HITECH and the 2013 Omnibus Rule: Business Associate Requirements

Kevin Henry

HIPAA

August 15, 2024

6 minutes read
HITECH and the 2013 Omnibus Rule reshaped how you manage Business Associate responsibilities under the HIPAA Privacy Rule and HIPAA Security Rule. This guide explains who qualifies as a business associate, where direct liability applies, what a compliant Business Associate Agreement (BAA) must include, how the Breach Notification Rule works, how enforcement occurs, how subcontractors fit in, and the key dates you need to know.

Definition of Business Associate

Under the HIPAA rules (the definition sits in 45 CFR 160.103 and applies to both the Privacy Rule and the Security Rule), a business associate is any person or entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, or of another business associate, to perform a regulated function or service. The 2013 Omnibus Rule confirmed and expanded this scope, most notably by adding subcontractors and entities that merely maintain PHI.

  • Common examples include cloud and IT service providers (including hosted storage), EHR vendors, billing and coding companies, claims processors and TPAs, data analytics firms, health information exchanges, e-prescribing gateways, and transcription and document destruction services.
  • Members of a covered entity's own workforce are not business associates; they are part of the covered entity. A consumer-facing app that handles health data solely at the individual's direction, without acting on behalf of a covered entity, is not a business associate either.
  • Maintaining PHI alone makes a vendor a business associate, even if the data is encrypted, the vendor never views it, and the vendor does not hold the decryption key. The only carve-out is the narrow "conduit" exception for services that merely transmit PHI (a courier, an ISP) and have only transient, incidental access; a cloud storage provider does not qualify because it persistently stores the data. Once a vendor is a business associate, the full HIPAA Security Rule applies to it.

Direct Liability of Business Associates

The Omnibus Rule made business associates directly liable for compliance, not just contractually responsible to covered entities. You face enforcement for specific Privacy and Security Rule violations, independent of any BAA terms.

  • Impermissible uses and disclosures of PHI, including failure to apply the minimum necessary standard where required.
  • Failure to implement the HIPAA Security Rule’s administrative, physical, and technical safeguards, including risk analysis and risk management.
  • Failure to provide breach notification to the covered entity as required by the Breach Notification Rule.
  • Failure to provide access to ePHI to the covered entity (or to the individual, as applicable) and to provide an accounting of disclosures.
  • Failure to disclose PHI to HHS during investigations, compliance reviews, or audits.
  • Failure to enter into BAAs with subcontractors that create, receive, maintain, or transmit PHI, or failure to flow down required obligations.

Business Associate Agreements

A Business Associate Agreement (BAA) is mandatory before any PHI is shared. The BAA operationalizes HIPAA requirements and sets clear, enforceable obligations for both parties.

  • Define permitted and required uses and disclosures of PHI; prohibit any use or disclosure not authorized by the BAA or the Privacy Rule.
  • Require compliance with the HIPAA Security Rule, including risk analysis, workforce training, access controls, audit controls, and contingency planning.
  • Obligate prompt reporting of breaches and security incidents, with specific content and timelines.
  • Mandate that subcontractors sign BAAs with equivalent restrictions and safeguards before they handle PHI.
  • Ensure the business associate makes PHI available for access, amendment, and accounting of disclosures, and cooperates with HHS investigations.
  • Address return or destruction of PHI upon termination, and authorize termination for material breach.

Breach Notification Requirements

Under the Breach Notification Rule (45 CFR 164.410), a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the business associate other than the person who committed it, so the clock starts at first detection, not at the end of an investigation. Where the business associate acts as the covered entity's agent, its discovery is imputed to the covered entity, whose own 60-day deadline to notify individuals then runs from that date. Many BAAs set shorter reporting deadlines (commonly a few days), which you must meet.

