What the Final HIPAA Omnibus Rule Means for Your Organization
Expansion of Business Associates
What changed
The Final HIPAA Omnibus Rule broadens who qualifies as a business associate to include any vendor that creates, receives, maintains, or transmits Protected Health Information. This reaches cloud service providers, data storage companies, health information organizations, e‑prescribing gateways, and similar intermediaries—even when they do not routinely view the data.
Subcontractors that handle PHI on behalf of a business associate are also business associates. Your Business Associate Agreement must “flow down” HIPAA obligations to these subcontractors, ensuring HIPAA Security Rule Compliance across the entire chain of custody.
What you should do now
- Inventory every vendor and subcontractor that touches PHI, including hosted and managed-service providers.
- Update each Business Associate Agreement to define permitted uses/disclosures, minimum necessary standards, breach reporting timelines, and subcontractor obligations.
- Require documented risk analysis, encryption, access controls, and incident response from all business associates.
- Centralize vendor oversight with ongoing monitoring, attestations, and remediation tracking.
Direct Liability for Business Associates
What changed
Business associates are now directly liable for compliance with the HIPAA Security Rule and for certain Privacy Rule provisions. They must use and disclose PHI only as permitted, support access, amendment, and accounting of disclosures, and provide prompt breach notices to covered entities. Noncompliance can trigger civil penalties and corrective action plans.
Minimum necessary applies to business associates, and obligations extend downstream to subcontractors. Written policies, workforce training, and auditable documentation are no longer optional—they are table stakes.
What you should do now
- Perform a formal risk analysis and implement safeguards, audit logging, and contingency plans to demonstrate HIPAA Security Rule Compliance.
- Designate a security official, train staff, and document sanctions for violations.
- Amend BAAs to require the same controls and breach reporting by all subcontractors.
- Test your escalation and notification workflows so covered entities receive timely, complete incident information.
Prohibition on Sale of PHI
What changed
The Omnibus Rule prohibits the sale of PHI without a valid, specific Authorization for PHI Disclosure. “Sale” includes receiving direct or indirect remuneration in exchange for PHI. Limited exceptions exist (for example, public health activities, research with cost-based remuneration, treatment/payment, and providing individuals copies of their PHI for cost-based fees), but most remunerated data-sharing requires explicit authorization.
Marketing and fundraising rules are also tighter. If a third party financially remunerates you to send a communication, it generally requires a patient authorization, distinct from routine treatment or care coordination notices.
What you should do now
- Map all data flows and revenue streams involving PHI; identify any remunerated disclosures.
- Implement or update authorization forms to clearly describe the purpose, scope, and remuneration involved.
- Train teams on permissible communications and when an authorization is mandatory.
- Set up periodic reviews to confirm continuing necessity and compliance for each disclosure.
Enhanced Breach Notification Requirements
What changed
The Omnibus Rule retools the Breach Notification Rule with a presumption of breach unless you can document a low probability that PHI has been compromised. Organizations must conduct and retain a four-factor risk assessment: the nature/extent of PHI, who received it, whether it was actually viewed or acquired, and how effectively the risk was mitigated.
When notification is required, you must inform affected individuals without unreasonable delay and no later than 60 days after discovery. Report to HHS as required, and for incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media. Encryption or destruction that renders PHI unusable can qualify for safe harbor, but you must align with recognized standards.
What you should do now
- Build an incident response plan with intake, triage, risk assessment, and decision logs ready to execute.
- Embed breach reporting timelines and required content into Business Associate Agreements.
- Deploy technical controls—encryption, DLP, access monitoring—to reduce breach likelihood and leverage safe harbors.
- Practice tabletop exercises so teams can meet notification timelines with accurate, complete information.
Strengthened Patient Rights
What changed
Patients gain stronger access rights, including receiving PHI in electronic form when maintained electronically, within required timeframes, and for a reasonable, cost-based fee. Business associates that maintain ePHI must assist covered entities in fulfilling access and amendment requests.
Out-of-Pocket Payment Restrictions require you to honor a patient’s request to restrict disclosure to a health plan when the individual pays for a service in full out-of-pocket. You must flag and segment records and adjust billing workflows to prevent prohibited sharing.
The rule also implements GINA provisions by treating genetic information as PHI and prohibiting its use or disclosure for underwriting by health plans. Expect updates to your Notice of Privacy Practices and clearer opt-outs for fundraising communications.
What you should do now
- Enable electronic access (for example, through portals or secure delivery) and document turnaround times and fees.
- Implement record-segmentation controls and billing flags to enforce Out-of-Pocket Payment Restrictions.
- Revise your Notice of Privacy Practices and train staff on new rights and limitations.
- Confirm business associates can support access, amendments, and restrictions operationally.
Increased Enforcement and Penalties
What changed
OCR has expanded audit and enforcement tools, and the HIPAA Penalty Structure now applies in four escalating tiers, from lack of knowledge to willful neglect. Penalties can reach high caps per violation category per year, with higher exposure for uncorrected or repeated violations. Business associates face the same enforcement posture as covered entities.
What you should do now
- Document everything: governance decisions, risk analyses, technical safeguards, training, and vendor oversight.
- Close gaps tied to willful neglect quickly and track remediation to completion.
- Measure and report on key controls—access reviews, audit logs, encryption coverage, and incident metrics.
- Periodically re-evaluate BAAs and vendor controls to keep pace with operational changes.
Bottom line: the Final HIPAA Omnibus Rule pushes accountability across your ecosystem. Tighten vendor governance, elevate breach readiness, empower patients, and operationalize privacy and security as a continuous, measurable program.
FAQs
What changes does the Omnibus Rule make to business associate definitions?
It expands the definition to include any entity that creates, receives, maintains, or transmits PHI for a covered entity, and it extends obligations to subcontractors that handle PHI. Cloud and data-hosting providers are business associates even when they do not routinely view the data. Your Business Associate Agreement must require downstream subcontractors to adopt the same safeguards.
How does the rule affect liability for business associates?
Business associates are directly liable for complying with the Security Rule and for certain Privacy Rule duties, including limiting uses/disclosures, supporting individual rights, and issuing timely breach notices. They can face investigations, corrective action plans, and monetary penalties under the HIPAA Penalty Structure, and must flow down obligations to subcontractors.
What are the new breach notification requirements under the Omnibus Rule?
The rule presumes a breach unless you document a low probability of compromise using a four-factor risk assessment. Notifications to affected individuals must occur without unreasonable delay and within 60 days of discovery, with additional reports to HHS and, for larger incidents, the media. The Breach Notification Rule recognizes encryption/destruction safe harbors when PHI is rendered unusable.
How are patient rights enhanced by the Omnibus Rule?
Patients can obtain electronic copies of their PHI for a reasonable, cost-based fee and within required timeframes. They may restrict disclosure to health plans for services paid in full out-of-pocket, and genetic information cannot be used or disclosed for underwriting by health plans. These changes require updated processes, systems, and staff training to honor requests consistently.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.