Omnibus Rule Requirements for Covered Entities: BAAs, Breach Notices, NPP Updates


Kevin Henry

HIPAA

August 25, 2024

9 minutes read

The HIPAA Omnibus Rule reshaped expectations for covered entities by tightening Business Associate obligations, standardizing breach notices, and requiring clear Notice of Privacy Practices updates. This guide translates those Omnibus Rule Requirements for Covered Entities into practical steps you can implement now—without guesswork.

Use the sections below to strengthen Business Associate Agreement Compliance, refine Breach Risk Assessment processes for Unsecured PHI, complete a thorough Notice of Privacy Practices Revision, and align operations with Security Rule Requirements and PHI Sale Restrictions.

Updating Business Associate Agreements

Business Associates and their subcontractors carry direct liability under the Omnibus Rule. Your contracts must do more than acknowledge HIPAA—they must operationalize it and flow down responsibilities across the vendor chain.

Essential updates for Business Associate Agreement Compliance

  • Define permitted and required uses/disclosures of PHI, expressly limiting anything not authorized by the agreement or law.
  • Require adherence to Security Rule Requirements for all ePHI, including risk analysis, safeguards, and incident response.
  • Mandate prompt reporting of any impermissible use/disclosure and breaches of Unsecured PHI “without unreasonable delay,” with details sufficient for the covered entity to notify on time.
  • Flow down all obligations to subcontractors that create, receive, maintain, or transmit PHI.
  • Oblige cooperation with access, amendment, and accounting requests; provide records to support compliance reviews.
  • Specify return or destruction of PHI at termination (or continued protections if destruction is infeasible).
  • Include clear remedies and termination rights for material breach.

Practical implementation steps

  • Inventory all Business Associates and subcontractors; risk-rank by PHI volume/sensitivity.
  • Adopt a single BAA template with Omnibus-compliant terms; prohibit unilateral vendor changes to core protections.
  • Set reporting timeframes that allow you to meet statutory deadlines (e.g., BA notice well ahead of the 60-day outer limit).
  • Map each BAA obligation to internal owners (privacy, security, legal, vendor management) and to monitoring controls.
  • Track BAA execution and renewal dates; verify insurance coverage, security attestations, and breach playbook alignment annually.

Enhancing Breach Notification Protocols

The Omnibus Rule presumes an impermissible use or disclosure is a breach unless you demonstrate a low probability of compromise. A consistent, well-documented Breach Risk Assessment is non-negotiable.

Conduct a standardized Breach Risk Assessment

  • Nature and extent of PHI involved (identifiers, sensitivity, likelihood of re-identification).
  • The unauthorized person who used or received the PHI (and their ability to retain/use it).
  • Whether the PHI was actually acquired or viewed versus merely exposed.
  • The extent to which risks were mitigated (e.g., prompt retrieval, verified non-use, satisfactory assurances).

Define Unsecured PHI and reduce exposure

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance: encryption consistent with that guidance, or destruction of the media. Encrypting ePHI at rest and in transit, keeping decryption keys off the device that holds the encrypted data, and hardening mobile/portable media can move a lost laptop or drive outside breach-notification scope.

Notification timelines and recipients

  • Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • U.S. Department of Health and Human Services (HHS): contemporaneously with the individual notice for breaches affecting 500 or more individuals; for fewer than 500, log the breach and submit the log no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Prominent media: if a breach involves more than 500 residents of a single state or jurisdiction.
  • Law enforcement delay: permitted if a law enforcement official states that notice would impede a criminal investigation or damage national security; the delay postpones delivery, it does not remove the obligation.

Required content and delivery

  • Content: a plain-language description of what happened, types of information involved, steps individuals should take, what you are doing to investigate/mitigate/prevent, and how to contact you.
  • Delivery: first-class mail or email if the individual agrees. Provide substitute notice if contact info is insufficient; maintain a toll-free call center when applicable.

Role of Business Associates

BAAs must require Business Associates to notify you promptly of any breach, supplying all details you need to complete notices. Establish intake channels, incident templates, and evidence requirements to speed decision-making.
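The risk assessment, the unsecured-PHI test, and the timelines above combine into a decision tree that responders should be able to run mechanically during an incident. The Python below is an added example written for this article, not code from the original page or from any vendor; the `Incident` and `RiskAssessment` fields, the "all four factors must favour low risk" threshold, and the sample incidents are assumptions made for illustration.

```python
"""Breach-notification decision tree for a single incident.

Added example for this article (not code from the original page). It encodes:
  * PHI secured per HHS guidance (encrypted with the key not exposed, or
    destroyed) is outside the breach-notification rule.
  * Otherwise an impermissible use/disclosure is presumed a breach unless a
    four-factor risk assessment shows a low probability of compromise.
  * Individuals: no later than 60 calendar days after discovery.
  * HHS: 500 or more individuals -> with the individual notice; fewer than
    500 -> annual log, due 60 days after the end of the discovery year.
  * Media: more than 500 residents of any one state or jurisdiction.
Field names, the "all four factors" threshold and the sample incidents are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass
class RiskAssessment:
    """The four factors of 45 CFR 164.402; True means the factor supports low risk."""
    limited_nature_and_extent: bool   # few identifiers, low re-identification risk
    recipient_obligated: bool         # recipient is HIPAA-bound or otherwise obligated
    not_acquired_or_viewed: bool      # exposed, but forensics show no acquisition/viewing
    risk_mitigated: bool              # retrieved, destroyed, satisfactory assurances

    def low_probability_of_compromise(self) -> bool:
        # Assumed policy for this example: every factor must favour low risk.
        return all((self.limited_nature_and_extent, self.recipient_obligated,
                    self.not_acquired_or_viewed, self.risk_mitigated))


@dataclass
class Incident:
    discovered: date
    phi_secured: bool                              # encrypted/destroyed per HHS guidance
    affected_by_state: Dict[str, int] = field(default_factory=dict)
    assessment: Optional[RiskAssessment] = None
    law_enforcement_hold: bool = False             # official says notice would impede investigation

    @property
    def affected_total(self) -> int:
        return sum(self.affected_by_state.values())


def notification_plan(inc: Incident) -> dict:
    """Return who must be notified and the outer deadline for each notice."""
    if inc.phi_secured:
        return {"breach": False,
                "reason": "PHI was secured; outside the breach-notification rule"}
    if inc.assessment is not None and inc.assessment.low_probability_of_compromise():
        return {"breach": False,
                "reason": "documented low probability of compromise"}

    # Presumption of breach applies: compute the notices owed.
    individual_deadline = inc.discovered + timedelta(days=60)
    notices = {"individuals": individual_deadline}
    if inc.affected_total >= 500:
        notices["hhs"] = individual_deadline         # contemporaneous with individual notice
    else:
        year_end = date(inc.discovered.year, 12, 31)
        notices["hhs_annual_log"] = year_end + timedelta(days=60)
    media_states = sorted(s for s, n in inc.affected_by_state.items() if n > 500)
    if media_states:
        notices["media"] = {"states": media_states, "deadline": individual_deadline}
    return {"breach": True, "notices": notices,
            # A law-enforcement hold delays delivery; it does not remove any notice.
            "law_enforcement_hold": inc.law_enforcement_hold}


# Constructed sample incidents (not real events).
LOST_UNENCRYPTED_LAPTOP = Incident(
    discovered=date(2024, 8, 25), phi_secured=False,
    affected_by_state={"CA": 610, "NV": 12})
MISDIRECTED_FAX_TO_CLINIC = Incident(
    discovered=date(2024, 3, 10), phi_secured=False,
    affected_by_state={"TX": 40},
    assessment=RiskAssessment(True, True, False, True))  # the fax was read, so not low risk
ENCRYPTED_DRIVE = Incident(discovered=date(2024, 5, 1), phi_secured=True,
                           affected_by_state={"WA": 2000})

if __name__ == "__main__":
    for name, inc in [("laptop", LOST_UNENCRYPTED_LAPTOP),
                      ("fax", MISDIRECTED_FAX_TO_CLINIC),
                      ("drive", ENCRYPTED_DRIVE)]:
        print(name, notification_plan(inc))
```

Treat the dates the function returns as outer limits: "without unreasonable delay" usually means sooner, and the plan should be filed together with the written four-factor assessment so the presumption-of-breach analysis can be reproduced during an HHS review.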

Revising Notice of Privacy Practices

A thorough Notice of Privacy Practices Revision ensures people understand how their information is used and their options. Update the NPP to reflect Omnibus-specific authorizations, restrictions, and breach duties.

What your updated NPP must cover

  • Statement that certain uses/disclosures (marketing, sale of PHI, most uses of psychotherapy notes) require prior authorization.
  • Notice that you will provide breach notifications if Unsecured PHI is compromised.
  • Explanation of the right to request a restriction that PHI not be disclosed to a health plan when the individual pays in full out-of-pocket.
  • Fundraising disclosure and a clear, easy Fundraising Communication Opt-Out that does not affect care.
  • Right to access PHI in the requested electronic form/format when readily producible.
  • Assurance that genetic information will not be used for underwriting purposes.

Distribution and operationalization

  • Post the current NPP prominently and online; offer a paper copy on request and at the first service encounter.
  • Update acknowledgment processes, staff scripts, patient portals, and signage to mirror the revised language.
  • Version-control the NPP with an effective date; retire outdated versions and align downstream materials.

Ensuring Compliance with Security Rule

The Security Rule establishes baseline Security Rule Requirements for safeguarding ePHI. Your program must be risk-based, documented, and continuously improved.


Program pillars

  • Administrative safeguards: enterprise risk analysis, risk management plan, vendor oversight, workforce training, sanctions, contingency planning, and periodic evaluations.
  • Physical safeguards: facility access controls, device/media controls, secure disposal, and environmental protections.
  • Technical safeguards: access controls (unique IDs, MFA), audit controls and log review, integrity protections, transmission security, and encryption.

Operational best practices

  • Maintain an ePHI data map; minimize where PHI resides and how long it persists.
  • Use secure configuration baselines, patch/vulnerability management, EDR, and backup/restore tests.
  • Exercise your incident response plan with tabletop drills that include BAA coordination and breach-notice decision trees.

Managing PHI Use and Disclosure Restrictions

Omnibus refined when you may use or disclose PHI without authorization and when explicit permission is required. Build controls that default to “minimum necessary” and escalate exceptions.

Key controls to implement

  • Minimum necessary standard for routine disclosures; role-based access in systems and release-of-information workflows.
  • Out-of-pocket restriction: when an individual (or someone on their behalf) pays for an item or service in full and requests the restriction, do not disclose the related PHI to the health plan for payment or health care operations unless the disclosure is required by law.
  • PHI Sale Restrictions: prohibit receiving remuneration for PHI disclosures without a valid authorization, subject to limited exceptions.
  • Marketing boundaries: most marketing needs authorization; narrow allowances exist (e.g., treatment communications, refill reminders within cost-based limits).
  • Special protections: psychotherapy notes require authorization for most uses; genetic data cannot be used for underwriting.
  • De-identification and limited data sets: prefer when feasible, with data use agreements for limited data sets.

Responding to Individual Rights Requests

Individuals have enforceable rights, and the Omnibus Rule emphasizes timely, electronic access and clear choices. Standardize intake, verification, routing, and fulfillment.

Access and copies

  • Provide access within 30 days of request (one 30-day extension with written explanation if needed).
  • Offer electronic copies in the requested form/format if readily producible, or in a readable alternative agreed upon by the individual.
  • Permit directed disclosures to a third party at the individual’s written request.
  • Charge only reasonable, cost-based fees permitted by the Privacy Rule.

Amendments and accountings

  • Respond to amendment requests within 60 days (one 30-day extension if necessary) and either append the amendment or deny it in writing with the rationale and the individual's options.
  • Provide an accounting of disclosures within 60 days of the request (one 30-day extension if necessary), covering up to the six years before the request; maintain disclosure logs to ease fulfillment.

Restrictions and confidential communications

  • Honor valid requests to restrict disclosures to health plans when paid in full out-of-pocket.
  • Accommodate reasonable requests for alternative means or locations for confidential communications.

Implementing Fundraising and Marketing Authorization Procedures

Marketing and fundraising touchpoints carry heightened risk. Codify authorization thresholds and opt-out mechanics to avoid impermissible uses.

Marketing authorizations

  • Obtain authorization for most marketing that promotes a product or service; document scope, expiration, and revocation rights.
  • If any financial remuneration is involved, treat the activity as marketing requiring authorization unless a narrow exception applies.
  • Coordinate with BAAs to ensure vendors neither use nor disclose PHI for their own marketing.

Fundraising Communication Opt-Out

  • Limit fundraising data elements to those permitted (for example, demographics, dates/department of service, treating physician, outcome, and health insurance status).
  • Provide a clear, easy Fundraising Communication Opt-Out in every fundraising message; honor preferences promptly and without burden.
  • Never condition treatment or payment on fundraising participation.

PHI Sale Restrictions in practice

  • Prohibit disclosures where you directly or indirectly receive remuneration in exchange for PHI unless you have a specific, valid authorization or a recognized exception.
  • Maintain a central register of authorizations tied to disclosures; audit vendors for compliance.

Conclusion

By tightening BAAs, operationalizing a defensible Breach Risk Assessment, completing a targeted Notice of Privacy Practices Revision, and enforcing Security Rule Requirements and PHI Sale Restrictions, you create a compliance posture that scales. Align policies, contracts, technology, and training—then verify through testing and vendor oversight.

FAQs

What are the key changes to Business Associate Agreements under the Omnibus Rule?

The Omnibus Rule makes Business Associates directly liable for compliance and requires BAAs to include clear limits on PHI use/disclosure, adherence to Security Rule Requirements, prompt reporting of breaches of Unsecured PHI, and full flow-down to subcontractors. BAAs must also support individual rights (access, amendment, accounting), permit HHS review, and provide for PHI return or destruction and termination for material breach—forming the backbone of Business Associate Agreement Compliance.

When must covered entities report a breach of unsecured PHI?

Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. They must also notify HHS (contemporaneously with the individual notice for breaches affecting 500 or more individuals; through an annual log, submitted within 60 days after the end of the calendar year, for fewer than 500) and prominent media when more than 500 residents of one state or jurisdiction are affected. Business Associates must notify the covered entity without unreasonable delay, and no later than 60 days after discovery, with enough detail to enable timely notices.

How should covered entities update their Notice of Privacy Practices?

Complete a Notice of Privacy Practices Revision that adds plain-language statements about breach notifications, uses/disclosures requiring authorization (marketing, sale of PHI, psychotherapy notes), the right to an easy Fundraising Communication Opt-Out, the right to restrict disclosures to health plans when paying in full out-of-pocket, electronic access options, and assurances regarding genetic information and underwriting. Post the updated NPP, distribute at the first service encounter, and align all scripts and portals.

What rights do individuals have regarding the sale of their PHI?

Individuals control the sale of their PHI. You may not sell PHI—receive direct or indirect remuneration in exchange for it—without the individual’s valid, specific authorization, subject to limited exceptions. Individuals may revoke authorization at any time, and your processes must prevent disclosures absent current authorization, reflecting the Omnibus Rule’s PHI Sale Restrictions.
