What Did the January 2013 HIPAA Omnibus Rule Do? Key Changes, Patient Rights, and Who Is Affected

Kevin Henry

HIPAA

July 15, 2025

8 minutes read

The January 2013 HIPAA Omnibus Rule finalized major updates to the Privacy, Security, Breach Notification, and Enforcement Rules, aligning them with the HITECH Act and Genetic Information Nondiscrimination Act (GINA). Published on January 25, 2013, it took effect March 26, 2013, with compliance required by September 23, 2013. These changes affect covered entities, business associates, and their subcontractors handling Protected Health Information (PHI).

At its core, the rule expands who is directly accountable, tightens the Breach Notification Rule, enhances patient rights, and raises HIPAA enforcement penalties. You must evaluate Security Rule compliance, update Business Associate Agreements, and revise your Notice of Privacy Practices to reflect the new standards.

Expansion of Business Associates' Responsibilities

The Omnibus Rule broadened who counts as a “business associate” and made these entities directly liable for key HIPAA requirements. If you create, receive, maintain, or transmit PHI for a covered entity, you’re likely in scope—even when you never actually view the data.

Who is now included

  • Data transmission and hosting services with routine or persistent access to PHI (for example, cloud storage, managed IT, and backup vendors).
  • Health Information Organizations, e-prescribing gateways, and vendors offering personal health record services on behalf of a covered entity.
  • Subcontractors of business associates that handle PHI, creating a full “chain of trust.”

Direct obligations and agreements

  • Direct liability for Security Rule compliance: perform risk analysis, implement administrative, physical, and technical safeguards, and maintain workforce training and sanctions.
  • Privacy Rule duties: use or disclose PHI only as permitted, provide access to PHI as needed for individual rights, and ensure subcontractors sign downstream Business Associate Agreements (BAAs).
  • Updated BAAs: agreements executed or renewed after March 26, 2013 had to reflect the new terms by September 23, 2013, with limited transition relief for certain pre‑January 25, 2013 contracts until September 22, 2014.

Strengthened Breach Notification Requirements

The rule replaced the old “harm” standard with a presumption that any impermissible use or disclosure of unsecured PHI is a breach unless you can document a low probability that PHI was compromised. Your analysis must follow the Breach Notification Rule’s four-factor test.

The required four-factor risk assessment

  • Nature and extent of PHI involved, including identifiers and likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to PHI has been mitigated.

Timelines and recipients

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • For incidents affecting 500 or more individuals in a state or jurisdiction, also notify prominent media outlets and the U.S. Department of Health and Human Services (HHS) within 60 days.
  • For fewer than 500 individuals, log the event and report annually to HHS within 60 days of the end of the calendar year.
  • Business associates must notify the covered entity without unreasonable delay and within 60 days of discovery.

Safe harbors and documentation

  • No breach notification is required if PHI was secured via strong encryption or proper destruction under HHS guidance.
  • Maintain written risk assessments and incident documentation as part of your compliance record.

Enhanced Patient Rights

The Omnibus Rule strengthened individuals’ control over their PHI and how it is shared. You must have processes that deliver timely access and honor new restrictions.

Electronic access and directed copies

  • Provide an electronic copy of PHI maintained in an electronic health record in the requested form and format if readily producible.
  • Upon an individual’s written request, transmit a copy directly to a designated third party.
  • Fulfill requests within 30 days (one 30‑day extension permitted) and limit fees to reasonable, cost‑based amounts.

Restriction on disclosures to health plans

  • When a patient pays a provider out of pocket in full, you must honor a request not to disclose that treatment information to a health plan for payment or operations.

Prohibition on Sale of Health Information

The rule generally prohibits the sale of PHI without an individual’s valid authorization that states whether remuneration is involved. “Sale” means receiving direct or indirect payment in exchange for PHI.

  • Narrow exceptions include disclosures for public health, research with only cost-based remuneration, and certain treatment, payment, or health care operations.
  • De-identified data is not PHI under HIPAA; however, you still must follow proper de-identification standards before any transfer of value occurs.

Restrictions on Marketing and Fundraising

The Omnibus Rule tightened marketing and clarified fundraising rules to protect patient preferences. Update policies and your Notice of Privacy Practices accordingly.

