HIPAA Omnibus Rule Requirements for Covered Entities and Business Associates
Kevin Henry

HIPAA

August 17, 2024

Definition of Business Associates

The HIPAA Omnibus Rule expands who you must treat as a business associate. A business associate is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity (or of another business associate) for a function or activity regulated by the HIPAA Rules.

Examples include claims processors, billing and coding vendors, EHR and health IT providers, cloud storage and data center services, e-prescribing gateways, Health Information Exchanges, consultants, attorneys, accountants, transcription services, shredding vendors, and analytics firms. The word “maintains” is pivotal: data hosting or backup providers are business associates even if they never actually view the PHI, and the fact that the data is encrypted and the provider holds no key does not change that. The only carve-out is the narrow “conduit” exception for services that merely transmit PHI (for example, an internet service provider or a courier) with only random or transient access to it.

Subcontractors of a business associate that handle PHI are themselves business associates. This “downstream” status brings them under the same requirements and the Breach Notification Rule, closing gaps in the vendor chain.

Direct Applicability of HIPAA Rules

The Omnibus Rule makes business associates directly liable for complying with key provisions of HIPAA. You must limit uses and disclosures of PHI to what your Business Associate Agreement permits or what the law requires, apply the minimum necessary standard, and support covered entities in fulfilling individual rights under the HIPAA Privacy Rule.

Direct liability also includes implementing Security Rule Safeguards for electronic PHI, providing breach notices to the covered entity, disclosing records to the U.S. Department of Health and Human Services during investigations, and refraining from impermissible marketing or sale of PHI without valid authorization.

Business Associate Agreements and Subcontractor Compliance

Business Associate Agreements (BAAs) are the contract backbone of HIPAA compliance. They must spell out permitted uses and disclosures, require appropriate safeguards, and mandate prompt reporting of security incidents and breaches.

  • Flow-down obligations: You must obtain written assurances that your subcontractors will comply with the same restrictions and safeguards, creating enforceable downstream compliance.
  • Access and accountability: BAAs should require you to assist with access, amendment, and accounting of disclosures, and to return or securely destroy PHI at termination when feasible.
  • Oversight and termination: Covered entities must be able to terminate the BAA for material breaches they cannot cure. You should maintain documentation of compliance activities and risk decisions.
  • Agency considerations: Under the Federal Common Law of Agency, if you operate as an “agent” subject to a covered entity’s control, the covered entity may be vicariously liable for your acts within the scope of agency—another reason both parties should define roles and controls clearly.

Breach Notification Requirements

The Breach Notification Rule applies when there is an impermissible use or disclosure of unsecured PHI. Such a use or disclosure is presumed to be a breach unless one of the three regulatory exceptions applies (unintentional, good-faith access by a workforce member acting within their authority; inadvertent disclosure between persons authorized to access PHI at the same entity; or a good-faith belief that the recipient could not reasonably have retained the information) or a documented risk assessment demonstrates a low probability that the PHI was compromised. That assessment must weigh at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

When a breach is discovered, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. A breach counts as discovered on the first day it is known to you, or would have been known had you exercised reasonable diligence, so the clock does not wait for the investigation to finish. If you act as the covered entity’s agent, your discovery is treated as the covered entity’s discovery, and its own 60-day deadline to notify individuals runs from that date. Your notice should enable the covered entity (or you, if delegated) to notify individuals and authorities, and typically includes:

  • A description of what happened, including dates of the breach and discovery.
  • The types of PHI involved (for example, diagnoses, treatment information, or financial data).
  • Steps affected individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact information for follow-up.

If a subcontractor experiences a breach, it must notify you so you can meet your obligations to the covered entity. PHI is “secured” only when it has been rendered unusable, unreadable, or indecipherable by a method in HHS guidance: encryption consistent with the NIST standards the guidance cites (NIST SP 800-111 for data at rest; NIST SP 800-52, 800-77, or 800-113 for data in transit), with the decryption key never having been compromised, or destruction of the media (for example, per NIST SP 800-88). An incident involving only secured PHI is not a reportable breach; encryption that is weak, misconfigured, or whose key was exposed alongside the data does not qualify.

Enforcement and Penalties

Enforcement is led by the HHS Office for Civil Rights. The Omnibus Rule strengthened Civil Monetary Penalties through a four-tier structure that scales with culpability—ranging from violations where you did not know and could not reasonably have known, up to willful neglect not corrected. Penalty amounts are substantial and adjusted for inflation, with annual caps by tier.

Outcomes may include resolution agreements, corrective action plans, and ongoing monitoring. OCR can consider factors such as the nature and extent of the violation, the harm caused, timeliness of breach notification, and evidence of risk analysis and mitigation. State attorneys general may also bring actions, and contractual liability under your BAA remains in play.

Vicarious liability principles under the Federal Common Law of Agency can affect covered entities when business associates act as their agents, emphasizing the importance of clear governance and documented, risk-based oversight.

Security Rule Compliance

Business associates must implement the Security Rule safeguards for electronic PHI. A risk-based program is required, not a one-size checklist: the rule’s required specifications must be implemented, and for each addressable specification you must either implement it or document why an alternative is reasonable and appropriate. You should document these decisions and monitor the controls over time.

  • Administrative safeguards: enterprise-wide risk analysis and risk management, workforce training and sanctions, policies and procedures, contingency planning, vendor management, and incident response.
  • Physical safeguards: facility access controls, device and media controls, secure disposal, workstation security, and environmental protections.
  • Technical safeguards: unique user identification, role-based access and least privilege, multi-factor authentication where feasible, audit controls and log review, integrity controls, encryption and decryption of stored ePHI (an addressable specification under access control), and transmission security (encryption in transit).

Effective encryption and key management reduce breach risk and can qualify data as secured PHI. Routine testing, patching, and third-party assessments validate that safeguards operate as intended.
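The two passages above on secured PHI (under Breach Notification Requirements and here) both turn on the same practical point: encryption only takes an incident out of breach reporting if it is a recognized algorithm, applied correctly, with the key kept apart from the data. The following Go program is an added example written for this page, not code from the original article or from Accountable, and it assumes a hypothetical record identifier and a constructed patient record. It encrypts an ePHI record with AES-256-GCM (an authenticated mode approved in NIST SP 800-38D), binds the ciphertext to its record ID through the associated data, and shows that any tampering with the stored blob, a mismatched record ID, or the wrong key makes decryption fail rather than silently return garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDataKey returns a fresh 256-bit key. In production the key comes from a
// KMS or HSM and is never written next to the ciphertext; the storage layer
// holds only the blob produced by EncryptPHI.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (for example the record ID) is authenticated but not encrypted, so a blob
// copied under a different record ID will not decrypt.
func EncryptPHI(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per record; never reuse a nonce under the same key.
	// Rotate the key well before nonce collisions become plausible.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptPHI reverses EncryptPHI. GCM verifies the tag before returning any
// plaintext, so a modified blob, wrong aad, or wrong key yields an error.
func DecryptPHI(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and hypothetical record ID; not real PHI.
	record := []byte(`{"patient":"Jane Doe","dob":"1970-01-01","dx":"E11.9"}`)
	recordID := []byte("record-id:42")

	blob, err := EncryptPHI(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (nonce+ciphertext+tag)\n", len(blob))

	// Flip one bit of the stored blob: authentication fails, nothing is returned.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptPHI(key, blob, recordID); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01

	// Correct key and record ID recover the record.
	pt, err := DecryptPHI(key, blob, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))
}
```

The point for the breach analysis is the separation between `NewDataKey` and the stored blob: if an attacker obtains the blob but not the key, the PHI is secured; if the key was stored in the same bucket, database, or backup that was exposed, it is not, and the incident must go through the four-factor risk assessment.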

Covered Entity Obligations

Covered entities remain responsible for overall HIPAA compliance and for ensuring their vendor ecosystem is under contract and risk-managed. You should inventory all vendors that handle PHI, execute updated BAAs, and confirm that downstream subcontractors are contractually bound.

  • Governance and oversight: apply risk-based due diligence when onboarding vendors, evaluate incident reports, and take steps to cure known patterns of noncompliance—or terminate the BAA if cure is not feasible.
  • Privacy operations: uphold the HIPAA Privacy Rule’s minimum necessary standard, manage individual rights, and update Notices of Privacy Practices as required.
  • Security integration: align your own Security Rule Safeguards with those of your business associates, share threat intelligence where appropriate, and coordinate contingency plans.
  • Documentation: maintain BAAs, risk assessments, training records, incident files, and decisions that demonstrate a mature compliance program.

In practice, the HIPAA Omnibus Rule requirements unify covered entities and business associates under a shared, risk-based framework: contract for clear roles, implement robust safeguards, assess and report incidents promptly, and maintain documentation that proves your program works.

FAQs

What entities are considered business associates under the HIPAA Omnibus Rule?

Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity for HIPAA-regulated functions is a business associate. This includes cloud storage and hosting providers, billing firms, EHR and IT vendors, Health Information Exchanges, consultants, attorneys, shredding and scanning services, and analytics companies. Subcontractors that handle PHI for a business associate are also business associates.

How does the Omnibus Rule affect subcontractors?

Subcontractors that handle PHI inherit business associate status and must sign Business Associate Agreements with the upstream business associate. The same privacy, security, and Breach Notification Rule obligations “flow down,” creating enforceable downstream compliance throughout the vendor chain.

What are the breach notification timelines for business associates?

You must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. Your notice should provide the facts needed for individual and regulatory notifications, and subcontractors must notify you so you can meet this timeline.

What penalties exist for noncompliance with the Omnibus Rule?

HHS may impose tiered Civil Monetary Penalties that scale with the level of culpability, along with corrective action plans and monitoring. Penalty amounts are significant and adjusted for inflation, and state attorneys general may also pursue actions. Contractual remedies under BAAs can apply in parallel.
