What Is the HIPAA Omnibus Rule? Compliance Requirements and Best Practices

Kevin Henry

HIPAA

August 27, 2024

HIPAA Omnibus Rule Overview

The HIPAA Omnibus Rule (published January 25, 2013, compliance date September 23, 2013) is a major update to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules that implements the HITECH Act. It strengthens protections for Protected Health Information (PHI), extends direct accountability to vendors, and aligns requirements with modern Electronic Health Records. The rule raises expectations for Privacy and Security Policies and tightens how you assess and report incidents.

Key objectives

  • Extend safeguards for PHI across covered entities and their vendors.
  • Modernize privacy rights and access to electronic copies of information.
  • Standardize the Breach Notification Rule using a consistent risk framework.
  • Increase HIPAA Enforcement and penalties to drive sustained compliance.

Expanded Business Associate Liability

The rule makes business associates—and their subcontractors—directly liable for HIPAA compliance when they create, receive, maintain, or transmit PHI. This includes cloud service providers, data centers, EHR hosting firms, billing services, and analytics vendors. You must treat relevant downstream subcontractors as business associates too.

Core obligations for business associates

  • Implement administrative, physical, and technical safeguards that meet the Security Rule.
  • Use or disclose PHI only as permitted, applying the minimum necessary standard.
  • Report security incidents and potential breaches to the covered entity without unreasonable delay, and in no case later than 60 days after discovery (the BAA may set a shorter deadline).
  • Flow down the same requirements to subcontractors that handle PHI.

Business Associate Agreements

Business Associate Agreements must explicitly define permitted uses and disclosures, required safeguards, breach reporting timelines and content, subcontractor requirements, and termination, return, or destruction of PHI. Update BAAs when services change, security risks evolve, or laws are clarified.

Enhanced Patient Rights

Patients gain stronger control over their information. You must provide access to PHI in the requested electronic format when it is readily producible, including copies from Electronic Health Records, within the HIPAA-required time frame (30 days, extendable once by up to 30 days with written notice of the reason). Reasonable cost-based fees may apply.

  • Restriction rights: If a patient pays for an item or service out of pocket in full, you must honor a request not to disclose that information to the health plan for payment or health care operations, unless the disclosure is otherwise required by law.
  • Marketing and sale of PHI: Most uses for marketing or sale of PHI require individual authorization, with narrow exceptions.
  • Fundraising: Communications must allow a clear, simple opt-out that is honored.
  • Notices of Privacy Practices: Update and prominently communicate changes to reflect Omnibus requirements.

Stricter Breach Notification Standards

The Omnibus Rule presumes an impermissible use or disclosure of unsecured PHI is a breach unless you demonstrate a low probability that the PHI has been compromised. You must perform and document a risk assessment for each incident; the burden of proof is on you, not the regulator.

The four-factor risk assessment

  • Nature and extent of PHI involved (identifiers and likelihood of re-identification).
  • Unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (for example, prompt retrieval of the data or written assurances that it was destroyed). Note that PHI encrypted in line with HHS guidance, where the key was not also compromised, is not "unsecured" PHI, so the notification rule does not apply to it in the first place.

If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Follow the Breach Notification Rule for content and method. Notify HHS at the same time for breaches affecting 500 or more individuals; log smaller breaches and report them to HHS within 60 days after the end of the calendar year in which they were discovered. Notify prominent media outlets when a breach affects more than 500 residents of a single state or jurisdiction. Business associates must notify the covered entity and supply the details needed for individual notices.

Increased Penalties for Non-Compliance

Penalties scale with culpability across four tiers (did not know, reasonable cause, willful neglect that is corrected, and willful neglect that is not corrected) and can include corrective action plans and ongoing monitoring. The Omnibus Rule set civil penalties at up to $1.5 million per violation category per calendar year, a cap that HHS has since adjusted upward for inflation, with potential criminal exposure for certain wrongful disclosures.

HIPAA Enforcement actions consider the size of your organization, the scope and duration of violations, harm to individuals, and how promptly and thoroughly you mitigate and prevent recurrence.

Compliance Best Practices

Governance and culture

  • Designate a privacy officer and a security official with clear authority and resources.
  • Establish a risk-based compliance program that integrates legal, security, and operations.
  • Provide role-based training and refreshers tied to your Privacy and Security Policies.

Risk management and controls

  • Perform enterprise-wide Risk Assessments at least annually and after major changes.
  • Harden systems supporting Electronic Health Records with encryption, strong authentication, access controls, and audit logging.
  • Implement patching, vulnerability management, device encryption, and secure disposal.

Vendors and data lifecycle

  • Inventory all business associates; execute and maintain current Business Associate Agreements.
  • Conduct due diligence and periodic reviews of vendor safeguards; require timely incident reporting.
  • Apply the minimum necessary standard, data retention schedules, and de-identification where feasible.

Incident response and reporting

  • Document a step-by-step playbook for discovery, containment, forensics, the four-factor analysis, decisioning, and notification.
  • Track regulatory timelines, maintain proof of decisions, and coordinate with leadership and counsel.
  • Use after-action reviews to close gaps and prevent repeat issues.

Documentation and continuous improvement

  • Keep evidence of training, policies, Risk Assessments, BAAs, and breach analyses.
  • Test plans, run tabletop exercises, and adjust controls based on new threats and lessons learned.

Conclusion

The HIPAA Omnibus Rule expands accountability, strengthens patient rights, and standardizes breach response. By formalizing governance, executing strong BAAs, performing rigorous Risk Assessments, and operationalizing the Breach Notification Rule, you build a defensible, scalable compliance program that protects PHI and supports patient trust.

FAQs

What changes did the HIPAA Omnibus Rule introduce?

It extended HIPAA obligations and liability to business associates and subcontractors, strengthened patient rights to electronic access and restrictions, tightened marketing and sale-of-PHI rules, standardized breach risk assessments with a four-factor test, and increased enforcement and penalties for non-compliance.

Who is liable under the HIPAA Omnibus Rule?

Covered entities and business associates—including relevant subcontractors—are directly liable for safeguarding PHI and complying with the Privacy, Security, Breach Notification, and Enforcement Rules. Workforce members can trigger organizational liability and, in egregious cases, face criminal exposure under separate provisions.

What are the patient rights under the HIPAA Omnibus Rule?

Patients can access and obtain electronic copies of their PHI (including EHR data), request amendments, and ask you to restrict disclosures to a health plan when they pay out of pocket in full. They also receive clearer notices about uses of PHI, marketing, fundraising, and any reportable breaches.

How should organizations respond to breaches under the HIPAA Omnibus Rule?

Immediately contain the incident, investigate, and perform the four-factor risk assessment to determine whether the PHI was compromised. If it is a breach, notify affected individuals without unreasonable delay and within 60 days of discovery, follow the Breach Notification Rule, report to HHS (immediately for 500 or more individuals, otherwise in the annual log) and to the media when more than 500 residents of a state or jurisdiction are affected, document every step, and implement corrective actions to prevent recurrence.
