What the HIPAA Omnibus Rule Means for Covered Entities Today

Kevin Henry

HIPAA

August 19, 2024

The HIPAA Omnibus Rule reshaped day-to-day compliance by extending obligations beyond covered entities to vendors, tightening breach standards, elevating patient rights, and sharpening enforcement. If you handle protected health information, the Rule defines how you manage Business Associate Agreements, assess incidents, update Notices of Privacy Practices, and secure electronic systems under active Office for Civil Rights Enforcement.

Business Associates' Direct Liability

The Omnibus Rule makes business associates—and their subcontractors—directly liable for complying with the HIPAA Security Rule and key Privacy Rule provisions. You must treat vendors that create, receive, maintain, or transmit PHI as regulated partners, not just contract counterparties.

  • Execute and maintain comprehensive Business Associate Agreements that “flow down” obligations to subcontractors.
  • Require business associates to implement administrative, physical, and technical safeguards and to document those controls.
  • Ensure business associates report security incidents and potential breaches to you without unreasonable delay.
  • Limit uses and disclosures to the minimum necessary and align with your policies and authorizations.
  • Verify business associate readiness to respond to OCR investigations and support access, amendment, and accounting requests.

Practically, this means robust vendor due diligence, written onboarding checklists, and routine reviews of business associate performance, including evidence of training, audits, and risk management.

Breach Notification Requirements

The Omnibus Rule presumes an impermissible use or disclosure of Unsecured Protected Health Information is a breach unless a documented risk assessment shows a low probability of compromise. Your Risk Assessment Procedures should examine the nature and extent of PHI, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent of mitigation.

  • Immediately contain the incident, preserve logs, and initiate forensic triage.
  • Complete a written risk assessment and determine if notification is required.
  • If required, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Notify the Office for Civil Rights for all breaches; for 500 or more affected individuals in a state or jurisdiction, also notify prominent media.
  • Maintain a breach log; for incidents affecting fewer than 500 individuals, report to OCR annually within the required timeframe.

“Unsecured” means PHI not rendered unusable, unreadable, or indecipherable (for example, not properly encrypted or destroyed). Strengthening encryption and key management reduces your breach exposure and notification obligations.

Enhanced Patient Rights

The Omnibus Rule reinforces a patient’s right to timely access to ePHI and to obtain an electronic copy in the requested form and format when it is readily producible. You should be able to transmit records securely to patients or to a designated third party, aligning access workflows with Electronic Health Records Security controls.

Patients may require you to restrict disclosure of treatment services to a health plan when they—or someone on their behalf—pay in full out of pocket. Build this option into intake, billing, and release-of-information processes to prevent inadvertent plan disclosures.

The Rule implements Genetic Information Nondiscrimination principles by treating genetic information as PHI and restricting use or disclosure for underwriting purposes. Update policies, training, and system flags so staff recognize and correctly handle genetic data across clinical, research, and billing contexts.

Marketing and Sale of PHI

Most marketing communications using PHI require prior, written patient authorization, particularly when a third party provides financial remuneration. Limited exceptions exist (for example, face-to-face communications and nominal promotional gifts), and treatment or care coordination messages must be carefully scoped to remain compliant.

The sale of PHI is generally prohibited without explicit authorization. “Sale” includes disclosures where you receive direct or indirect remuneration in exchange for PHI, with narrow exceptions such as public health activities and certain research disclosures limited to cost-based fees. Before any outreach:

  • Determine whether the communication is marketing or treatment-related.
  • Assess if any remuneration is involved and whether an exception applies.
  • Secure appropriate authorization language and provide the right to revoke.

Increased Penalties for Non-Compliance

The Omnibus Rule strengthened a tiered civil monetary penalty framework that scales with culpability—from reasonable cause to willful neglect—with corrective actions and audits enforced by OCR. Resolution agreements often include multi-year corrective action plans with reporting and verification.

Frequent triggers include missing or outdated Business Associate Agreements, inadequate Risk Assessment Procedures, failure to notify after a breach, or incomplete Notices of Privacy Practices. Reducing exposure requires governance and proof of performance:

  • Assign accountable owners for privacy, security, and vendor management, with board or executive oversight.
  • Deliver role-based training and document attendance, comprehension, and periodic refreshers.
  • Conduct internal audits, remediate gaps, and retain evidence of completion.
  • Exercise incident response and breach notification playbooks; time each step.
  • Centralize policy management and version control to demonstrate continuous compliance.

Strengthened Security Requirements

The Security Rule’s risk analysis and risk management expectations are explicit under the Omnibus framework: identify threats and vulnerabilities, rate risk, implement controls, and monitor effectiveness. Treat “addressable” specifications—like encryption—as required unless you document a reasonable and equivalent alternative.

  • Implement strong encryption for data at rest and in transit, with key management and device and media controls for laptops, mobile devices, and backups.
  • Harden Electronic Health Records Security with access controls, multi-factor authentication, and automatic logoff.
  • Enable audit controls, retain logs, and regularly review alerts for anomalous access.
  • Apply secure configuration baselines, patch management, and vulnerability scanning.
  • Vet vendors, include security requirements in Business Associate Agreements, and verify with evidence (reports, tests, attestations).
  • Test disaster recovery and data restoration; document outcomes and improvements.
  • Deliver continuous workforce security awareness with phishing and privacy exercises.

Updated Privacy Notices

The Omnibus Rule requires Notices of Privacy Practices to describe uses and disclosures that require authorization (including marketing and sale of PHI), the right to opt out of fundraising communications, breach notification duties, the right to restrict disclosures for services paid out of pocket, and patients’ e-access rights.

Keep your notice clear, concise, and accessible. Post the current version in facilities, provide it on request, and ensure your website displays the latest notice. When material changes occur, revise the notice and redistribute or otherwise make it available as required.

In short, the HIPAA Omnibus Rule operationalizes privacy and security across your entire ecosystem—vendors, technology, and workflows. By tightening vendor oversight, formalizing breach Risk Assessment Procedures, honoring expanded patient rights, and maintaining accurate Notices of Privacy Practices, you strengthen compliance and trust while reducing enforcement risk.

FAQs

What responsibilities do business associates have under the Omnibus Rule?

Business associates are directly liable for complying with the Security Rule and certain Privacy Rule provisions. They must implement safeguards, limit uses and disclosures, report incidents and breaches to the covered entity, maintain required documentation, ensure subcontractor compliance through Business Associate Agreements, support access and accounting requests, and cooperate with Office for Civil Rights Enforcement activities.

How soon must covered entities report a breach of PHI?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of Unsecured Protected Health Information. You must also notify OCR; for incidents affecting 500 or more individuals in a state or jurisdiction, notify prominent media as well. Breaches affecting fewer than 500 individuals are logged and reported to OCR annually within the required timeframe.

What patient rights were enhanced by the HIPAA Omnibus Rule?

Patients gained stronger rights to obtain electronic copies of ePHI in a requested format, to have information sent to a designated third party, and to require restrictions on disclosures to health plans for services paid in full out of pocket. The Rule also treats genetic information as PHI under Genetic Information Nondiscrimination principles and requires updated Notices of Privacy Practices that explain these rights and breach notifications.
