The Final Omnibus Rule: Key Enhancements, Examples, and Best Practices

Kevin Henry

HIPAA

August 25, 2024

8 minutes read
The Final Omnibus Rule consolidated and strengthened multiple provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. It sharpened accountability for handling Protected Health Information, expanded who counts as a business associate, and clarified Patient Authorization Requirements for marketing, fundraising, and the sale of PHI. It also integrated Genetic Information Nondiscrimination protections and reinforced Office for Civil Rights Enforcement expectations.

This guide explains each major enhancement, provides practical examples, and outlines best practices you can apply to reduce risk and improve compliance.

Expanded Business Associate Definition

The rule broadens “business associate” to include not only vendors working directly for covered entities, but also subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate. Entities that provide data transmission with routine access to PHI and organizations that maintain PHI (such as many cloud service providers) fall within scope. The long-standing “mere conduit” concept remains narrow and does not extend to services that store PHI, even if encrypted.

Examples

  • Cloud storage providers that host ePHI for a clinic, even when the provider cannot routinely view the data.
  • Health Information Organizations and e-prescribing gateways that route and manage PHI.
  • Analytics firms, revenue cycle vendors, and practice management platforms that handle PHI.
  • Subcontractors of a billing company who process PHI on the billing company’s behalf.

Best Practices

  • Map all vendors and downstream subcontractors that touch PHI, including “behind-the-scenes” services.
  • Apply minimum necessary access and verify technical safeguards for each vendor relationship.
  • Use standardized due diligence checklists and risk questionnaires during procurement and renewal.

Direct Liability of Business Associates

Business associates are directly liable for compliance with the Security Rule and for certain provisions of the HIPAA Privacy Rule. They must implement administrative, physical, and technical safeguards, limit uses and disclosures to those permitted, and execute Business Associate Agreements with their subcontractors. OCR can investigate and impose civil monetary penalties directly on business associates for violations.

Examples

  • A cloud vendor that lacks access controls and audit logging can face enforcement for Security Rule failures.
  • An analytics firm that discloses PHI beyond what its Business Associate Agreement permits may incur penalties.

Best Practices

  • Adopt a risk management program aligned to the Security Rule: risk analysis, risk mitigation, and continuous monitoring.
  • Train workforce members on permitted uses/disclosures and incident reporting pathways.
  • Flow down all relevant requirements to subcontractors and verify compliance periodically.

Enhanced Patient Rights

The Final Omnibus Rule reinforces patients’ ability to access PHI, including receiving an electronic copy of ePHI from the designated record set in the format requested if readily producible. Patients can direct a copy to a third party and, when they pay out of pocket in full, require a provider to refrain from disclosing that treatment information to a health plan, except where disclosure is required by law.

Notices of Privacy Practices must reflect changes such as new limits on marketing, fundraising opt-out rights, restrictions on the sale of PHI, and the right to be notified of a breach. The rule also implements Genetic Information Nondiscrimination by treating genetic information as PHI and tightening its use, including prohibitions on using genetic information for underwriting by health plans.

Examples

  • A patient requests an electronic copy of their imaging report via secure email; the provider supplies it in the requested readable format.
  • A patient pays cash for a sensitive service and instructs the provider not to disclose the encounter to their health plan.

Best Practices

  • Offer multiple ePHI fulfillment options (portal download, secure email, or media) and document the format requested.
  • Embed restriction workflows in registration and billing systems to honor pay-in-full nondisclosure requests.
  • Update the Notice of Privacy Practices to reflect marketing, fundraising, sale-of-PHI, and breach rights.

Strengthened Breach Notification Requirements

The rule adopts a presumption of breach unless you can demonstrate a low probability that PHI has been compromised based on an objective risk assessment. The assessment must consider: the nature and extent of PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Covered entities must notify affected individuals without unreasonable delay and within required timeframes, and report larger incidents to HHS and, in some cases, the media. The Breach Notification Rule’s encryption safe harbor still applies when PHI is protected by approved encryption methods.

Examples

  • An unencrypted stolen laptop containing clinical notes triggers notification absent a documented low-probability finding.
  • A misdirected fax to a provider who promptly confirms destruction may be mitigated, but still requires a documented assessment.

Best Practices

Prohibition on Sale of PHI

The Final Omnibus Rule prohibits receiving remuneration in exchange for PHI without a valid, written patient authorization. Limited exceptions apply, such as public health activities, research with cost-based remuneration, and certain payment or healthcare operations where only reasonable cost-based fees are received.

