HIPAA Omnibus Rule Explained: What Covered Entities Are Provided With
This guide clarifies the key protections, responsibilities, and enforcement tools that shape your day‑to‑day privacy and security operations under the HIPAA Omnibus Rule. You will see how the rule strengthens safeguards for Protected Health Information (PHI), expands accountability to vendors, and sets clear expectations for breach response.
Expanded Business Associate Liability
The Omnibus Rule makes business associates—and their subcontractors—directly liable for compliance with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. If a vendor creates, receives, maintains, or transmits PHI for you, they are a business associate with independent obligations, not just contractual ones.
What changed
- Direct liability for uses and disclosures of PHI not permitted by HIPAA, for failing to provide breach notifications, and for inadequate safeguards.
- “Flow‑down” requirements: subcontractors of business associates must sign Business Associate Agreements and meet the same standards.
- Security Rule application: risk analysis, risk management, workforce training, and technical, physical, and administrative safeguards now apply to business associates.
What you must update in Business Associate Agreements
- Specify permitted uses/disclosures, breach reporting timelines, and required risk assessments.
- Require subcontractor compliance and right‑to‑audit or attestations as appropriate.
- Mandate safeguards for ePHI, including access controls, audit logs, and appropriate encryption where reasonable and appropriate.
- Define incident response coordination and documentation retention (e.g., six years for required records).
Practically, you should inventory vendors, confirm they qualify as business associates, execute or refresh Business Associate Agreements, and monitor ongoing compliance—not just at onboarding but throughout the relationship.
Enhanced Patient Rights
The Omnibus Rule strengthens individual control over PHI and improves transparency. You must ensure your processes deliver timely access and honest, understandable notices.
Key enhancements
- Right of access to electronic copies: when you maintain PHI electronically, you must provide an electronic copy in the format requested if readily producible, or in a mutually agreeable format.
- Right to direct PHI to a third party: upon a patient’s written request, send an electronic copy to a designated person or app.
- Cost‑based fees only: you may charge a reasonable, cost‑based fee limited to labor for copying, supplies, postage (if mailed), and any agreed‑upon summary. Retrieval or access fees are not permitted.
- Right to restrict disclosures to a health plan: if the individual pays out‑of‑pocket in full, you must honor a request to withhold that item or service from the health plan, absent legal requirements to disclose.
- Updated Notice of Privacy Practices: your NPP must reflect marketing and sale‑of‑PHI rules, fundraising opt‑out, and a statement about your breach notification duties.
Operational steps
- Map where ePHI resides, standardize fulfillment channels, and meet the general 30‑day access timeline (with one allowable extension when necessary).
- Publish a clear fee methodology and train staff to apply it consistently.
- Flag out‑of‑pocket restrictions in your EHR/payer workflows to prevent unauthorized health plan billing or data sharing.
- Revise and redistribute your NPP; document staff training on the updates.
Stricter Marketing and Fundraising Regulations
The Omnibus Rule narrows when you may use PHI for marketing and tightens the rules for fundraising. Many communications that involve third‑party financial remuneration now require an individual’s prior authorization.
Marketing
- Authorization required when promoting a product or service if a third party pays you to make the communication, with limited exceptions (for example, certain prescription refill reminders with only reasonable remuneration).
- Treatment and care coordination communications that are not paid promotions may proceed under the Privacy Rule without authorization, but apply the minimum necessary standard for non‑treatment operations.
- Sale of PHI is prohibited without a valid authorization, subject to narrow exceptions (such as public health or research with reasonable cost‑recovery).
Fundraising
- You may use limited PHI (for example, demographic information and dates of service) for fundraising, but every solicitation must provide a clear, simple opt‑out.
- Opt‑outs must be honored, and the opt‑out method may not place an undue burden on the individual; you may not condition treatment or payment on fundraising participation.
Action checklist
- Review all sponsored outreach for “financial remuneration” and obtain authorizations where required.
- Standardize opt‑out language and mechanisms across mail, email, and SMS.
- Log and honor opt‑out preferences across all marketing and development systems.
