Which Rule Expanded HIPAA to Business Associates? The Omnibus Rule Explained
If you have wondered which rule expanded HIPAA to business associates, the answer is the 2013 HIPAA Omnibus Rule. This landmark update made business associates and their subcontractors directly responsible for safeguarding Protected Health Information (PHI) and complying with the HIPAA Privacy Rule and HIPAA Security Rule. It also strengthened Business Associate Agreement requirements and enforcement.
Understanding what changed—and what you must do—helps you manage vendor risk, tighten PHI safeguards, and avoid costly compliance gaps.
Overview of the Omnibus Rule
The HIPAA Omnibus Rule, issued in 2013 to implement key provisions of the HITECH Act, finalized sweeping updates to the Privacy, Security, Breach Notification, and Enforcement rules. It clarified obligations for vendors that create, receive, maintain, or transmit PHI on behalf of covered entities, closing long‑standing gaps in the regulatory framework.
Key effects of the Omnibus Rule included stronger breach notification standards, expanded definitions of who is covered, and the imposition of direct liability on business associates. It also required updates to Business Associate Agreements to reflect new duties and risk allocation.
- Extended HIPAA compliance to business associates and qualifying subcontractors.
- Strengthened breach notification through a risk‑based assessment standard.
- Mandated updated contracts and documentation across the vendor ecosystem.
- Enhanced enforcement with audits and tiered penalties for noncompliance.
Expansion of Business Associate Definition
The Omnibus Rule broadened “business associate” to include any person or entity that creates, receives, maintains, or transmits PHI for a covered entity, whether or not the vendor actually views the data. This captured modern services—especially cloud, hosted, and managed solutions—that store PHI.
Examples commonly qualifying as business associates include:
- Cloud service providers, data centers, and backup vendors that maintain PHI.
- Billing companies, coding services, practice management and EHR vendors.
- Health information exchanges, e-prescribing gateways, and registry operators.
- Legal, actuarial, accounting, analytics, and consulting firms handling PHI for a covered entity.
- Shredding, scanning, and data destruction vendors that process PHI.
Vendors acting as mere conduits (for example, basic postal or telecom carriers that simply transmit information without persistent storage) generally do not qualify. However, once a vendor “maintains” PHI—even if encrypted and not routinely accessed—it is typically a business associate under the Omnibus Rule.
Compliance Requirements for Business Associates
After the Omnibus Rule, business associates must implement the HIPAA Security Rule in full and comply with key provisions of the HIPAA Privacy Rule. This creates direct, independent obligations—no longer limited to contract terms with a covered entity.
- Perform a documented risk analysis and apply risk management to all systems that create, receive, maintain, or transmit PHI.
- Implement administrative, physical, and technical PHI safeguards, including access controls, encryption where appropriate, audit logging, and contingency plans.
- Limit uses and disclosures to what the Business Associate Agreement and law permit; apply minimum necessary standards.
- Train workforce members, manage sanctions, and maintain written policies and procedures.
- Report breaches to the covered entity consistent with the Breach Notification Rule’s risk‑of‑compromise assessment.
- Support individual rights when required (for example, facilitating access, amendments, or accounting of disclosures through the covered entity).
These changes mean you must treat HIPAA as a program—governed by leadership, measured by controls, and validated by evidence—rather than a set of ad hoc tasks.
Subcontractor Responsibilities under HIPAA
The Omnibus Rule extended HIPAA downstream: any subcontractor that a business associate engages to create, receive, maintain, or transmit PHI becomes a business associate in its own right. Subcontractor compliance is therefore mandatory, not optional.
- Execute written agreements with subcontractors that “flow down” all applicable Privacy and Security Rule obligations.
- Require subcontractors to implement Security Rule controls and report breaches promptly.
- Verify subcontractor compliance through due diligence, security questionnaires, and, where appropriate, audits.
- Ensure subcontractors cascade the same requirements to any further downstream vendors.
