HIPAA Omnibus Rule Compliance Checklist: Meet 2013 Deadlines and Ongoing Obligations
Effective Dates and Deadlines
The HIPAA Omnibus Final Rule was published on January 25, 2013, became effective March 26, 2013, and carried a final compliance date of September 23, 2013. Covered entities and business associates were required to meet those 2013 deadlines and continue maintaining compliance thereafter.
Transitional relief applied to certain Business Associate Agreements (BAAs) that were in place as of January 25, 2013 and not renewed or modified between March 26 and September 23, 2013; those could be updated by the earlier of the next renewal date or September 22, 2014. From that point forward, all BAAs needed to meet the Omnibus standards.
- Maintain a compliance calendar that tracks annual or event-driven reviews (risk analysis, policy updates, training) to sustain Security Rule Compliance.
- Retain documentation (policies, risk analyses, BAAs, Notice of Privacy Practices) for at least six years from creation or last effective date.
- Monitor enforcement trends and HITECH Act Penalties to align your program with regulator expectations.
Business Associate Agreement Updates
The Omnibus Rule makes Business Associate Agreements central to compliance. A business associate includes any vendor that creates, receives, maintains, or transmits PHI for you—including cloud service providers—and their downstream subcontractors.
Required BAA elements
- Permitted and required uses/disclosures of PHI, including minimum necessary.
- Obligations to implement administrative, physical, and technical safeguards and meet Security Rule Compliance.
- Prompt reporting of incidents, including PHI Breach Notification obligations, to the covered entity.
- Flow-down terms requiring Subcontractor Agreements that impose the same restrictions and safeguards.
- Termination rights, accounting/return or destruction of PHI when feasible, and access/cooperation for audits.
Update checklist
- Inventory all vendors that handle PHI and confirm BAA status for each.
- Replace legacy indemnity-only language with Omnibus-compliant terms, including breach reporting and risk assessment cooperation.
- Verify subcontractor flow-down and require proof of safeguards (e.g., SOC reports, security attestations).
Notice of Privacy Practices Revisions
Your Notice of Privacy Practices (NPP) must reflect Omnibus Rule changes and be distributed according to your entity type. Providers must post the revised NPP prominently and offer it to new patients; health plans must post online and include the notice in the next annual mailing after a material revision.
What your NPP must now include
- Statements about uses/disclosures that require authorization, including marketing and any sale of PHI.
- A description of PHI Breach Notification practices.
- The right to restrict disclosures to a health plan for items or services paid in full out of pocket.
- Fundraising communications limitations and an easy, no-cost opt-out.
- Health plan notice that genetic information will not be used for underwriting.
Breach Notification and Risk Assessment
The Omnibus Rule establishes a presumption that an impermissible use or disclosure of PHI is a breach unless you demonstrate a low probability of compromise through a documented Four-Factor Risk Assessment.
The four factors
- Nature and extent of PHI involved, including sensitivity and likelihood of re-identification.
- Who used or received the PHI and their obligation to protect confidentiality.
- Whether the PHI was actually acquired or viewed.
- The extent to which risks were mitigated (for example, prompt retrieval or satisfactory assurances of destruction).
Notification requirements
- Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: for 500+ affected in a state/jurisdiction, contemporaneously with individual notice; for fewer than 500, report in aggregate no later than 60 days after the end of the calendar year.
- Media: for incidents affecting 500+ residents of a state/jurisdiction.
Notices must describe what happened, the types of information involved, steps individuals should take, actions you are taking, and contact information. Maintain breach logs and keep risk assessment documentation for at least six years.
Restrictions on Marketing and Sale of PHI
Marketing communications that involve financial remuneration from a third party generally require an individual’s prior authorization. Limited exceptions apply to face-to-face communications and nominal promotional gifts, and to certain treatment-related messages such as refill reminders—where only reasonable, cost-based payments are permitted.
- Obtain valid HIPAA authorizations for paid marketing, clearly describing remuneration.
- Vet all outreach vendors as business associates and ensure Subcontractor Agreements flow down restrictions.
- Prohibit the sale of PHI without express authorization; narrow exceptions exist (for example, public health or research with reasonable, cost-based fees).
Security Rule Implementation
Security Rule Compliance is a continuous program, not a one-time project. You must implement risk-based safeguards that evolve with your systems, vendors, and threat landscape.
Core tasks
- Conduct an enterprise-wide risk analysis and implement risk management plans; repeat after major changes and on a routine cadence.
- Apply administrative, physical, and technical safeguards (access controls, encryption where reasonable and appropriate, audit logging, device/media controls, contingency plans).
- Manage vendors: ensure BAAs, evaluate security, and enforce least-necessary access to PHI.
- Monitor: review audit logs, conduct periodic technical testing, and address findings promptly.
Training and Policy Updates
Train your workforce on updated policies by the compliance date and thereafter whenever responsibilities or policies materially change. Provide role-based training to staff who handle PHI and document attendance, comprehension, and retraining triggers.
- Update privacy, security, and breach response policies to reflect Omnibus standards and your environment.
- Maintain sanctions for noncompliance and document corrective actions.
- Schedule periodic tabletop exercises of incident response and PHI Breach Notification workflows.
- Retain policies, training records, BAAs, risk analyses, and incident documentation for at least six years.
Summary: The HIPAA Omnibus Rule’s 2013 deadlines have passed, but ongoing obligations continue—keep BAAs current, maintain an accurate NPP, use the Four-Factor Risk Assessment, restrict marketing and sale of PHI, harden safeguards under the Security Rule, and sustain a documented training and policy lifecycle to avoid HITECH Act Penalties.
FAQs
What is the HIPAA Omnibus Rule compliance date?
The compliance date was September 23, 2013. The Final Rule was published on January 25, 2013 and took effect March 26, 2013; entities were expected to complete updates by the September 23, 2013 deadline and maintain compliance thereafter.
When must Business Associate Agreements be updated?
BAAs executed or modified on or after September 23, 2013 had to be Omnibus-compliant by that date. Certain BAAs in effect as of January 25, 2013 that were not renewed or modified between March 26 and September 23, 2013 could be updated by the earlier of their renewal date or September 22, 2014. Today, all BAAs must meet Omnibus requirements and flow down to subcontractors.
What are the breach notification requirements?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500+ individuals in a state/jurisdiction, notify HHS and local media at the same time as the individual notices; for fewer than 500, report to HHS annually within 60 days after the year’s end. Document a Four-Factor Risk Assessment for each incident and retain records for six years.
How do the HIPAA Omnibus Rule changes affect marketing PHI?
If a third party pays you for a marketing communication, you generally must obtain an individual’s prior authorization, with limited exceptions (for example, certain refill reminders at only reasonable, cost-based payments). The Rule also prohibits the sale of PHI without authorization, subject to narrow exceptions, and requires that these limits be reflected in your Notice of Privacy Practices and Business Associate Agreements.