What Covered Entities Are Provided With Under the HIPAA Omnibus Final Rule

Kevin Henry

HIPAA

August 25, 2024

The HIPAA Omnibus Final Rule equips you, as a covered entity, with clearer guardrails for Privacy Rule compliance, stronger vendor accountability, and practical tools to safeguard protected health information (PHI). It refines Security Rule requirements, tightens when an authorization for disclosure is required, and heightens penalties for non‑compliance—all while expanding individuals’ rights and expectations.

Business Associates' Direct Liability

What changed

The rule makes business associates (BAs)—and their subcontractors—directly liable for meeting HIPAA’s Security Rule requirements and specified Privacy Rule provisions. That means vendors that create, receive, maintain, or transmit PHI on your behalf must implement administrative, physical, and technical safeguards, limit uses and disclosures, and report breaches without relying solely on your contracts.

What this provides to covered entities

  • Stronger leverage to enforce Privacy Rule compliance through business associate agreements (BAAs).
  • Clear accountability for impermissible uses/disclosures and failure to provide breach notification.
  • Flow‑down obligations so subcontractors handling PHI are held to the same standards.

Action steps

  • Update BAAs to mirror Security Rule requirements, breach notification timelines, and minimum necessary standards.
  • Inventory all vendors and subcontractors that maintain PHI; verify risk analysis, access controls, and encryption practices.
  • Establish incident response expectations, including prompt reporting and cooperation during investigations.

Expanded Definition of Business Associates

Who is included

The rule broadens who counts as a BA. It includes entities that maintain PHI for you—even if they never view it—such as cloud service providers, data centers, and hosted IT platforms. It also reaches health information organizations and exchanges, e‑prescribing gateways, patient safety and quality organizations, consultants and analytics firms handling PHI, and the subcontractors of those entities.

Narrow “mere conduit” exception

Only true couriers and telecom carriers that simply transmit PHI without persistent storage fall outside BA status under the "mere conduit" exception. If a vendor stores PHI, even in encrypted form, it is typically a business associate subject to Security Rule requirements.

Prohibition on Sale of PHI

General rule

You may not receive remuneration in exchange for PHI without a valid authorization for disclosure from the individual. This prohibition protects the value of PHI and prevents its commercialization without informed consent.

Common exceptions

  • Public health and research where any payment reflects only reasonable, cost‑based fees.
  • Treatment, payment, and healthcare operations disclosures that are customary and not a sale.
  • Sale, transfer, merger, or consolidation of your organization where PHI is part of the transaction.
  • Payments to business associates for services performed on your behalf.

Authorization for Disclosure requirements

  • State that the disclosure involves remuneration and describe the purpose.
  • Specify who may disclose and receive PHI, what PHI is involved, and the expiration.
  • Explain the individual’s right to revoke and any applicable conditions.

Strengthened Limitations on Marketing and Fundraising

Marketing

Marketing communications generally require an authorization for disclosure, particularly when a third party pays you to promote a product or service. Limited exceptions remain for face‑to‑face communications and nominal‑value gifts, and for prescription refill reminders where any payment is reasonably related to the cost of the communication.

Fundraising

You may use limited PHI for fundraising—such as demographic information, dates of service, department of service, treating clinician, outcome, and insurance status. Every fundraising message must offer a clear, simple opt‑out that you honor across future campaigns, and you may not condition care on an individual’s decision to opt out.

Expanded Individual Rights

Access to electronic PHI

Individuals can obtain electronic copies of PHI you maintain electronically and may direct you to transmit that ePHI to a designated third party. Fees must be reasonable and cost‑based, reflecting only permitted components of fulfillment.

Right to restrict certain disclosures

If an individual pays a provider in full, out‑of‑pocket, they may require you to restrict disclosure of that encounter to a health plan, except where disclosure is otherwise required by law.

Breach notifications

Individuals are entitled to timely notice of breaches of unsecured PHI. The rule presumes a breach unless you document a low probability of compromise after a risk assessment of the facts.

Family, caregivers, and decedents

You may share relevant PHI with a patient’s family members or others involved in care or payment, consistent with the individual’s preferences. Certain disclosures related to decedents are also simplified to support continuity and compassion.

Genetic Information Non-Discrimination

Genetic information is treated as PHI. Health plans may not use or disclose genetic information for underwriting purposes, reinforcing genetic information non‑discrimination protections.

Modifications to Notice of Privacy Practices

What your Notice must now cover

  • Uses and disclosures that require authorization, including marketing, sale of PHI, and psychotherapy notes.
  • The right to opt out of fundraising communications.
  • The right to restrict disclosures to a health plan for services paid in full out‑of‑pocket.
  • Your obligation to provide breach notifications.
  • For health plans, a statement that genetic information will not be used or disclosed for underwriting.

Distribution and format

Update and prominently post your Notice of Privacy Practices, make revised copies available at points of service, and provide them upon request. Ensure plain‑language explanations so individuals understand their rights and your duties.

Increased Enforcement and Penalties

Civil Monetary Penalties and tiers

The rule hardens enforcement with a tiered civil monetary penalties framework. Penalties escalate based on culpability—from lack of knowledge to willful neglect—and may reach significant amounts per violation type in a calendar year, emphasizing proactive compliance.

Presumption of breach and risk assessment

A breach is presumed unless you can demonstrate a low probability of compromise after assessing factors such as the nature of PHI involved, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation.

Audits, investigations, and corrective actions

Expect investigations, audits, and resolution agreements that may include corrective action plans and ongoing monitoring. Documentation, staff training, and vendor oversight are essential to demonstrate Security Rule requirements and Privacy Rule compliance.

Practical compliance checklist

  • Perform an enterprise‑wide risk analysis and implement risk management plans.
  • Revise BAAs, verify subcontractor compliance, and monitor vendor performance.
  • Harden access controls, audit logging, encryption, and incident response processes.
  • Refresh policies on minimum necessary, marketing, fundraising, and authorizations.
  • Update the Notice of Privacy Practices and train your workforce accordingly.

Conclusion

The HIPAA Omnibus Final Rule provides covered entities with clearer rules, stronger vendor accountability, expanded individual rights, and tougher penalties that together raise the bar for safeguarding protected health information. By aligning BA relationships, Notices of Privacy Practices, authorizations for disclosure, and security controls, you can meet today’s requirements with confidence.

FAQs

What are the new obligations for business associates under the HIPAA Omnibus Rule?

Business associates are directly liable for complying with Security Rule requirements and key Privacy Rule provisions. They must implement safeguards, limit uses and disclosures, report breaches to covered entities, and flow down obligations to subcontractors that handle PHI. Contracts should reflect these duties and establish clear incident reporting and cooperation expectations.

How does the rule affect the sale of protected health information?

The rule generally prohibits receiving remuneration in exchange for PHI without an explicit authorization for disclosure that explains the payment. Limited exceptions apply—such as certain public health, research, or operational disclosures where any payment is cost‑based rather than a sale.

What individual rights are expanded by the HIPAA Omnibus Final Rule?

Individuals gain streamlined access to electronic copies of PHI, the ability to direct you to send ePHI to a third party, the right to restrict disclosures to a health plan when they self‑pay in full, and timely breach notifications. Genetic information non‑discrimination protections are also reinforced.

What penalties apply for non-compliance with the HIPAA Omnibus Rule?

Enforcement uses a tiered civil monetary penalties structure that increases with culpability, including mandatory penalties for willful neglect. Regulators may also require corrective action plans, monitoring, and documentation to verify sustained Privacy Rule compliance and Security Rule requirements.