Practically, you should treat your subcontractor ecosystem as an extension of your own environment—measured by the same standards and monitored continuously.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Written Agreement Obligations
Business Associate Agreements are the backbone of vendor governance under HIPAA. The Omnibus Rule requires BAAs to articulate specific duties, limits on PHI use, and consequences for noncompliance, aligning contracts with regulatory expectations.
- Permitted and required uses/disclosures of PHI, consistent with the Privacy Rule and minimum necessary.
- Commitment to implement HIPAA Security Rule controls and maintain appropriate PHI safeguards.
- Obligation to report breaches, suspected breaches, and security incidents without unreasonable delay.
- Flow‑down clauses requiring subcontractors to agree to the same restrictions and protections.
- Provisions to provide or support access, amendments, and accounting of disclosures when required.
- Return or secure destruction of PHI at termination, if feasible, and retention terms for required documentation.
- Rights to terminate for cause upon a pattern of noncompliance.
Review BAAs regularly, align them with your current services and data flows, and ensure contract language matches operational reality.
Privacy and Security Rule Enforcement
By imposing direct liability on business associates, the Omnibus Rule enabled regulators to investigate and penalize vendors independently of covered entities. The Office for Civil Rights (OCR) can audit business associates, initiate investigations, and apply tiered civil monetary penalties based on culpability and corrective action.
- Direct enforcement for Security Rule violations and specified Privacy Rule violations.
- Penalties for failing to provide breach notification, to maintain required documentation, or to execute compliant BAAs.
- Aggravating and mitigating factors include the number of affected individuals, duration, harm, cooperation, and remediation.
- Resolution agreements can require corrective action plans, monitoring, and significant financial settlements.
The result is a formal, auditable expectation that business associates operate mature privacy and security programs—not merely sign contracts.
Impact on the Healthcare Industry
The Omnibus Rule reshaped how healthcare organizations and vendors work together. Covered entities expanded vendor risk management, updated procurement processes, and aligned contracts with operational controls. Business associates formalized security architectures, incident response, and compliance reporting.
- For covered entities: structured third‑party risk programs, standardized BAAs, and ongoing oversight of PHI safeguards.
- For business associates: end‑to‑end asset inventories, least‑privilege access, encryption strategies, logging and monitoring, and tested breach response.
- For both: clearer allocation of responsibilities, better visibility into data flows, and stronger resilience against cybersecurity threats.
Taken together, the Omnibus Rule definitively expanded HIPAA to business associates and subcontractors, imposed direct liability, and made the Business Associate Agreement a central control. If you handle PHI for a covered entity, you are expected to implement and prove compliance with the HIPAA Privacy Rule and HIPAA Security Rule in day‑to‑day operations.
FAQs
What entities are considered business associates under the Omnibus Rule?
Any vendor that creates, receives, maintains, or transmits PHI for a covered entity—such as cloud storage providers, billing and coding companies, EHR vendors, consultants, and data destruction services—generally qualifies as a business associate. Mere conduits that only transmit data without persistent storage typically do not.
How did the Omnibus Rule change subcontractor responsibilities?
Subcontractors of business associates that handle PHI became business associates themselves. They must implement HIPAA Security Rule controls, follow relevant Privacy Rule provisions, sign flow‑down agreements, notify upstream parties of breaches, and ensure their own downstream vendors maintain the same level of compliance.
What are the key compliance obligations for business associates?
Core obligations include conducting a risk analysis, implementing administrative, physical, and technical PHI safeguards, limiting uses and disclosures per the BAA and law, training workforce members, maintaining policies and documentation, managing subcontractors through compliant agreements, and providing prompt breach notification.
How does the Omnibus Rule affect HIPAA enforcement?
The Omnibus Rule created direct liability for business associates, enabling OCR to audit and penalize them independently for violations of the Security Rule, specified Privacy Rule provisions, and breach notification failures. Enforcement now evaluates both contractual compliance and operational control effectiveness.