HIPAA Omnibus Rule Requirements and Compliance Date: What Covered Entities Must Do

Kevin Henry

HIPAA

August 20, 2024

If you handle protected health information (PHI), you need a precise view of the HIPAA Omnibus Rule's requirements and compliance dates and of what covered entities must do. This guide clarifies the key dates, direct liability for business associates, prohibited PHI disclosures, expanded individual rights, and the operational updates you must complete under the HIPAA Privacy Rule and HIPAA Security Rule.

You will also find practical steps to update Business Associate Agreements, strengthen Incident Response Plans, and conduct Subcontractor Compliance Evaluation so your organization can demonstrate compliance and reduce enforcement risk and Civil Monetary Penalties.

HIPAA Omnibus Rule Effective Date

Effective date at a glance

The HIPAA Omnibus Final Rule took effect on March 26, 2013. The rule consolidated and implemented statutory changes from HITECH and GINA across the HIPAA Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.

What the effective date meant for you

Although the regulation became effective on March 26, 2013, HHS provided a 180‑day period for implementation. This window allowed covered entities and business associates to update policies, processes, and contracts before enforcement of most requirements.

Compliance Deadline for Covered Entities and Business Associates

Compliance date

The general compliance deadline for both covered entities and business associates was September 23, 2013. By that date, you were expected to fully implement required safeguards, workflows, and documentation under the HIPAA Privacy Rule and HIPAA Security Rule.

Operational focus areas to meet the deadline

  • Refresh risk analysis, tighten access controls, and document technical, physical, and administrative safeguards for ePHI.
  • Adopt the Omnibus breach standard (presumption of breach unless a documented risk assessment shows a low probability of compromise) and integrate it into Incident Response Plans.
  • Revise Notices of Privacy Practices to reflect marketing, sale of PHI, fundraising, and new individual rights.
  • Update Business Associate Agreements and ensure PHI disclosures to and from vendors meet minimum necessary and contract limits.
  • Deliver workforce training on new and revised policies; record attendance and comprehension.

Compliance Deadline for Business Associate Agreements

Standard deadline for new or modified BAAs

Any Business Associate Agreements (BAAs) newly executed or modified on or after March 26, 2013 had to be Omnibus‑compliant by September 23, 2013. This included updated definitions, security requirements, breach reporting, and flow‑down obligations.

Transition rule for existing BAAs

Grandfathered BAAs that were in place before January 25, 2013—and not altered between March 26, 2013 and September 23, 2013—could remain in effect until the earlier of their renewal/modification date or September 22, 2014. After that, all BAAs had to meet Omnibus terms.

How to get BAAs right

  • Inventory every active BAA, confirm the contract date and last modification, and calendar renewal deadlines.
  • Embed breach notification timing, risk assessment cooperation, and minimum necessary limits for PHI disclosures.
  • Mandate subcontractor flow‑down and require documented Subcontractor Compliance Evaluation before data sharing.
  • Standardize indemnification, audit, and termination-for-cause clauses aligned with your risk appetite.
  • Store executed agreements centrally and retain for no less than six years from the last effective date.

Direct Liability of Business Associates

Privacy and security obligations that apply directly

  • Full compliance with the HIPAA Security Rule for ePHI (risk analysis, safeguards, and documentation).
  • Permitted uses and disclosures only as authorized by the HIPAA Privacy Rule and the BAA; apply the minimum necessary standard.
  • Timely breach notification to the covered entity and cooperation with the risk assessment and mitigation process.
  • Providing access to PHI, amendments, and accounting of certain PHI disclosures when the BAA or law requires.
  • Executing BAAs with subcontractors that create, receive, maintain, or transmit PHI and overseeing their compliance.

Enforcement consequences

Business associates face direct enforcement and Civil Monetary Penalties for violations, including willful neglect. OCR may also require corrective action plans and ongoing monitoring in resolution agreements.

Prohibited Uses and Disclosures of PHI

Key prohibitions and authorization requirements

  • Sale of PHI without a valid authorization, subject to narrow exceptions (e.g., public health, research cost recovery).
  • Marketing communications in exchange for financial remuneration unless an authorization is obtained (with limited exceptions such as face‑to‑face communications or nominal promotional gifts).
  • Use of genetic information by health plans for underwriting purposes.
  • Use or disclosure of psychotherapy notes without a specific authorization, except for limited purposes permitted by HIPAA.
  • Failure to honor an individual’s request to restrict PHI disclosures to a health plan when the individual pays in full out‑of‑pocket for the item or service.
  • Any PHI disclosures that exceed the minimum necessary standard or fall outside a permitted use or valid authorization.

Expanded Individual Rights

Electronic access and designated third parties

Individuals have the right to receive an electronic copy of their PHI in the form and format requested if readily producible. They may also direct you to transmit the copy to a designated third party.

Restrictions for self‑pay services

If a patient pays in full out‑of‑pocket, they can require you to restrict PHI disclosures to their health plan for that item or service, provided the disclosure is not otherwise required by law.

Notice of Privacy Practices and transparency

Your NPP must explain uses and disclosures for marketing, the sale of PHI, fundraising communications (with a clear opt‑out), breach notification duties, and these expanded rights to access and restriction.

Required Updates for Covered Entities

Policy, process, and technical changes

  • Update privacy and security policies to reflect Omnibus definitions, uses and disclosures, and breach assessment criteria.
  • Revise Business Associate Agreements and confirm downstream agreements; perform periodic Subcontractor Compliance Evaluation.
  • Refresh Security Rule risk analysis; harden authentication, encryption, and audit logging for ePHI.
  • Reissue the Notice of Privacy Practices and update intake forms to capture electronic access requests and restrictions.
  • Enhance Incident Response Plans with breach triage, PHI inventorying, risk assessment factors, and notification timelines.
  • Train the workforce on new rules (marketing, sale of PHI, fundraising, minimum necessary, and access workflows) and document completion.
  • Tighten accounting for PHI disclosures where required and maintain records to support audits and investigations.
  • Implement governance: assign owners, set metrics, and schedule periodic testing of controls and vendor oversight.

Conclusion

The Omnibus Rule set firm dates—effective March 26, 2013, with a September 23, 2013 compliance deadline (and a BAA transition through September 22, 2014). By aligning contracts, PHI disclosures, security controls, and patient rights, you reduce risk and prepare for OCR scrutiny, including potential Civil Monetary Penalties.

FAQs

What is the HIPAA Omnibus Rule compliance deadline for covered entities?

The general compliance deadline was September 23, 2013. By that date, covered entities and business associates were expected to have implemented all required privacy, security, and breach‑notification changes.

When must business associate agreements be updated under the HIPAA Omnibus Rule?

BAAs executed or modified on or after March 26, 2013 had to be compliant by September 23, 2013. BAAs in place before January 25, 2013 that were not modified between March 26, 2013 and September 23, 2013 could remain until renewal/modification or no later than September 22, 2014.

What are the new individual rights introduced by the HIPAA Omnibus Rule?

Key additions include the right to receive electronic copies of PHI (and direct transmission to a third party) and the right to restrict PHI disclosures to a health plan for items or services paid in full out‑of‑pocket. The rule also strengthened transparency via updated Notices of Privacy Practices.

What penalties apply for violations of the HIPAA Omnibus Rule?

OCR enforces a four‑tier Civil Monetary Penalties structure, with per‑violation amounts ranging from $100 to $50,000 depending on culpability, plus annual caps per violation category. Remedies can include corrective action plans and monitoring in addition to monetary penalties.
