What the 2013 HIPAA Omnibus Rule Did: Compliance Impact and Actions



Kevin Henry

HIPAA

August 26, 2024


Expanded Regulation of Business Associates

The 2013 HIPAA Omnibus Rule made business associates—and their subcontractors—directly accountable for Privacy Rule compliance and Security Rule requirements. If a vendor creates, receives, maintains, or transmits protected health information (PHI) on your behalf, it is a business associate, not merely a conduit.

This expansion reaches EHR and billing vendors, cloud and data-hosting providers, eFax and email services that handle PHI, health information exchanges, eDiscovery firms, and analytics firms. These entities must perform risk analyses, implement safeguards, and document how they protect PHI, just as covered entities do.

Action checklist

  • Inventory all vendors and map PHI data flows, including subcontractors.
  • Designate each vendor’s role and confirm business associate status.
  • Require written assurances that Security Rule controls are implemented.
  • Establish incident reporting lines and escalation criteria.
  • Verify workforce training and sanction policies at your business associates.

Modified Breach Notification Standards

The rule replaced the prior “risk of harm” test with a presumption of breach unless you can show a low probability that the PHI was compromised. To rebut that presumption you must conduct and document a four-factor risk assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Notifications must be made without unreasonable delay and no later than 60 days after discovery. The breach notification standards also require notifying HHS (and the media for incidents affecting 500 or more individuals). Encryption and proper disposal, when applied consistently, provide a strong safe harbor because PHI rendered unusable, unreadable, or indecipherable is not treated as “unsecured.”

Action checklist

  • Adopt a standard breach risk assessment template aligned to the four factors.
  • Set internal detection-to-notice timelines and verify clock-start rules.
  • Pre-draft notice content and maintain up-to-date contact data sources.
  • Use NIST-aligned encryption and robust media disposal to reduce exposure.
  • Run tabletop exercises to test decision-making and documentation quality.

Established Tiered Civil Monetary Penalties

The Omnibus Rule finalized HITECH’s tiered Civil Monetary Penalties based on culpability: from violations you could not have known about to willful neglect. Per-violation penalties range from $100 to $50,000, with an annual cap of $1.5 million per violation category, subject to periodic inflation adjustments.

OCR weighs factors like the scope of the violation, number of individuals affected, duration, and corrective action. Strong governance, timely remediation, and clear documentation meaningfully reduce enforcement risk.

Action checklist

  • Track violations by category to avoid breaching annual caps.
  • Document good-faith efforts, corrective actions, and timelines.
  • Institute executive oversight for privacy and security metrics.
  • Align sanctions with workforce accountability and repeat-offender controls.

Updated Business Associate Agreements

Business Associate Agreements must now reflect direct obligations under the Security Rule and key Privacy Rule terms. Agreements must require breach reporting, flow-down of all requirements to subcontractors, minimum necessary use, and restrictions on marketing and sale of PHI.

Effective BAAs specify permitted uses and disclosures, audit and cooperation duties, incident reporting timelines, return or destruction of PHI at termination, and ongoing compliance attestations. Clear metrics and service levels help you verify real-world compliance.


Action checklist

  • Update templates to include Security Rule Requirements and breach reporting windows.
  • Require subcontractor flow-down and proof of training and risk analysis.
  • Define right-to-audit, evidence production, and remediation obligations.
  • Include termination assistance and PHI disposition provisions.
  • Map BAAs to vendor tiers and data criticality for oversight intensity.

Incorporated Genetic Nondiscrimination Provisions

The rule integrated Genetic Information Nondiscrimination Act (GINA) protections into HIPAA, barring most health plans from using or disclosing genetic information for underwriting. Genetic information is PHI and receives the full protections of the Privacy Rule.

Plan communications and Notice of Privacy Practices must reflect these limits. Providers may still use genetic information for treatment and payment operations, but underwriting uses are off-limits for applicable plans.

Action checklist

  • Classify genetic data elements and tag them in systems as PHI.
  • Block underwriting workflows from accessing genetic information.
  • Revise plan notices and training to reflect the GINA protections.
  • Audit plan vendors for prohibited uses and disclosures.

Enhanced Privacy and Security Protections

The Omnibus Rule strengthened patient rights and Privacy Rule compliance: electronic access to PHI, the right to restrict disclosures to a health plan when the individual pays in full out-of-pocket, clearer rules for marketing and fundraising, and tighter limits on the sale of PHI. Notices of Privacy Practices must be updated accordingly.

Security enhancements emphasized ongoing risk analysis, device and media controls, access management, transmission security, and monitoring. Both covered entities and business associates must maintain documented, tested safeguards for PHI.

Action checklist

  • Refresh the risk analysis and risk management plan at least annually.
  • Harden endpoints and mobile devices; encrypt data at rest and in transit.
  • Implement minimum necessary access, logging, and alerting.
  • Update the Notice of Privacy Practices and verify distribution.
  • Train workforce members on new rights, restrictions, and reporting paths.

Required Employer Policy Revisions

Employers that sponsor group health plans must separate plan PHI from employment records and update plan documents, privacy policies, and training. Ensure HR staff access only plan PHI necessary for plan administration and not for employment decisions.

Revise vendor oversight, incident response, BYOD and remote work rules, retention and disposal, and sanctions. Align internal audits to verify Security Rule controls, breach handling, and BAA compliance across all plan-related vendors.

Conclusion

The 2013 HIPAA Omnibus Rule broadened who is regulated, raised accountability through tiered penalties, modernized the breach notification standards, and required stronger business associate agreements and safeguards. By operationalizing these changes, you build resilient privacy and security programs that protect individuals and your organization.

FAQs

What entities are directly regulated under the 2013 HIPAA Omnibus Rule?

Covered entities (health plans, health care clearinghouses, and providers that conduct standard transactions) and business associates are directly regulated, along with their subcontractors that create, receive, maintain, or transmit PHI on their behalf.

How did the breach notification requirements change?

The rule created a presumption of breach unless you demonstrate a low probability that PHI was compromised using a four-factor risk assessment. It also reinforced the timelines and content for individual, HHS, and, when applicable, media notices.

What are the penalties for noncompliance under the Omnibus Rule?

Penalties follow a tiered structure based on culpability, ranging from $100 to $50,000 per violation, with up to $1.5 million per violation category per year (subject to inflation adjustments), plus corrective action plans and monitoring where warranted.

How must business associate agreements be updated?

BAAs must require Security Rule compliance, breach reporting within defined timeframes, minimum necessary use, prohibition on unauthorized marketing and sale of PHI, subcontractor flow-down, audit cooperation, and PHI return or destruction at termination.
