Practical Guide: What Changed Under the January 2013 HIPAA Omnibus Rule
The January 25, 2013 HIPAA Omnibus Rule overhauled privacy, security, breach notification, and enforcement standards by implementing HITECH and GINA. It took effect March 26, 2013, with a general compliance date of September 23, 2013. This practical guide explains exactly what changed and how you can align day-to-day operations with the updated requirements.
Breach Notification Requirements
The Omnibus Rule replaced the prior “harm” test with a presumption that a breach of protected health information (PHI) has occurred unless you demonstrate a low probability that the PHI was compromised. You must conduct and document a risk assessment for every incident involving unsecured PHI.
The four-factor risk assessment
- Nature and extent of PHI involved (identifiers and likelihood of re-identification).
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (e.g., obtaining satisfactory assurances of destruction).
Notification timelines and scope
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- For incidents affecting 500 or more individuals in a state or jurisdiction, notify prominent media outlets and report to HHS at the same time as individual notice; for fewer than 500 individuals, log the breach and report it to HHS annually.
- Maintain written analysis supporting any decision not to notify.
Narrow exceptions
- Unintentional access by a workforce member acting in good faith within scope of authority.
- Inadvertent disclosure between authorized persons within the same organization or organized health care arrangement.
- Good-faith belief that the recipient could not reasonably retain the information.
Business Associate Liability
The Rule makes Business Associates—and their subcontractors—directly liable for complying with key provisions of the HIPAA Security Rule and certain Privacy Rule requirements. Business Associate compliance is no longer optional or purely contractual.
What Business Associates must do
- Implement administrative, physical, and technical safeguards; perform risk analyses; and maintain ongoing risk management.
- Limit uses/disclosures to the minimum necessary and to purposes permitted by the Business Associate Agreement (BAA).
- Report breaches of unsecured PHI to the covered entity and flow down obligations to subcontractors handling PHI.
Business Associate Agreements
- Update BAAs to reflect direct liability, breach reporting duties, permitted uses/disclosures, and subcontractor requirements.
- Recognize that data storage and cloud providers are Business Associates even if they never view PHI.
Marketing and Fundraising Restrictions
The Omnibus Rule tightens marketing authorization restrictions. A covered entity generally must obtain an individual’s authorization for any marketing communication if it receives financial remuneration from a third party whose product or service is being promoted.
Marketing: what requires authorization
- Paid communications promoting a third party’s product or service.
- Sale of PHI (disclosure in exchange for remuneration) is prohibited without specific authorization, subject to limited exceptions (e.g., public health, research with cost-based fees).
Marketing: what does not require authorization
- Face-to-face communications and promotional gifts of nominal value.
- Refill reminders or adherence communications, if any payment received is reasonably related to the cost of the communication.
Fundraising rules
- You may use limited PHI for fundraising: demographic and contact data, dates and departments of service, treating physician, outcome information, and health insurance status.
- Every solicitation must include a clear, simple opt-out; you must honor the opt-out, and you cannot condition treatment or payment on a fundraising decision.
Expanded Individual Rights
The Rule expands patient control, particularly around electronic access to health information and disclosures to payers. These changes affect intake, release-of-information, and billing workflows.
Right to electronic copies and directed transmission
- Provide access to PHI in the requested electronic form and format if readily producible (or an agreed alternative). Deliver within 30 days, with one permissible 30-day extension when necessary.
- Upon a signed request, send an electronic copy to a third party the individual designates.
- Fees must be reasonable and cost-based (labor for copying, supplies, postage, and, if requested, preparing an explanation or summary).
Right to restrict disclosures to health plans
- When an individual pays in full out-of-pocket for an item or service, you must honor a requested restriction on disclosure of that specific visit’s PHI to a health plan, except where disclosure is required by law.
Other notable changes
- Immunization records may be disclosed to a school with a parent or legal guardian’s agreement (written or documented oral agreement, as permitted by law).
- PHI of decedents is protected for 50 years after death.
Notice of Privacy Practices Updates
The Rule requires significant Privacy Notice revisions. You must revise and redistribute your NPP to reflect new rights and uses/disclosures.
- State that certain uses/disclosures require authorization: marketing, sale of PHI, and most uses of psychotherapy notes.
- Explain the right to be notified following a breach of unsecured PHI.
- Describe the right to restrict disclosures to a health plan for services paid in full out-of-pocket.
- Disclose that you may contact individuals for fundraising and that they have a right to opt out of such communications.
Providers must post the updated NPP at service sites and on public websites and make copies available on request. Health plans must distribute the updated notice as part of their regular member communications.
Enforcement and Penalties
The Omnibus Rule strengthens OCR’s enforcement posture and applies penalties to Business Associates. Investigations are mandatory where willful neglect is indicated, and corrective action plans are common outcomes in addition to monetary penalties.
HIPAA penalty tiers
- Tier 1 – Did not know: $100 to $50,000 per violation; annual cap per violation category up to $1,500,000.
- Tier 2 – Reasonable cause: $1,000 to $50,000 per violation.
- Tier 3 – Willful neglect, corrected: $10,000 to $50,000 per violation.
- Tier 4 – Willful neglect, not corrected: $50,000 per violation.
Penalty amounts vary with factors such as the nature and extent of the violation, number of individuals affected, and degree of harm. Robust documentation of safeguards, training, and incident response materially affects outcomes.
Genetic Information Protections
The Rule implements the Genetic Information Nondiscrimination Act (GINA) within HIPAA by treating genetic information as PHI and restricting how health plans may use it. Most health plans are prohibited from using or disclosing genetic information for underwriting purposes.
Key points for plans and providers
- “Genetic information” includes genetic tests, family members’ genetic tests, and family medical history.
- “Underwriting” includes eligibility, premium rating, or benefit determinations. Plans generally may not request, require, or purchase genetic information for underwriting.
- Long-term care insurers are not subject to GINA’s underwriting prohibition, but genetic information they hold is still PHI under HIPAA.
Conclusion
Taken together, the 2013 changes emphasize accountability, transparency, and patient choice. By documenting risk assessments, tightening Business Associate oversight, honoring enhanced access and restriction rights, updating your NPP, and understanding HIPAA penalty tiers and genetic information limits, you position your organization for durable compliance and trust.
FAQs
What are the new breach notification standards under the Omnibus Rule?
Breaches are presumed reportable unless you show a low probability of compromise using a four-factor assessment (nature of PHI, unauthorized recipient, actual acquisition/viewing, and mitigation). Notify affected individuals without unreasonable delay and no later than 60 days, and follow HHS/media reporting rules based on the number affected.
How did the rule change business associate responsibilities?
Business Associates and their subcontractors became directly liable for HIPAA Security Rule safeguards and certain Privacy Rule provisions. They must conduct risk analyses, implement safeguards, report incidents, limit uses/disclosures, and bind subcontractors via BAAs. OCR may investigate and penalize BAs for violations.
What individual rights were expanded by the 2013 Omnibus Rule?
Individuals gained stronger electronic access rights to their health information (electronic copies, directed transmission to a third party, reasonable cost-based fees), a right to restrict disclosures to health plans for fully self-paid services, streamlined school immunization disclosures with parental agreement, and a 50-year limit on decedent PHI protection.
How did HIPAA penalties change after January 2013?
The Rule codified enhanced HIPAA penalty tiers, expanded them to Business Associates, and made investigations mandatory for willful neglect. Penalties range from $100 to $50,000 per violation, with an annual cap of up to $1.5 million per violation category, influenced by culpability and corrective efforts.