HIPAA Omnibus Rule Updates: Privacy, Security, and Breach Notification Requirements
Breach Notification Procedures
Determining whether an incident is a breach
Under the HIPAA Omnibus Rule, any impermissible use or disclosure of Protected Health Information (PHI) is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI was compromised. Use a structured, four-factor analysis that considers the nature and sensitivity of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Establish clear intake channels so employees can escalate suspected incidents quickly. Your incident response team should secure systems, preserve evidence, and begin the risk assessment immediately, then decide whether notification is required based on the documented findings.
Breach Notification Timelines and recipients
When notification is required, act without unreasonable delay, following the Breach Notification Timelines. Provide notice to affected individuals and, depending on the scale and location of the breach, to the Department of Health and Human Services and, for large regional events, to prominent media outlets. Maintain substitute notice procedures for situations where contact information is insufficient.
Each notice must explain what happened, what types of PHI were involved, steps individuals should take, what your organization is doing to investigate and prevent further harm, and how to reach you. Keep copies of all notices, press materials, and submission confirmations to support future audits.
Documentation and continuous improvement
Maintain a breach log, the underlying Risk Assessment Protocols, and remediation records. Trend the root causes of incidents to drive targeted training, technology hardening, and vendor oversight. After-action reviews should update playbooks and clarify decision thresholds for future events.
Privacy Rule Enhancements
Strengthened individual rights
The HIPAA Omnibus Rule expands patient rights to access and receive electronic copies of their PHI and to request restrictions on disclosures to health plans when services are paid out of pocket in full. Your procedures should make it simple for individuals to submit requests and for staff to respond within defined timeframes.
Authorization for Marketing and sale of PHI
Authorization for Marketing is required when a third party provides financial remuneration for a communication about a product or service. The rule also restricts the sale of PHI without prior authorization, with narrow exceptions. Review all outreach, patient engagement, and sponsorship arrangements to confirm the correct authorization language and recordkeeping.
Fundraising, underwriting, and sensitive categories
Fundraising communications must be limited to permissible data elements and include a clear, easy opt-out that does not affect care. Health plans may not use genetic information for underwriting decisions, and you must apply heightened protections for psychotherapy notes and other specially sensitive records.
Minimum necessary and data minimization
Reinforce the minimum necessary standard by tightening role-based access, masking unneeded data fields, and aligning workflows so only essential PHI is used. Data minimization reduces exposure in daily operations and during Office for Civil Rights (OCR) Audits.
Security Safeguards Implementation
Administrative safeguards
Begin with an enterprise risk analysis that inventories systems, data flows, and threat scenarios. Define policies for access, acceptable use, change management, vendor oversight, sanctions, and incident response. Train your workforce regularly and test comprehension with scenario-based exercises.
Physical safeguards
Control facility access, secure workstations, and protect devices with screen locks, cable locks, and secure storage. Apply procedures for device disposal and media reuse, ensuring PHI is irretrievably destroyed or sanitized before redeployment.
Technical safeguards and encryption
Implement unique user IDs, strong authentication, and automatic logoff. Monitor with audit controls and integrity checks, and secure transmission channels. Encryption of PHI in transit and at rest, backed by sound key management, reduces both the likelihood and the impact of a breach and supports safe harbor considerations when properly deployed.
Operational hardening and monitoring
Harden endpoints and servers with timely patching, configuration baselines, and application allowlisting. Use network segmentation, data loss prevention, and continuous log monitoring to detect anomalous activity early. Validate backups routinely and practice restoration to meet recovery objectives.
Enforcement and Penalty Framework
How enforcement works
The Office for Civil Rights investigates complaints, self-reports, and breach submissions, and may open compliance reviews. Outcomes range from technical assistance and corrective action plans to monetary settlements and ongoing monitoring, depending on the severity and remediation posture.
The Four-Tier Penalty System
Penalties align with culpability under a Four-Tier Penalty System, from violations where the entity did not know and, with reasonable diligence, could not have known, to willful neglect that is uncorrected. Caps are set per violation category and adjusted periodically. Demonstrable good-faith efforts, rapid containment, and comprehensive remediation weigh heavily in enforcement decisions.
