HIPAA Omnibus Rule Guide: Privacy, Security, and Breach Notification Updates


Kevin Henry

HIPAA

August 27, 2024

7 minutes read

HIPAA Omnibus Rule Overview

The HIPAA Omnibus Rule, finalized in 2013, implemented major provisions of the HITECH Act and strengthened protections for Protected Health Information (PHI) across the Privacy, Security, and Breach Notification Rules. It expanded who is directly regulated, tightened Breach Notification standards, and imposed new limits on the use and disclosure of PHI, including for marketing and fundraising. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html?utm_source=openai))

At a practical level, the Rule requires you to reassess how PHI flows through your organization, refresh policies, and update Notice of Privacy Practices and Business Associate Agreements to reflect new obligations and rights. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html?utm_source=openai))

Applicability to Business Associates

The Omnibus Rule makes Business Associates—and their subcontractors that create, receive, maintain, or transmit PHI—directly liable for compliance with HIPAA. The definition of “business associate” explicitly includes downstream subcontractors and certain data transmission and health information network services. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

Cloud service providers that handle electronic PHI are Business Associates even when the data they store is encrypted and they do not hold the decryption key; they must enter into Business Associate Agreements (BAAs) and comply with the Security Rule. This closes the historical “conduit” gap and ensures Technical Safeguards apply throughout the information lifecycle. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html?utm_source=openai))

Your BAAs must include the core elements in 45 CFR 164.504(e), such as permitted uses/disclosures, breach reporting duties, downstream subcontractor requirements, and a commitment to implement appropriate safeguards. Many organizations add stricter breach-reporting timelines and role clarity for notifications. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.504?utm_source=openai))

Breach Notification Requirements

An impermissible use or disclosure of PHI is presumed to be a breach unless you can show a low probability that the PHI was compromised, using a documented risk assessment that considers four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who received or used it; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS (immediately for breaches affecting 500 or more individuals, and annually for smaller breaches); and notify the media for large local or regional incidents. Business Associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery, supplying the information the covered entity needs to prepare individual notices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Encryption and proper media destruction can place incidents outside the Breach Notification Rule (“safe harbor”) by rendering PHI unusable, unreadable, or indecipherable consistent with HHS guidance (for example, NIST SP 800-111 for data at rest). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html?utm_source=openai))

Marketing and Fundraising Restrictions

Marketing that uses PHI generally requires an individual’s authorization—especially if there is direct or indirect financial remuneration from a third party. Exceptions include face‑to‑face communications and promotional gifts of nominal value. The Rule also restricts the “sale of PHI,” which requires specific authorization. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html?utm_source=openai))

For fundraising, a covered entity (or its Business Associate/institutionally related foundation) may use limited PHI without authorization—demographics, dates of care, department of service, treating physician, outcome information, and health insurance status—provided each solicitation includes a clear, conspicuous, and not‑unduly‑burdensome opt‑out and the choice is honored. ([ecfr.io](https://ecfr.io/Title-45/Section-164.514?utm_source=openai))


Enforcement and Penalties

HIPAA has a tiered civil monetary penalty structure that scales with culpability, and penalty amounts are adjusted for inflation. OCR also considers “recognized security practices” (for example, NIST-based frameworks and 405(d) practices) implemented for at least 12 months when determining fines, audit results, or other remedies. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

OCR enforces compliance through investigations, settlements, and compliance audits conducted under an audit protocol updated to reflect the Omnibus Rule; federal oversight has recommended broadening those audits to better cover physical and Technical Safeguards. A robust Security Risk Analysis and ongoing risk management remain central to demonstrating due diligence. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?utm_source=openai))

Updates to Breach Notification Rule

The Omnibus Rule replaced the prior “risk of harm” trigger with a presumption of breach that applies unless you can demonstrate a low probability of compromise using the four‑factor risk assessment. Because the presumption now runs against you, consistent and well-documented Risk Assessment is crucial whenever an impermissible use or disclosure occurs. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

  • Document your four‑factor assessment for each incident and retain evidence supporting your decision.
  • Train workforce members on timely reporting and your notification workflow.
  • Align incident response, Security Risk Analysis, and mitigation steps with your policies and BAAs.

Proposed Changes to HIPAA Security Rule

HHS/OCR has issued a Notice of Proposed Rulemaking (Dec. 27, 2024) to modernize the Security Rule. While current requirements remain in effect, the proposal would add specificity and raise the floor for cybersecurity controls across covered entities and Business Associates. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

Key proposals you should anticipate

  • Make formerly “addressable” implementation specifications required (with limited exceptions) and require written documentation of policies, procedures, plans, and analyses.
  • Mandate a technology asset inventory and a network map showing ePHI flows, reviewed at least annually and after significant changes.
  • Strengthen Security Risk Analysis with explicit written components (threats, vulnerabilities, predisposing conditions, likelihood/impact risk levels).
  • Require encryption of ePHI at rest and in transit and multi‑factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least annually; require network segmentation and standardized secure configuration (e.g., anti‑malware, removal of extraneous software, disabling unnecessary ports).
  • Enhance contingency and incident response planning, including written procedures to restore systems/data within 72 hours and to test and update plans periodically.
  • Institute annual compliance audits by regulated entities; require Business Associates (and their subcontractors) to verify deployment of Technical Safeguards annually and to notify upstream entities within 24 hours of activating a contingency plan; and require prompt notification (within 24 hours) when a workforce member’s access to ePHI changes or is terminated.

As of today, these requirements are proposed; monitor OCR rulemaking and prepare gap assessments so you can move quickly if the rule is finalized. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))

In sum, the Omnibus Rule elevated privacy and security expectations, widened accountability to Business Associates, and recalibrated Breach Notification through a structured Risk Assessment. Maintain a living Security Risk Analysis, update BAAs, implement strong Technical Safeguards, and rehearse incident response so you can meet current obligations and adapt to forthcoming changes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))

FAQs

What entities are affected by the HIPAA Omnibus Rule?

The Rule applies to covered entities (health plans, most providers, and clearinghouses) and directly to Business Associates and their subcontractors that create, receive, maintain, or transmit PHI on their behalf. Examples include cloud service providers, billing vendors, consultants, and other service partners handling PHI; all must have compliant Business Associate Agreements and implement required safeguards. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

How does the Omnibus Rule change breach notification requirements?

It establishes a presumption that an impermissible use or disclosure is a breach unless a documented four‑factor risk assessment shows a low probability of compromise. It also clarifies who must be notified (individuals, HHS, and in some cases the media) and by when (generally within 60 days of discovery), and sets clear duties for Business Associates to notify covered entities. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

What are the penalties for noncompliance with the HIPAA Omnibus Rule?

OCR applies tiered civil monetary penalties that scale with culpability, with amounts adjusted for inflation. During enforcement, OCR also considers whether you had recognized security practices in place for at least 12 months, which can mitigate penalties and other remedies. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

How does the Rule regulate the use of PHI for marketing purposes?

Using PHI for marketing generally requires the individual’s authorization, and if a third party pays you to make the communication, the authorization must disclose that remuneration. Exceptions allow face‑to‑face communications and nominal‑value promotional gifts. The Rule also restricts the sale of PHI and expands—but constrains—fundraising by requiring clear opt‑outs and limiting the PHI elements used. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html?utm_source=openai))
