Omnibus Rule Guide: Implementing HITECH, Breach Notification, and Patient Rights

Kevin Henry

HIPAA

August 26, 2024

8 minutes read

Omnibus Rule Overview

This Omnibus Rule Guide explains how the HIPAA Omnibus Rule implements the HITECH Act to strengthen privacy and security protections for Protected Health Information. The rule expands accountability to Business Associates, tightens the Breach Notification Rule, and enhances patient rights, ensuring Covered Entities and their partners safeguard PHI across the data lifecycle.

The Omnibus Rule aligns privacy and security standards with modern care delivery and technology. It clarifies when authorizations are required, sets Patient Authorization Restrictions for marketing and the sale of PHI, and updates Notice of Privacy Practices content so patients understand their choices and protections.

Key updates at a glance

  • Broader liability for Business Associates and their subcontractors under the Security Rule and parts of the Privacy Rule.
  • Presumption that unauthorized access, use, or disclosure of PHI is a breach unless a documented risk assessment shows a low probability of compromise.
  • Stronger patient access rights, including electronic access and the right to restrict disclosures to a health plan when services are paid out of pocket in full.

Breach Notification Requirements

The Breach Notification Rule requires prompt action when unsecured PHI is compromised. Upon discovery, you must investigate, perform a documented risk assessment, and—if a breach is confirmed—notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media.

Timelines

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: For breaches affecting 500 or more individuals, without unreasonable delay and no later than 60 days; for fewer than 500, log and report to HHS within 60 days after the end of the calendar year.
  • Media: If 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets within 60 days.
  • Business Associates: Notify the Covered Entity without unreasonable delay and no later than 60 days after discovery (or sooner if required by the Business Associate Agreement).

Content and method of notice

  • Content: A description of what happened (including dates), the types of PHI involved, steps individuals should take to protect themselves, measures you are taking to mitigate harm and prevent recurrence, and contact information.
  • Method: First-class mail or electronic notice if individuals have agreed to receive electronic communications. For 10 or more outdated addresses, provide substitute notice (website posting or media) and a toll-free number for at least 90 days.
  • Law enforcement delay: If a law enforcement official determines that notification would impede an investigation or threaten national security, delay notices for the time specified.

Definition of Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. The Omnibus Rule presumes a breach has occurred unless you can demonstrate, via a documented risk assessment, a low probability that PHI has been compromised.

Exceptions

  • Unintentional access or use by a workforce member, acting in good faith and within the scope of their authority, that does not result in further impermissible use or disclosure.
  • Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI within the same organization or Business Associate.
  • Situations where the unauthorized recipient could not reasonably have retained the information.

Risk Assessment Factors

The Omnibus Rule requires a fact-specific analysis to determine the probability that PHI has been compromised. You must document the assessment and retain it as part of your breach decision and response record.


The four required factors

  • Nature and extent of PHI involved, including sensitivity (for example, diagnoses, Social Security numbers, or financial details) and the likelihood of re-identification.
  • The unauthorized person who used or received the PHI, including whether they are obligated to protect confidentiality.
  • Whether the PHI was actually acquired or viewed, or if only the opportunity existed.
  • The extent to which the risk has been mitigated, such as obtaining written assurances of destruction or confirming that data were not retained.

Safe harbor and safeguards

  • Unsecured PHI triggers breach analysis; PHI rendered unusable, unreadable, or indecipherable (for example, via strong encryption and proper key management) typically falls outside notification requirements.
  • Proactive controls—risk analysis, access management, audit logging, and workforce training—reduce likelihood and impact, supporting defensible decisions under the Breach Notification Rule.

Business Associate Obligations

The Omnibus Rule makes Business Associates directly liable for compliance with key HIPAA provisions. If you create, receive, maintain, or transmit PHI on behalf of a Covered Entity, you must implement Security Rule safeguards, limit uses and disclosures to what the Privacy Rule and the Business Associate Agreement permit, and report breaches to the Covered Entity.

Core requirements

  • Execute and honor a written Business Associate Agreement that defines permitted uses/disclosures, breach reporting timelines, and safeguards.
  • Conduct enterprise-wide risk analysis and implement risk management, including encryption, access controls, and contingency planning.
  • Flow down obligations to subcontractors that handle PHI and monitor their compliance.
  • Apply the minimum necessary standard and support individual rights, including timely fulfilment of access requests in electronic form when applicable.

Enforcement and Penalties

HHS’s Office for Civil Rights enforces HIPAA through investigations, compliance audits, and enforcement actions that often culminate in resolution agreements and corrective action plans. Noncompliance can lead to Civil Monetary Penalties under a four-tier structure that scales with culpability and is adjusted for inflation.

Factors influencing penalties include the nature and extent of the violation, the number of individuals affected, the duration of noncompliance, and the organization’s history and level of cooperation. Willful neglect not corrected carries the highest penalty exposure. State attorneys general may also bring actions, increasing the legal and financial risk of lax compliance.

Common triggers for enforcement

  • Absence of an adequate risk analysis or failure to manage known risks.
  • Lack of a required Business Associate Agreement with vendors handling PHI.
  • Delayed breach notifications or incomplete notices to individuals, HHS, or the media.
  • Insufficient access controls, audit logs, or workforce training leading to impermissible disclosures.

Patient Rights Enhancements

The Omnibus Rule enhances individual control over PHI. Patients can request electronic access to their designated record set and receive information in the requested electronic format if readily producible. You must transmit ePHI to a patient’s designated third party when directed in a valid request.

Patients may demand restrictions on disclosures to a health plan for services paid out of pocket in full, and you must honor this restriction unless disclosure is required by law. The rule tightens Patient Authorization Restrictions for marketing and prohibits the sale of PHI without explicit authorization, with narrow exceptions such as public health or research cost-recovery scenarios.

Notice of Privacy Practices and fundraising

  • Update the Notice of Privacy Practices to reflect new rights, breach duties, and authorization requirements, and make it available upon request and at service points.
  • Fundraising communications must include a clear opt-out that you honor; opting out cannot be a condition of treatment or payment.

Conclusion

To implement the HIPAA Omnibus Rule effectively, build a living compliance program: maintain current policies, complete risk analyses, manage vendors through strong Business Associate Agreements, and practice your breach response. Doing so protects patients, reduces exposure to Civil Monetary Penalties, and demonstrates a culture of compliance.

FAQs

What is the primary purpose of the Omnibus Rule?

The primary purpose is to implement HITECH-driven updates to HIPAA by strengthening protections for Protected Health Information, expanding direct liability to Business Associates, tightening the Breach Notification Rule, and enhancing patient rights such as electronic access and restrictions on certain disclosures.

How does the Omnibus Rule affect business associates?

Business Associates become directly liable for maintaining Security Rule safeguards, adhering to permitted uses and disclosures defined by HIPAA and the Business Associate Agreement, reporting breaches to Covered Entities, and ensuring subcontractor compliance—exposing them to HHS enforcement actions and Civil Monetary Penalties for violations.

What are the breach notification timelines under the Omnibus Rule?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS within the same 60-day window for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller breaches. If 500 or more residents of a state or jurisdiction are affected, notify the media within 60 days. Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 days or as specified in the BAA.

How does the Omnibus Rule enhance patient rights?

It guarantees electronic access to PHI in the designated record set, permits patients to direct ePHI to a chosen third party, requires honoring restrictions on disclosures to a health plan when services are paid out of pocket in full, and tightens Patient Authorization Restrictions for marketing and the sale of PHI—giving individuals greater control over how their information is used and shared.
