Major Component of the Omnibus Rule: Expanding Business Associate Obligations
The HIPAA Omnibus Rule’s major component is the sweeping expansion of business associate obligations across the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule. If your organization creates, receives, maintains, or transmits PHI on behalf of a covered entity, you likely have direct compliance duties—well beyond a simple Business Associate Agreement.
Expanded Definition of Business Associate
The Omnibus Rule broadened who qualifies as a business associate to include any entity that creates, receives, maintains, or transmits PHI for a covered entity. “Maintains” and “transmits” are pivotal—cloud storage, hosted platforms, and PHI transmission services with routine access are in scope, even if PHI is encrypted and the vendor never views it.
Who is in scope
- Cloud service providers and data centers that store or maintain PHI.
- Health Information Organizations and health information exchanges.
- E-prescribing gateways and similar routing services with routine PHI access.
- Personal health record vendors when offering services to covered entities.
- Analytics, billing, and document management vendors handling PHI.
The conduit exception
By contrast, mere conduits—like postal services or telecom carriers that only transfer PHI without routine access—are generally not business associates. If a service involves more than transient, random access to the PHI it transmits, the conduit exception does not apply.
Direct Liability of Business Associates
Under the Omnibus Rule, business associates are directly liable for violations of the HIPAA Security Rule and specific provisions of the HIPAA Privacy Rule. Liability no longer flows only through the covered entity; regulators can enforce directly against you.
Areas of direct liability
- Failure to implement required administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule.
- Uses or disclosures of PHI not permitted by the HIPAA Privacy Rule or your Business Associate Agreement.
- Failure to provide breach notification to the covered entity under the Breach Notification Rule.
- Failure to provide access to PHI, cooperate with HHS investigations, or account for disclosures when required.
- Failure to ensure subcontractor compliance by executing appropriate downstream agreements.
- Not applying the minimum necessary standard when using, disclosing, or requesting PHI.
Subcontractor Agreements
The Rule requires “flow-down” protections. Any subcontractor that creates, receives, maintains, or transmits PHI on your behalf becomes a business associate in its own right and must sign a written agreement mirroring your obligations—this is the core of subcontractor compliance.
What the agreement should cover
- Permitted and required uses/disclosures of PHI consistent with the Privacy Rule.
- Safeguards aligned to the Security Rule, including risk analysis, access controls, and audit readiness.
- Prompt reporting of incidents, including breaches, so you can notify the covered entity.
- Individual rights support (access, amendment, and accounting of disclosures when applicable).
- Return or destruction of PHI at termination, and HHS inspection rights.
- Termination for material breach and ongoing cooperation with investigations.
Beyond contract language, conduct due diligence: evaluate security posture, restrict PHI sharing to the minimum necessary, and verify that each subcontractor can meet Breach Notification Rule timelines.
Minimum Necessary Standard Compliance
Business associates must limit PHI to the minimum necessary to accomplish the task. This is not optional; it is a core Privacy Rule principle reinforced by the Omnibus Rule.
Practical implementation
- Adopt role-based access so workforce members see only what they need.
- Use limited data sets or de-identification when full identifiers are unnecessary.
- Constrain PHI transmission to essential elements; log disclosures for accountability.
- Apply retention schedules so PHI is not kept longer than required.
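The following is an added Python example (not code from this page or from Accountable) showing how the four practices above can be enforced on a single disclosure path: a per-role allow-list implements role-based access and the minimum necessary standard, a limited-data-set filter strips direct identifiers, every release is written to an accounting-of-disclosures log, and a retention schedule purges expired log entries. The sample record, field names, roles, and the six-year retention period are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample PHI record; names and values are made up for this example.
PATIENT_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "email": "jane@example.invalid", "dob": "1980-04-12", "zip": "02139",
    "diagnosis": "J45.20", "claim_amount": 412.50,
}

# Role-based allow-lists (assumed for illustration): each role receives only the
# fields its task needs, so the minimum necessary standard is enforced in code.
ROLE_FIELDS = {
    "billing": {"mrn", "diagnosis", "claim_amount"},
    "clinician": {"name", "mrn", "dob", "diagnosis"},
    "analyst": {"dob", "zip", "diagnosis"},  # analysts work from a limited data set
}

# Direct identifiers stripped before PHI is released as a limited data set.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email"}

# Assumed retention period for accounting-of-disclosures entries.
ACCOUNTING_RETENTION = timedelta(days=6 * 365)


def limited_data_set(record):
    """Remove direct identifiers; dates and ZIP codes may stay in a limited data set."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def disclose(record, role, purpose, log, today):
    """Release only the role's permitted fields and append an accounting entry.

    `today` is an ISO date string so calls are reproducible; `log` is the
    accounting-of-disclosures list the business associate retains.
    """
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no allow-list defined for role {role!r}")
    source = limited_data_set(record) if role == "analyst" else record
    released = {k: v for k, v in source.items() if k in ROLE_FIELDS[role]}
    retain_until = date.fromisoformat(today) + ACCOUNTING_RETENTION
    log.append({"date": today, "role": role, "purpose": purpose,
                "fields": sorted(released), "retain_until": retain_until.isoformat()})
    return released


def purge_expired(log, today):
    """Apply the retention schedule: drop accounting entries past retain_until."""
    cutoff = date.fromisoformat(today)
    log[:] = [e for e in log if date.fromisoformat(e["retain_until"]) >= cutoff]
    return len(log)
```

An unknown role raises rather than falling back to a default view, so a misconfigured caller fails closed instead of over-disclosing.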
Enforcement and Penalties
The Office for Civil Rights can investigate complaints, audit entities, and impose tiered civil monetary penalties for violations. Factors include the nature and extent of the violation, harm caused, and your organization’s diligence and remediation efforts.
Serious or willful neglect can trigger substantial civil penalties, and the Department of Justice may pursue criminal cases for knowing wrongful disclosures. Expect corrective action plans, monitoring, and mandated security improvements where gaps are found—civil and criminal penalties are real risks for noncompliance.
Covered Entity Liability
Covered entities remain responsible for ensuring Business Associate Agreements are in place and for addressing known patterns of noncompliance. If a business associate acts as the covered entity’s agent, the covered entity can be liable for the associate’s actions within the scope of that agency.
Strong contracts, risk-based oversight, and timely remediation help reduce exposure. However, a contract alone does not shield a covered entity from enforcement when oversight is lacking or red flags are ignored.
Compliance Deadlines
- January 25, 2013: HIPAA Omnibus Rule published.
- March 26, 2013: Rule effective date.
- September 23, 2013: General compliance date for covered entities and business associates.
- September 22, 2014: Transition period end date for certain preexisting Business Associate Agreements.
While these deadlines have passed, the obligations are ongoing. Your policies, Business Associate Agreements, and subcontractor management should continuously align with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule as clarified by the Omnibus Rule.
FAQs
What entities are included in the expanded definition of business associate?
Entities that create, receive, maintain, or transmit PHI for a covered entity are included, such as cloud service providers, data hosting platforms, Health Information Organizations, e-prescribing gateways, PHI transmission vendors with routine access, PHR vendors serving covered entities, and service providers like billing or document management firms that handle PHI.
How does the Omnibus Rule affect business associate liability?
It makes business associates directly liable for compliance with the HIPAA Security Rule and certain Privacy Rule provisions, requires breach reporting to covered entities, mandates minimum necessary practices, and enforces accountability for subcontractor compliance—allowing regulators to take action directly against the business associate.
What are the requirements for subcontractor agreements under the Omnibus Rule?
Business associates must execute written agreements with subcontractors that mirror HIPAA obligations: specify permitted PHI uses/disclosures, require Security Rule safeguards, mandate incident and breach reporting, support individual rights, ensure PHI return or destruction, authorize HHS access, and permit termination for material breach.
What penalties apply for noncompliance with the Omnibus Rule?
Noncompliance can lead to OCR investigations, corrective action plans, and tiered civil monetary penalties, with higher tiers for willful neglect. In egregious cases, the Department of Justice may pursue criminal enforcement. Each violation category can accrue penalties, and obligations extend to subcontractors as well.