  • There is a presumption that an impermissible use or disclosure is a breach unless you demonstrate a low probability that the PHI has been compromised, based on a documented risk assessment considering at least four factors: the nature and extent of the PHI involved (including identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Keep the written assessment; the burden of proof is on the entity asserting that no breach occurred.
  • Your notification to the covered entity must identify, to the extent possible, each individual whose PHI was or is reasonably believed to have been affected, together with any other available information the covered entity needs for its own notices: what happened and when, the types of PHI involved, steps individuals should take, what you are doing to mitigate and prevent recurrence, and contact information. Supplement the notice as details become available rather than holding it until the investigation is complete.
  • PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons through the methods in HHS guidance (encryption consistent with NIST standards, or destruction) is not "unsecured PHI," so the notification rules do not apply to it. The safe harbor is lost if the decryption key was also compromised, for example if the key was stored alongside the encrypted data on the same lost device.

Enforcement and Penalties

The HHS Office for Civil Rights (OCR) investigates complaints, conducts compliance reviews, and runs audits. Outcomes may include resolution agreements with corrective action plans and civil monetary penalties.

  • HITECH established four penalty tiers that scale with culpability, from lack of knowledge, through reasonable cause, to willful neglect that is corrected and willful neglect that is not, with per-violation amounts and annual caps per violation type (the statutory cap is $1.5 million per year per type of violation, adjusted for inflation).
  • Willful neglect triggers mandatory investigation and penalties, and repeated or systemic noncompliance increases financial and operational risk. HITECH also authorizes state attorneys general to bring civil actions on behalf of state residents, so exposure is not limited to OCR.
  • Demonstrable compliance, meaning a current risk analysis, written policies, vendor management, workforce training, and ongoing monitoring, mitigates exposure and supports your defense in an investigation.

Subcontractors as Business Associates

Any subcontractor that creates, receives, maintains, or transmits PHI on your behalf is itself a business associate. The Omnibus Rule subjects these subcontractors to direct HIPAA obligations and to your contractual oversight.

  • Execute BAAs with each subcontractor before they handle PHI, mirroring your own obligations and the Security Rule safeguards.
  • Apply due diligence: assess security posture, review audit reports, require incident and breach reporting, and establish right-to-audit and termination-for-cause provisions.
  • Maintain a documented vendor inventory and a risk-based oversight cadence to manage the full chain of custody for PHI.

Compliance Deadlines

The final Omnibus Rule was published on January 25, 2013, took effect on March 26, 2013, and had a general compliance date of September 23, 2013—the Omnibus Rule Compliance Deadline. Certain BAAs executed before January 25, 2013, and not modified between March 26 and September 23, 2013, benefited from a transition period until the earlier of renewal or September 22, 2014.

As of November 24, 2025, these requirements remain fully in force. Any new or modified BA relationship must be compliant before PHI is exchanged, and BAAs should be reviewed periodically to reflect changes in services, risk, or law.

Summary: The 2013 Omnibus Rule broadened who is a business associate, imposed direct liability, standardized BAA content, tightened breach notification through a presumption of breach, extended obligations to subcontractors, and reinforced consequences through active enforcement. Aligning contracts, safeguards, and vendor oversight keeps you compliant and reduces regulatory and operational risk.

FAQs

What entities are considered business associates under the Omnibus Rule?

Entities that create, receive, maintain, or transmit PHI for a covered entity—or for another business associate—are business associates. Typical examples include IT and cloud providers, EHR vendors, billing and coding services, claims processors and TPAs, data analytics firms, HIEs, e-prescribing gateways, and document destruction or transcription vendors.

How did the 2013 Omnibus Rule change business associate liabilities?

It made business associates directly liable for complying with the HIPAA Security Rule and key provisions of the HIPAA Privacy Rule, required BAAs with subcontractors, adopted a presumption of breach unless low probability of compromise is demonstrated, and strengthened enforcement and penalties for noncompliance.

What are the breach notification requirements for business associates?

You must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI, identifying the affected individuals and supplying the details the covered entity needs for its own notices, with updates as they become available. A documented four-factor risk assessment determines whether an incident is a breach, and PHI encrypted in line with HHS guidance generally falls outside the notification requirement, provided the key was not also compromised.

When must business associate agreements be updated?

BAAs must reflect Omnibus Rule requirements before any PHI is shared and should be updated whenever services, risks, or legal requirements change. Historically, the general compliance date was September 23, 2013, with a limited transition for certain preexisting BAAs until September 22, 2014; today, any new or amended BAAs must be fully compliant upfront.