Reducing enforcement risk
Maintain current risk analyses, documented mitigation, and a functioning compliance program. Prompt self-reporting, transparent cooperation, and swift corrective actions can significantly reduce exposure and help avoid protracted oversight.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Notice of Privacy Practices Revisions
Content requirements
Your Notice of Privacy Practices (NPP) must clearly explain permissible uses and disclosures, individual rights, how to exercise those rights, and the duty to safeguard PHI. It should describe complaint options and specify how you will contact individuals about breaches or important updates.
Updating and distributing the NPP
Revise the NPP when laws, operations, or contact information change. Post the current version in prominent locations and on your website, offer paper copies on request, and ensure the effective date appears on the notice. Train front-line staff on how to explain key provisions and capture patient acknowledgments where applicable.
Accessibility and retention
Provide translations and accessible formats for populations you serve. Retain prior versions and distribution records according to your record retention schedule to demonstrate compliance during audits or investigations.
Risk Assessment and Mitigation Strategies
Establishing Risk Assessment Protocols
Adopt Risk Assessment Protocols that are repeatable and evidence-based. Define scope, rating scales for likelihood and impact, and criteria for determining whether residual risk is acceptable. Map data flows for PHI across systems, locations, and vendors to illuminate hidden exposures.
From findings to action
Translate findings into a prioritized risk register with owners, due dates, and measurable outcomes. Typical mitigations include access reductions, encryption upgrades, multi-factor authentication, segmentation, and enhanced monitoring. Validate closure with tests and artifacts, not just policy updates.
Testing, metrics, and continuous improvement
Exercise your incident response and disaster recovery plans through tabletop and technical simulations. Track metrics like patch compliance, time to detect and contain incidents, and training completion rates. Use lessons learned to refresh policies, technology standards, and vendor requirements.
Audit readiness
Prepare an “audit binder” with current policies, training logs, risk analyses, mitigation evidence, and recent evaluation results. Being ready for Office for Civil Rights (OCR) Audits improves consistency and shortens response times during inquiries.
Business Associate Compliance Obligations
Direct liability and scope
Business associates and their subcontractors are directly liable for Security Rule compliance and for certain Privacy Rule obligations. They must use or disclose PHI only as permitted by the Business Associate Agreement (BAA) or as required by law, and must report breaches to the covered entity promptly.
Essential elements of the BAA
BAAs should define permitted uses, minimum necessary standards, safeguards, breach reporting timelines, subcontractor flow-down, access and amendment support, return or destruction of PHI, and the right to audit. Include requirements for encryption, logging, and secure software development where applicable.
Subcontractors and downstream assurance
Flow down the same obligations to subcontractors that create, receive, maintain, or transmit PHI. Conduct due diligence before onboarding, require security attestations, and verify performance through assessments, documentation reviews, or independent audits.
Operational oversight and continuous monitoring
Set measurable security and privacy KPIs in contracts, require timely incident notifications, and review them during vendor governance meetings. Document findings and remediation to demonstrate ongoing stewardship of PHI across the vendor ecosystem.
Conclusion
The HIPAA Omnibus Rule updates raise the bar for safeguarding PHI by tightening breach analysis, strengthening privacy rights, and enforcing robust security controls. By aligning policies, technology, and vendor management—and by operationalizing risk management—you reduce incident likelihood, meet Breach Notification Timelines, and minimize enforcement exposure.
FAQs
What are the key changes in the HIPAA Omnibus Rule?
The rule presumes an impermissible disclosure is a breach unless a documented risk assessment shows low probability of compromise; it strengthens individual rights to access and restrict disclosures; tightens Authorization for Marketing and sale-of-PHI rules; and holds business associates directly liable. It also clarifies enforcement through a Four-Tier Penalty System and elevates expectations for Security Rule implementation.
How does the rule affect business associates?
Business associates must implement administrative, physical, and technical safeguards, limit uses and disclosures to what the BAA permits, and report incidents and breaches to covered entities. They must flow down obligations to subcontractors and can face investigations, corrective action plans, and monetary penalties for noncompliance.
What are the breach notification requirements?
After confirming a breach, notify affected individuals without unreasonable delay and within the established timelines, include required content elements, and send notice to federal authorities and, for large regional events, to media outlets. Maintain a comprehensive breach log, Risk Assessment Protocols, and remediation evidence to substantiate your decisions during audits or investigations.