Marketing

  • Patient authorization is required when a third party provides financial remuneration for a communication that promotes a product or service.
  • Refill reminders or adherence communications are permissible if any payment is reasonably related to the cost of making the communication.
  • Face-to-face communications and promotional gifts of nominal value remain permitted without authorization.

Fundraising

  • Covered entities may use limited PHI (for example, demographic data and dates of service) for fundraising.
  • You must give a clear, simple opt-out in each fundraising communication and honor the choice across future outreach.

Increased Penalties for Non-Compliance

HIPAA enforcement penalties became tougher and apply directly to business associates. The tiered civil penalty framework scales with culpability and corrective efforts.

  • Did not know: $100 to $50,000 per violation.
  • Reasonable cause: $1,000 to $50,000 per violation.
  • Willful neglect—corrected: $10,000 to $50,000 per violation.
  • Willful neglect—not corrected: $50,000 per violation.
  • Annual cap of $1.5 million per violation type, with factors such as the nature and extent of the violation and the resulting harm considered when setting the amount.

Expect proactive investigations where willful neglect is indicated, and maintain documentation demonstrating Security Rule compliance, workforce training, and timely breach responses.

Genetic Information Nondiscrimination Act Protections

The Omnibus Rule implemented GINA within HIPAA by treating genetic information as PHI and restricting its use by health plans. You must adjust underwriting and privacy policies to align with Genetic Information Nondiscrimination requirements.

  • Health plans (other than long‑term care plans) cannot use or disclose genetic information for underwriting purposes.
  • Genetic information includes family medical history and results of genetic tests.

Extended Protection for Deceased Individuals' PHI

PHI of deceased individuals remains protected for 50 years following the date of death. After 50 years, the information is no longer PHI under HIPAA, though other laws may still apply.

  • Providers may disclose relevant PHI to family members and others involved in the individual’s care or payment prior to death, unless the decedent expressed a contrary preference.

Revisions to Notice of Privacy Practices

You must revise and redistribute your Notice of Privacy Practices (NPP) to reflect Omnibus Rule changes. Patients should clearly understand how their PHI may be used, their choices, and how to exercise their rights.

  • Describe uses and disclosures that require authorization, including marketing, sale of PHI, and most uses of psychotherapy notes.
  • State that individuals will be notified following a breach of unsecured PHI.
  • Explain the right to restrict disclosures to health plans for services paid out of pocket in full.
  • Outline fundraising practices and provide a clear opt-out mechanism.

Health plans must post the updated NPP on their websites and distribute as required; providers must post it prominently and make it available at service locations and upon request.

FAQs

What entities are considered business associates under the HIPAA Omnibus Rule?

Business associates include vendors and subcontractors that create, receive, maintain, or transmit PHI for a covered entity. Examples are cloud hosting and backup providers, EHR and billing vendors, Health Information Organizations, e-prescribing gateways, data analytics firms with PHI access, legal and accounting firms handling PHI, and personal health record vendors operating on a covered entity’s behalf. Subcontractors that handle PHI are business associates, too, and must sign downstream agreements.

How did the Omnibus Rule change breach notification requirements?

It created a presumption that any impermissible use or disclosure of unsecured PHI is a reportable breach unless you document a low probability of compromise using a four-factor risk assessment. It also clarified timelines—notify individuals without unreasonable delay and within 60 days, notify HHS (and, for large incidents, the media), and ensure business associates promptly notify covered entities. Strong encryption or proper destruction provides a safe harbor.

What new patient rights were introduced by the January 2013 rule?

Patients gained a stronger right to access and receive electronic copies of their PHI and to direct a copy to a third party. They can also require providers not to disclose information about services paid out of pocket in full to a health plan. The rule set deadlines for fulfilling requests and limited fees to reasonable, cost-based amounts.

How does the Omnibus Rule affect the sale of health information?

It generally bans the sale of PHI without an individual’s explicit authorization that discloses any remuneration. Limited exceptions apply, such as disclosures for public health, research with only cost-based payments, and certain treatment, payment, or operations. De-identified data falls outside HIPAA, but you must follow recognized de-identification methods before any compensated transfer.