Examples

  • Selling a patient list to a third party for marketing requires explicit authorization that discloses payment.
  • Cost-based fees to provide records to another provider for treatment are not a “sale of PHI.”

Best Practices

  • Screen all data-sharing arrangements for remuneration and flag those that require a written patient authorization.
  • Use authorization forms that clearly identify the recipient, purpose, scope, expiration, and remuneration.
  • Log authorizations and expirations; verify before each disclosure.

Stricter Marketing and Fundraising Limitations

Marketing communications that are financed by a third party generally require prior patient authorization, with limited exceptions such as face-to-face communications and promotional gifts of nominal value. Refill reminders and adherence messages are allowed when any payment received is reasonably related to the cost of the communication.

For fundraising, covered entities may use limited information (for example, demographic details, dates of service, department of service, treating physician, and outcome information), but must provide a clear, simple opt-out that does not condition treatment or payment. Notices of Privacy Practices must describe this opt-out right.

Examples

  • A manufacturer-funded email inviting patients to switch therapies is marketing and needs authorization.
  • A hospital foundation mails a letter to former surgery patients and includes a one-click or easy mail-in opt-out.

Best Practices

  • Classify all outreach as treatment, healthcare operations, fundraising, or marketing before sending.
  • Use standardized authorization templates for third-party funded communications.
  • Embed fundraising opt-out preferences in your CRM and honor them across all channels.

Updated Business Associate Agreements

Business Associate Agreements must reflect expanded obligations: adherence to Security Rule safeguards, reporting of breaches and security incidents, limits on uses and disclosures, prohibition on the sale of PHI without authorization, and flow-down requirements to subcontractors. Agreements should also address minimum necessary, breach timelines, and termination for cause.

Key Clauses to Include

  • Scope of permitted uses/disclosures and prohibition on re-identification or sale of PHI without authorization.
  • Security requirements: risk analysis, encryption at rest and in transit where feasible, access controls, and audit logging.
  • Incident response: prompt breach reporting, cooperation in investigation, and allocation of notification responsibilities.
  • Subcontractor oversight: written contracts that impose the same restrictions and safeguards.
  • Return or secure destruction of PHI upon termination, if feasible, with attestations.

Best Practices

  • Use a central contract repository and renewal alerts tied to risk reviews and updated due diligence.
  • Align BAA language with your internal policies to avoid gaps between paper and practice.
  • Conduct periodic vendor audits or attestations and track remediation to closure.

Conclusion

The Final Omnibus Rule tightened accountability across the ecosystem by expanding who is covered, elevating direct liability, strengthening patient rights, and clarifying the Breach Notification Rule. By operationalizing precise Business Associate Agreements, rigorous security controls, and clear Patient Authorization Requirements, you can protect PHI, honor Genetic Information Nondiscrimination safeguards, and meet OCR’s enforcement expectations.

FAQs

What entities are newly included under the business associate definition?

The rule brings in subcontractors that handle PHI on behalf of another business associate, Health Information Organizations, e-prescribing gateways, many cloud and data hosting providers that maintain PHI, data transmission services with routine access, and vendors such as billing, analytics, and practice management firms. Downstream subcontractors are also business associates when they create, receive, maintain, or transmit PHI.

How does the final omnibus rule affect patient access to health records?

Patients can obtain an electronic copy of ePHI in the format requested if readily producible, direct a copy to a chosen third party, and expect disclosures to a health plan to be restricted when they pay out of pocket in full for a service. Providers must honor these rights within HIPAA’s required timeframes and may only charge reasonable, cost-based fees for copies.

What are the new breach notification requirements under the rule?

The rule presumes a breach unless a documented assessment shows a low probability that PHI was compromised, using four required factors. Covered entities must notify affected individuals without unreasonable delay and within regulatory deadlines, and report large breaches to HHS and, in some cases, the media. Strong encryption can qualify for safe harbor, avoiding notification when properly implemented.

What penalties can be imposed for non-compliance with the omnibus rule?

OCR applies tiered civil monetary penalties per violation based on culpability, with willful neglect drawing the highest amounts. Organizations may also enter resolution agreements requiring corrective action plans, monitoring, and reporting. Depending on scope and duration, financial exposure can reach into the millions, alongside reputational and operational impacts.
