of PHI involved, steps individuals should take, your mitigation efforts, and contact information.
- Business associate flow: Require business associates to notify you without unreasonable delay so you can meet your deadlines.
What you should receive
- Incident details: Sufficient facts from internal teams or business associates to determine scope, affected individuals, and required notifications.
- Proof of dispatch: Records showing when and how notices were sent and any substitute notice methods used.
Enforcement and Penalties
Your obligations to provide
- Compliance evidence: Maintain policies, procedures, training records, sanctions, and risk analyses; retain documentation for at least six years.
- Cooperation: Respond to investigations and audits, implement corrective actions, and track remediation.
What you should receive
- Penalty awareness: Understand the tiered Civil Monetary Penalties structure that increases with culpability, with per‑violation and annual caps adjusted for inflation.
- Guidance and findings: Written findings from regulators, corrective action plans, and deadlines you must meet.
Conclusion
This HIPAA Omnibus Rule checklist distills what you must provide—access, notices, authorizations, breach communications—and what you must receive—valid requests, acknowledgments, BAAs, and incident details. Embed these requirements in daily operations, verify with documentation, and monitor partners so your compliance posture remains defensible.
FAQs
What must covered entities provide under the HIPAA Omnibus Rule?
You must provide timely individual access to PHI, accommodate designated third‑party delivery, honor required restrictions, obtain Written Authorization for marketing and the sale of PHI when applicable, issue a compliant Privacy Practices Notice, maintain Business Associate Agreements, and follow Breach Notification Requirements with complete, on‑time notices.
How long do covered entities have to respond to PHI access requests?
You have 30 calendar days from receipt to fulfill an access request, with one additional 30‑day extension when you provide a written explanation of the delay and a new target date.
What are the requirements for marketing communications under the Omnibus Rule?
Marketing generally requires a Written Authorization, and if you receive financial remuneration from a third party to make the communication, the authorization must include Remuneration Disclosure. Face‑to‑face communications and nominal promotional gifts are exempt; refill reminders are permitted only with cost‑based support.
When must a breach notification be sent to affected individuals?
Send individual breach notifications without unreasonable delay and no later than 60 calendar days after discovery. The notice must include what happened, the types of PHI involved, recommended protective steps, your mitigation actions, and contact information.