HIPAA Omnibus Rule Explained: 2013 Changes, Business Associate Requirements
Effective Date and Compliance Deadline
The HIPAA Omnibus Rule was published on January 25, 2013, took effect on March 26, 2013, and had a general compliance deadline of September 23, 2013. You were expected to update policies, train your workforce, amend Business Associate Agreements, and revise your Notice of Privacy Practices by that date.
A transition period applied to Business Associate Agreements (BAAs) that were in effect before January 25, 2013 and were not renewed or modified between March 26 and September 23, 2013. Those BAAs were deemed compliant until the earlier of the first renewal or modification after September 23, 2013 or September 22, 2014, by which point they had to contain the new required terms.
Expanded Business Associate Definition
The rule broadened who qualifies as a business associate under the HIPAA Privacy Rule. An entity is a business associate if it creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity for a function regulated by HIPAA, even if it never views the data. A cloud provider that stores PHI only in encrypted form and never holds the decryption key is the standard example: persistent storage of the ciphertext is "maintaining" PHI, so the provider is a business associate.
Examples now clearly include Health Information Organizations and health information exchanges, e-prescribing gateways, vendors that provide personal health records on behalf of covered entities, data transmission services with routine access to PHI, and cloud service providers that maintain PHI. “Mere conduits” that do not access PHI other than on a transient basis (such as the postal service) are not business associates.
Direct Liability for Business Associates
Business associates became directly liable for compliance with the HIPAA Security Rule and with specific provisions of the HIPAA Privacy Rule. You must implement safeguards, restrict uses and disclosures to what your BAA permits, honor the minimum necessary standard, support access and amendment rights, and notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (or sooner if the BAA requires it).
Enforcement applies to business associates through Civil Money Penalties under a four-tier structure based on culpability, from "did not know" through "reasonable cause" and "willful neglect, corrected" to "willful neglect, not corrected." As set in 2013, per-violation penalties ranged from $100 to $50,000, with an annual cap of $1.5 million for all violations of an identical provision; HHS has since adjusted these amounts for inflation.
Subcontractor Agreements
The Omnibus Rule extends obligations downstream. If you are a business associate, any subcontractor that creates, receives, maintains, or transmits PHI on your behalf is also a business associate and must sign a written agreement with the same restrictions and conditions you have. Your BAAs must require appropriate safeguards, incident reporting, breach notification timelines, and return or destruction of PHI at termination.
You are responsible for ensuring subcontractor compliance. Due diligence, ongoing oversight, and documented security requirements help you manage risk across your vendor ecosystem.
Security Rule Requirements
Business associates must comply with the HIPAA Security Rule in full. This includes conducting an enterprise-wide risk analysis, implementing risk management plans, training your workforce, and maintaining policies and procedures that cover administrative, physical, and technical safeguards for ePHI.
Practically, you should implement access controls, unique user IDs, audit controls, integrity protections, authentication, and transmission security. Physical and administrative measures—such as facility access controls, device/media controls, contingency planning, and incident response—are equally essential under the HIPAA Security Rule.
Breach Notification Standards
The rule replaced the prior “significant risk of harm” test with a presumption of breach unless you can demonstrate a low probability of compromise. You must perform and document a risk assessment considering four factors: the nature and extent of PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent of mitigation.
Encryption remains a safe harbor: breach notification applies only to "unsecured" PHI, and PHI that is encrypted consistent with HHS guidance (which points to the relevant NIST standards for data at rest and in transit) is not unsecured, provided the decryption key was not also compromised. A lost laptop holding only ciphertext is therefore generally not a reportable breach; the same laptop with the key stored alongside the data is. Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; business associates must notify the covered entity within the same outer limit so it can meet its own obligations.
Updated Notice of Privacy Practices
Covered entities had to revise their Notice of Privacy Practices (NPP) to reflect Omnibus Rule changes. Your NPP must explain new limits and authorizations for marketing and the sale of PHI, the right to be notified following a breach, and fundraising opt-out rights. Health plans must include a statement that they are prohibited from using or disclosing genetic information for underwriting purposes.
The NPP must also describe the right to restrict certain disclosures to a health plan when services are paid out-of-pocket in full and explain how individuals can exercise their updated rights under the HIPAA Privacy Rule.
Expanded Individual Rights
The Omnibus Rule strengthened individual rights. If you maintain PHI electronically, individuals have the right to an electronic copy in the form and format they request, if it is readily producible, and otherwise in a readable electronic form you both agree on. An individual may also direct you to transmit the copy to a designated third party; that direction must be in writing, signed by the individual, and clearly identify the recipient and where to send the copy. Reasonable, cost-based fees may be charged for copies.
Individuals can require you to restrict disclosures of PHI to a health plan regarding an item or service paid in full out-of-pocket, unless another law requires disclosure. They also have a right to receive breach notifications when their unsecured PHI is compromised.
In practice, you should update request workflows, designate formats for ePHI delivery, adjust your minimum necessary policies, and ensure your BAAs, security safeguards, and NPP align with the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule as finalized in 2013.
FAQs
What entities qualify as business associates under the Omnibus Rule?
Any entity that creates, receives, maintains, or transmits Protected Health Information for a covered function on behalf of a covered entity is a business associate. This includes health information exchanges/Health Information Organizations, e-prescribing gateways, cloud service providers that store PHI, data transmission vendors with routine access, vendors offering personal health records on behalf of covered entities, and any subcontractors that handle PHI for a business associate. “Mere conduits” without routine access are not business associates.
How did the breach notification standard change in 2013?
The rule introduced a presumption that an impermissible use or disclosure is a breach unless a documented four-factor assessment shows a low probability of compromise. It eliminated the prior “significant risk of harm” test, retained encryption safe harbor, and requires timely notification—business associates to covered entities without unreasonable delay, and covered entities to affected individuals no later than 60 days after discovery.
What are the new individual rights under the HIPAA Omnibus Rule?
Individuals gained the right to receive electronic copies of their PHI and to have an e-copy sent to a third party of their choice. They also can require you to restrict disclosure of PHI to a health plan for items or services paid out-of-pocket in full and have a right to be notified following a breach of unsecured PHI.