Genetic Information Protections
The Omnibus Rule incorporates the Genetic Information Nondiscrimination Act by defining genetic information as PHI and restricting its use and disclosure for underwriting purposes by health plans. Genetic tests, family medical history, and information about genetic services fall within this protected category.
What this means for you
- Treat genetic information as PHI subject to the Privacy and Security Rules, including minimum necessary and access controls.
- Exclude genetic information from underwriting activities such as eligibility determinations or premium calculations.
- Update policies, notices, and training to reflect these limits; evaluate research workflows to ensure de‑identification or proper authorization where applicable.
Increased Penalties and Enforcement
The enforcement landscape is stronger under the Omnibus Rule. The enforcement framework of the HHS Office for Civil Rights uses tiered civil monetary penalties that scale with culpability, and “willful neglect” can trigger mandatory investigations and higher penalties.
How enforcement shows up
- Proactive audits and complaint‑driven investigations focused on risk analysis, access controls, and timely patient access.
- Resolution agreements and corrective action plans that require sustained remediation and monitoring.
- Potential actions by state attorneys general, in addition to federal oversight.
Readiness practices
- Maintain a current enterprise‑wide risk analysis and risk management plan; repeat when technologies, systems, or threats change.
- Train your workforce routinely and document completion and sanctions for noncompliance.
- Harden vendor management: due diligence, Business Associate Agreements, and proof of safeguards.
- Retain required HIPAA documentation for at least six years from the last effective date.
Breach Notification Requirements
The Omnibus Rule establishes a presumption of breach when unsecured PHI is impermissibly used or disclosed, unless you can demonstrate a low probability that the PHI was compromised based on a documented risk assessment.
Risk assessment factors
- The nature and extent of PHI involved, including sensitivity and likelihood of re‑identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which risk has been mitigated (for example, recipient attestation and verified destruction).
Timelines and notifications
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- For 500 or more individuals in a state or jurisdiction, notify prominent media and report to HHS contemporaneously, and no later than 60 days after discovery.
- For fewer than 500 individuals, report to HHS within 60 days after the end of the calendar year in which the breaches were discovered.
- Business associates must notify the covered entity without unreasonable delay, providing identities of affected individuals and other details to support notices.
Securing PHI
- Use encryption and destruction methods consistent with HHS guidance; PHI secured in this way is not “unsecured PHI,” so its compromise does not trigger the Breach Notification Rule.
- Maintain incident response playbooks, contact lists, and notice templates; test them through tabletop exercises.
Summary for covered entities
The Omnibus Rule equips you with clearer authority and obligations: hold vendors accountable through robust Business Associate Agreements, deliver swift patient access and transparent notices, obtain authorizations for paid promotions, treat genetic information with heightened care, stay audit‑ready, and respond to incidents with disciplined risk assessments and timely notifications.
FAQs
What are the main provisions of the HIPAA Omnibus Rule?
The rule expands business associate liability, enhances patient rights to electronic access and restrictions, tightens marketing and fundraising rules (including limits on sale of PHI), protects genetic information from underwriting uses, increases penalties and oversight through the HHS Office for Civil Rights, and clarifies breach notification through a presumption of breach and a standardized risk assessment.
How does the rule affect business associates?
Business associates are directly subject to the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. They must implement safeguards, perform risk analyses, train their workforce, report breaches to covered entities, and ensure their subcontractors sign Business Associate Agreements and comply as well.
What patient rights are enhanced under the HIPAA Omnibus Rule?
Patients can obtain electronic copies of their PHI, direct you to send a copy to a third party, expect only reasonable cost‑based fees for copies, request restrictions that prevent health plan disclosure when they pay in full out‑of‑pocket, and receive updated Notices of Privacy Practices that explain marketing, fundraising opt‑outs, and your breach duties.
What are the breach notification requirements?
If unsecured PHI is impermissibly used or disclosed, you must presume a breach and conduct a four‑factor risk assessment. Notify affected individuals without unreasonable delay and no later than 60 days, notify HHS (and, for large incidents, the media), and maintain annual reporting for smaller breaches. Business associates must promptly inform covered entities and supply the details needed for notifications.