HIPAA Omnibus Rule (January 2013) Explained: Key Changes and Requirements


Kevin Henry

HIPAA

August 26, 2024

7 minute read

The HIPAA Omnibus Rule finalized in January 2013 reshaped how you handle Protected Health Information (PHI) across privacy, security, enforcement, and breach notification. Below, you’ll find the key changes and practical steps to meet the requirements while honoring the Minimum Necessary Standard.

Breach Notification Procedures

Presumption of breach and Risk Assessment

An impermissible use or disclosure of PHI is now presumed to be a breach unless you demonstrate a low probability that the PHI was compromised. You must conduct and document a Risk Assessment that considers, at minimum, these factors:

  • Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, through retrieval or robust encryption).

Timelines, thresholds, and content

Notify affected individuals without unreasonable delay and no later than 60 days after discovery. For incidents affecting 500 or more individuals in a state or jurisdiction, you must also provide media notice and notify the appropriate federal authorities. For fewer than 500 individuals, you must log incidents and submit them annually.

Notices must be written in plain language and include a description of what happened, the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and contact methods. Use first-class mail or email if the individual has agreed to electronic communications; provide substitute notice when contact information is insufficient.

Business associate reporting duties

Business associates must report breaches to covered entities without unreasonable delay, supplying the information needed for the covered entity to notify affected individuals and regulators. Apply the Minimum Necessary Standard throughout your response to contain exposure.

Business Associate Liability

Who is a business associate now

The Rule expands “business associate” to include entities that create, receive, maintain, or transmit PHI on your behalf, including data storage providers and cloud services—even if they only store encrypted PHI. Subcontractors that handle PHI for a business associate are also business associates.

Direct compliance obligations

Business associates are directly liable for compliance with the HIPAA Security Rule and for certain Privacy Rule provisions, including uses and disclosures of PHI, breach notification, and adherence to the Minimum Necessary Standard. They must implement administrative, physical, and technical safeguards proportionate to the risks they face.

Business Associate Agreements

Update your Business Associate Agreements to reflect Omnibus Rule requirements. Effective BAAs typically address:

  • Permitted and required uses/disclosures of PHI and prohibition on unauthorized uses.
  • Implementation of safeguards and Security Rule compliance, including risk analysis and risk management.
  • Prompt breach reporting and cooperation in incident investigations.
  • Subcontractor flow-down obligations and monitoring.
  • Support for individual rights (access, amendment, and, where applicable, accounting of disclosures).
  • Return or destruction of PHI at termination and ongoing protections if destruction is infeasible.

Marketing and Fundraising Restrictions

Marketing communications and remuneration

Marketing generally requires an individual’s authorization if you or your business associate receive financial remuneration from a third party. Limited exceptions remain, such as face-to-face communications and promotional gifts of nominal value. Refill reminders and adherence communications are permitted without authorization when any payment received is reasonably related to the cost of the communication.

Sale of PHI

The sale of PHI is prohibited without individual authorization. “Sale” includes disclosure for direct or indirect remuneration, with narrow exceptions (for example, public health and research cost-recovery scenarios). Ensure your processes flag any arrangement that could constitute a sale.

Fundraising

Fundraising messages must include a clear, easy opt-out that you must honor. You may use limited information for fundraising—such as demographic details, department of service, treating physician, and outcome—but you must still observe the Minimum Necessary Standard and respect opt-outs.

Individual Rights Expansion

Electronic access and third-party transmission

Individuals have the right to access their PHI in the requested electronic format if readily producible, and to have you transmit a copy directly to a designated third party. You must respond within 30 days (with one 30-day extension if needed) and may charge only reasonable, cost-based fees.

Restrictions for out-of-pocket payments

When an individual pays in full out-of-pocket for a service, they may require you to refrain from disclosing information about that service to a health plan. You must accommodate this restriction unless doing so is prohibited by law.

Notice of Privacy Practices

You must revise your Notice of Privacy Practices to explain new rights and uses, including: breach notification duties; restrictions for self-paid services; limits on marketing, fundraising, and sale of PHI; and any changes tied to the Genetic Information Nondiscrimination Act. Make the updated notice available and post it prominently.

Enforcement and Penalties

Civil Money Penalties and willful neglect

The Rule adopts a tiered Civil Money Penalties structure ranging up to $50,000 per violation, capped at $1.5 million per year per violation type. Penalties for willful neglect are mandatory, and corrective action plans often accompany settlements.

Practical compliance posture

Prioritize a living compliance program: document risk analyses, train your workforce, manage vendors, test incident response, and regularly audit access logs. Demonstrable diligence and timely mitigation are central to reducing enforcement exposure.

Genetic Information Protections

Integration of the Genetic Information Nondiscrimination Act

The Omnibus Rule implements the Genetic Information Nondiscrimination Act by clarifying that genetic information is PHI and restricting health plans from using or disclosing genetic information for underwriting. Genetic information includes genetic tests, family medical history, and requests for or receipt of genetic services.

Operational implications

Update your policies to classify genetic information appropriately, train staff on its handling, and ensure health plan underwriting workflows exclude genetic data. Reflect these limits in your Notice of Privacy Practices and Minimum Necessary procedures.

Compliance Deadlines

Key dates to remember

  • Final rule publication: January 25, 2013.
  • Effective date: March 26, 2013.
  • General compliance date: September 23, 2013 (including updated Notice of Privacy Practices and revised BAAs).
  • Grandfathered BAAs: Agreements in place before January 25, 2013, and not modified between March 26 and September 23, 2013, could be updated by September 22, 2014.

Summary

The HIPAA Omnibus Rule tightened breach standards, expanded Business Associate liability, narrowed marketing and sale-of-PHI permissions, strengthened individual rights, increased penalties, and added genetic information protections. Embed these requirements into your policies, Business Associate Agreements, training, and technical safeguards to protect PHI and reduce regulatory risk.

FAQs

What changes did the HIPAA Omnibus Rule introduce for business associates?

Business associates—and their subcontractors—became directly liable for Security Rule compliance and key Privacy Rule provisions. They must conduct risk analyses, implement safeguards, follow the Minimum Necessary Standard, and report breaches promptly. BAAs must flow down obligations to subcontractors and address breach reporting, safeguards, and PHI return or destruction.

How does the rule affect breach notification requirements?

The Rule presumes a breach following any impermissible use or disclosure of PHI unless a documented Risk Assessment shows a low probability of compromise. You must notify affected individuals without unreasonable delay and within 60 days, with additional media and regulator notifications for incidents involving 500 or more individuals.

What rights were expanded for individuals by the Omnibus Rule?

Individuals gained the right to electronic access to their PHI and to direct a copy to a third party, stronger control over disclosures to health plans when services are paid out-of-pocket in full, and clearer notice through an updated Notice of Privacy Practices that explains breach duties, marketing and fundraising limits, and genetic information protections.
