HIPAA Omnibus Rule Compliance Checklist: Breach Notification, NPP, Marketing Limits
This HIPAA Omnibus Rule compliance checklist helps you operationalize breach notification, Notice of Privacy Practices (NPP) updates, and marketing limits across your organization. Use it to align policies, train staff, and document compliance for audits while protecting Protected Health Information (PHI). This content is educational and not legal advice.
Breach Notification Requirements
When a breach is presumed
A breach is presumed whenever unsecured PHI is used or disclosed impermissibly. You may overcome this presumption only by documenting a risk assessment, using a consistent methodology, that shows a low probability that the PHI was compromised.
Four required assessment factors
- Nature and extent of PHI involved (identifiers, sensitivity, reidentification risk).
- The unauthorized person who used the PHI or to whom disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (e.g., prompt retrieval, satisfactory assurances).
Whom to notify and when
- Affected individuals: without unreasonable delay and no later than 60 calendar days after discovery.
- U.S. Department of Health and Human Services (HHS): for 500 or more individuals, within 60 days of discovery; for fewer than 500, no later than 60 days after the end of the calendar year in which the breach was discovered.
- Prominent media: required if 500 or more residents of a state or jurisdiction are affected.
- Law enforcement delay: permitted if a written statement states that notice would impede an investigation or threaten national security.
Notice content checklist
- Brief description of what happened, including the date of breach and discovery.
- Types of PHI involved (e.g., names, diagnoses, Social Security numbers, financial data).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- How to contact you (toll‑free number, email, or postal address).
Method of notification
- First‑class mail to the last known address; email if the individual agreed to electronic notice.
- Substitute notice if contact information is insufficient: for 10 or more individuals, a conspicuous website posting or media notice for at least 90 days.
- For imminent misuse risk, provide telephone or other urgent notice in addition to written notice.
Documentation essentials
- Maintain a breach log, your written risk assessments, decision rationale, and copies of all notices for at least six years.
- Coordinate with Business Associates to ensure timely incident reporting and complete notice content.
Notice of Privacy Practices Updates
Mandatory NPP statements under the Omnibus Rule
- Right to be notified following a breach of unsecured PHI.
- Uses and disclosures that require patient authorization, including most marketing, the sale of PHI, and certain uses of psychotherapy notes.
- Right to restrict disclosure to a health plan when services are paid in full out‑of‑pocket.
- If a health plan, a statement about restrictions on genetic information for underwriting.
- Fundraising disclosure with a clear right to opt out of future solicitations.
Distribution and acknowledgment
- Post the current NPP prominently and provide it at the first service encounter; make it available electronically when applicable.
- Document good‑faith efforts to obtain individual acknowledgment of receipt for direct treatment relationships.
- Retain prior versions and distribution records for at least six years.
Practical update checklist
- Review template language for clarity and plain English.
- Confirm contact channels for privacy complaints and breach inquiries.
- Align NPP provisions with internal policies, forms, and authorization workflows.
Marketing and Fundraising Restrictions
Marketing limits and authorizations
- Marketing communications generally require advance, written patient authorization, especially when a third party provides financial remuneration.
- Exceptions: face‑to‑face communications and promotional gifts of nominal value do not require authorization.
- Refill reminders or communications about a currently prescribed drug or biologic may be permitted if any remuneration is reasonable and related to communication costs.
- The sale of PHI for marketing or other purposes is prohibited without a specific authorization that discloses remuneration.
Fundraising rules you must implement
- You may use limited PHI for fundraising (e.g., demographics, dates of service, department of service, treating physician, outcome information, insurance status).
- Do not use diagnosis or detailed clinical information for targeting unless you have a valid authorization.
- Every solicitation must include a clear, no‑cost, and not‑burdensome opt‑out method; opting out cannot affect care or payment.
- Honor opt‑out preferences across all fundraising channels.
Business Associate Agreement Obligations
Who is a Business Associate
A Business Associate is any person or entity that creates, receives, maintains, or transmits PHI on your behalf, including downstream subcontractors and cloud providers. You must ensure each BA and subcontractor is bound by a written Business Associate Agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Required BAA terms checklist
- Permitted and required uses/disclosures of PHI, including minimum necessary standards.
- Obligation to implement administrative, physical, and technical safeguards aligned with the Security Rule.
- Requirement to report security incidents and breaches to you without unreasonable delay and to provide information you need for notification.
- Flow‑down: BA must ensure subcontractors agree to the same restrictions and conditions.
- Prohibition on sale of PHI and restrictions on marketing without authorization.
- Return or destruction of PHI at termination, if feasible.
- Right to terminate for material breach and requirement to make records available for compliance review.
Oversight actions
- Maintain an up‑to‑date BA inventory and copies of executed agreements.
- Evaluate BA security posture (e.g., encryption, access controls, incident response).
- Define escalation paths and points of contact for breach coordination.
Policy and Procedure Modifications
Privacy and security policy updates
- Revise policies to reflect Omnibus Rule changes on breach notification, NPP content, marketing, fundraising, and sale of PHI.
- Update patient authorization requirements, forms, and revocation processes.
- Strengthen minimum necessary rules, role‑based access, encryption at rest and in transit, and secure disposal.
Incident response and mitigation
- Define steps for detection, containment, four‑factor risk assessment, decision‑making, notifications, and post‑incident review.
- Pre‑stage notification templates and media protocols for large breaches.
- Track corrective actions to reduce recurrence risk.
Enforcement penalties awareness
- Educate leaders on tiered civil monetary penalties, willful neglect findings, and corrective action plans.
- Recognize that states and federal authorities may investigate and enforce; maintain defensible documentation.
Documentation and Employee Training
Role‑based training program
- Teach the Omnibus Rule changes, breach recognition, reporting timelines, NPP updates, and marketing/fundraising limits.
- Provide specialized training for workforce members with elevated access (billing, research, development, fundraising).
- Include Business Associate coordination procedures and minimum necessary standards.
Recordkeeping and attestations
- Maintain training rosters, curricula, completion attestations, sanctions, risk assessments, breach logs, and BAAs for at least six years.
- Audit periodically and remediate gaps; document the evidence of remediation.
Continuous monitoring
- Conduct periodic walk‑throughs, access reviews, and phishing or privacy drills.
- Use metrics (e.g., time to detect, time to notify, opt‑out honoring rate) to drive improvements.
Risk Assessment for Breach Notification
Your Risk Assessment Methodology
- Define a consistent scoring rubric for each of the four factors (e.g., low/medium/high impact and likelihood).
- Apply the rubric to each incident, document evidence, and capture your final determination and rationale.
- If risk is not clearly low, treat the event as a reportable breach and proceed with notification.
Secure technologies and safe harbor
- Encrypt ePHI using strong, industry‑recognized algorithms; properly encrypted data typically is not considered “unsecured.”
- Maintain key management, device controls, and wipe capabilities to reduce acquisition or viewing risk.
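The four-factor rubric, the "not clearly low means reportable" rule, the encryption safe harbor, and the notification deadlines from the breach notification section can be captured in one triage routine. This is an added illustration, not code from the page or from Accountable; the 1/2/3 scoring scale, the rule that only an all-low score counts as "low probability", and the `max_state_residents` field used for the media-notice threshold are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The four Omnibus Rule risk factors. Constructed rubric: 1 = low, 2 = medium, 3 = high.
FACTORS = ("nature_extent", "unauthorized_person", "acquired_or_viewed", "mitigation")

@dataclass
class Incident:
    discovered: date            # first day the incident was, or should have been, known
    affected: int               # individuals whose PHI was involved
    max_state_residents: int    # largest count of affected residents in any single state
    secured: bool               # PHI encrypted per HHS guidance, so it is not "unsecured"
    scores: dict = field(default_factory=dict)   # factor name -> 1..3

def four_factor_assessment(scores: dict) -> str:
    """Assumed rule: 'low' only when every factor is documented and scored low."""
    missing = [f for f in FACTORS if f not in scores]
    if missing:
        # An undocumented factor cannot support a low-probability finding.
        raise ValueError(f"undocumented factors: {missing}")
    return "low" if all(scores[f] == 1 for f in FACTORS) else "not_clearly_low"

def notification_plan(inc: Incident) -> dict:
    """Decide whether the incident is reportable and compute notice deadlines."""
    plan = {"reportable": False, "probability": None, "deadlines": {}}
    if inc.secured:
        # Safe harbor: properly encrypted PHI is not unsecured PHI.
        plan["probability"] = "n/a (secured PHI)"
        return plan
    plan["probability"] = four_factor_assessment(inc.scores)
    if plan["probability"] == "low":
        return plan  # keep the written assessment on file for six years
    plan["reportable"] = True
    sixty_days = inc.discovered + timedelta(days=60)
    plan["deadlines"]["individuals"] = sixty_days
    if inc.affected >= 500:
        plan["deadlines"]["hhs"] = sixty_days
    else:
        # Fewer than 500: within 60 days after the end of the discovery year.
        year_end = date(inc.discovered.year, 12, 31)
        plan["deadlines"]["hhs"] = year_end + timedelta(days=60)
    if inc.max_state_residents >= 500:
        plan["deadlines"]["media"] = sixty_days
    return plan
```

Feed the rubric scores and counts from your breach log into `Incident`; the returned plan documents the determination and the dates the notification templates must be sent by.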
Summary
To operationalize this HIPAA Omnibus Rule compliance checklist, align NPP language, enforce marketing and fundraising limits, strengthen Business Associate oversight, and institutionalize a defensible breach Risk Assessment Methodology. Train your workforce, log decisions, and test your response plans so you can protect PHI and withstand regulatory scrutiny.
FAQs
What constitutes a reportable breach under the Omnibus Rule?
A reportable breach is any impermissible use or unauthorized disclosure of unsecured PHI unless your documented four‑factor assessment shows a low probability that the PHI was compromised. If the assessment does not clearly support a low‑probability finding, you must treat the incident as a breach and notify.
How soon must affected individuals be notified about a breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. “Discovery” occurs on the first day the incident is known—or should reasonably have been known—to your organization.
What are the marketing restrictions under the HIPAA Omnibus Rule?
Most marketing communications require prior written authorization, particularly when a third party finances the message. Exceptions include face‑to‑face communications and nominal promotional gifts. Refill reminders or communications about a currently prescribed drug may be allowed if any remuneration is strictly limited to reasonable communication costs. Selling PHI for marketing or other purposes requires explicit authorization.
How do Business Associate Agreements affect PHI protection?
Business Associate Agreements contractually extend HIPAA protections to vendors that create, receive, maintain, or transmit PHI. BAAs must define permitted uses, require safeguards, mandate prompt incident and breach reporting, flow down obligations to subcontractors, and ensure PHI is returned or destroyed at termination—thereby reinforcing your overall security and compliance posture.