
HIPAA Omnibus Rule: Key Updates for Covered Entities and BAs

TL;DR

  • The HIPAA Omnibus Rule (effective 2013) consolidates and strengthens HIPAA’s Privacy, Security, Enforcement, and Breach Notification Rules into one cohesive regulation, implementing provisions from the HITECH Act and the GINA Act to better protect patient health information in the digital age.
  • Key changes include mandatory breach reporting for any unauthorized PHI disclosure (regardless of scale), direct liability for business associates and their subcontractors, stricter marketing restrictions requiring patient authorization, protections for genetic information, and penalties up to $1.5 million per violation type per year.

Every year, a large number of data breaches happen in the US healthcare system, putting the privacy of millions of patients at risk. Most of these incidents have been found to occur among business associates, which is worrying. This is why the federal government took decisive action and implemented the HIPAA Omnibus Rule as part of HIPAA’s ongoing regulatory updates, strengthening the existing framework to better protect patient data and hold business associates directly accountable.

In this article, we discuss what the Omnibus Rule is and the new changes you need to be aware of.

Let’s dive in…

What is the Omnibus Rule of HIPAA?

The Omnibus Rule precludes the use or disclosure of genetic information in accordance with the GINA Act and modifies HIPAA’s Privacy, Security, and Enforcement Rules to enhance their effectiveness and flexibility.

The goal of the HIPAA Omnibus Rule is to harmonize all previously passed regulations into one cohesive rule made up of tighter security protocols that are easy to understand and comply with. The HIPAA Omnibus Rule became effective in 2013.

All healthcare entities have had to become familiar with its provisions; failure to comply results in serious legal and financial consequences.

The HIPAA Omnibus Rule is a landmark achievement for protecting the confidential health information of consumers in the digital era. As healthcare systems increasingly rely on APIs, email, and third-party integrations to transmit PHI, the rule reinforces that PHI must be protected both at rest and in transit across all systems and networks, not just within the walls of a healthcare facility.

The final Omnibus Rule was created as a more stringent measure to protect the vital health information of patients and to provide them access to their own health records.

This is in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act, a 2009 law that expanded the use of electronic health records and recognized that existing HIPAA protections were insufficient to address the privacy and security risks that came with widespread digital health data. The Omnibus Rule effectively operationalized HITECH’s mandates into enforceable HIPAA requirements.

This rule put more responsibility on the shoulders of service providers and employers. It strengthened existing policies, consequently increasing data security and, most importantly, giving individuals the access they need to retrieve their own health records.

The final Omnibus Rule was published on January 25, 2013, and took effect on March 26, 2013. Covered entities and business associates were given until September 23, 2013, to achieve full compliance, including updating Business Associate Agreements, revising Notice of Privacy Practices, and implementing any required policy and procedural changes.

What is the Purpose of HIPAA Omnibus Rules?

The Omnibus Final Rule was born out of a need to protect confidential patient information that has been entrusted to health care providers and their business partners.

The HIPAA Omnibus Rule – also known as the Omnibus Final Rule – updates and expands upon HIPAA’s Privacy, Security, Enforcement, and Breach Notification Rules. Enacted as the HIPAA Omnibus Rule of January 2013, it introduced significant changes, including direct liability for business associates, making them accountable for safeguarding protected health information (PHI). The rule also provides individuals with additional rights concerning their PHI, allowing them to request copies of their medical information and get an overview of how their personal data may have been shared or used.

What are the new changes in the HIPAA omnibus rules?

The HIPAA Omnibus Rule requires healthcare organizations to update their Business Associate Agreements, verify that Business Associates are complying with the HIPAA Security Rule, and issue an updated Notice of Privacy Practices.

Here are the changes in detail:

Breach notification

HHS’s new approach to breach notification dramatically changed how security breaches are reported. Prior to the Omnibus Rule, only a breach affecting 500 or more individuals necessitated an official notification; any lesser number was disregarded.

The Omnibus Rule fundamentally changed this by introducing a presumption that any impermissible use or disclosure of PHI constitutes a reportable breach unless the organization can demonstrate a low probability that the PHI has been compromised. The burden of proof falls on the covered entity or business associate to prove the incident does not require notification, not the other way around.

To make this determination, organizations must perform and document a four-factor risk assessment evaluating:

  • The nature and extent of the PHI involved: What type of data was exposed, including the types of identifiers and the likelihood of re-identification
  • Who accessed or could have accessed the PHI: Whether the recipient was authorized or had an obligation to protect the data
  • Whether the PHI was actually viewed or used: Evidence that the data was not actually accessed can reduce the probability of compromise
  • Whether the risk has been mitigated: For example, if the data was encrypted, destroyed, or otherwise rendered unusable before it could be exploited

If the risk assessment cannot demonstrate a low probability of compromise across all four factors, breach notification is required. This change is likely to result in a significant increase in reported security incidents, which is precisely the outcome the rule was designed to achieve.

HIPAA Omnibus rule and Business Associates

According to this rule, the HIPAA Privacy Rule and Security Rule must now be enforced directly against business associates who provide services to healthcare entities, and against their subcontractors. This marked a significant shift: prior to the Omnibus Rule, business associates were largely governed through their contracts with covered entities rather than being directly regulated by HIPAA.

Under the Omnibus Rule, business associates are now directly responsible for:

  • Protecting PHI using security controls: Implementing the same administrative, technical, and physical safeguards required of covered entities
  • Reporting breaches: Notifying covered entities of any impermissible use or disclosure of PHI within the required timeframes
  • Limiting how PHI is used or shared: Using or disclosing PHI only as permitted by their BAA and the HIPAA Privacy Rule
  • Ensuring subcontractor compliance: Extending HIPAA obligations down the supply chain by ensuring any subcontractors handling PHI on their behalf are also bound by equivalent protections

Existing business associate agreements must be updated to reflect these expanded obligations. Moreover, covered entities are urged to improve their review processes for measuring business associate compliance and to apply liability protections in business associate contracts.

Subcontractor responsibility and the chain of compliance

The Omnibus Rule extends HIPAA obligations beyond the immediate business associate relationship. If a business associate engages a subcontractor (any vendor or third party that creates, receives, maintains, or transmits PHI on the business associate’s behalf), that subcontractor must also comply with HIPAA. This creates a chain of responsibility that follows PHI wherever it flows, ensuring that no vendor in the supply chain can handle patient data outside of HIPAA’s protections simply because they are one step removed from the covered entity.

What a business associate agreement must cover

At the heart of this chain of compliance is a properly drafted Business Associate Agreement. Under the Omnibus Rule, a BAA must clearly define:

  • Permitted uses of PHI: How the business associate is authorized to use or disclose PHI and for what purposes
  • Security requirements: The safeguards the business associate must implement to protect PHI in accordance with the HIPAA Security Rule
  • Breach reporting responsibilities: The timeframes and procedures for notifying the covered entity of any impermissible use or disclosure of PHI
  • Restrictions on further sharing: Conditions under which PHI may or may not be shared with additional parties
  • Subcontractor obligations: Requirements for the business associate to ensure any subcontractors handling PHI are bound by equivalent protections through their own BAAs

A BAA that fails to address these elements is not only incomplete, it leaves both the covered entity and the business associate exposed to direct liability under the Omnibus Rule.

Marketing restrictions

The HIPAA Privacy Rule has been amended by the Omnibus Rule to create tighter restrictions on the use of PHI for marketing purposes. If a third party, such as a pharmaceutical company, is compensating a covered entity for any given communication while promoting its own product, then patient authorization is required. This empowers individuals to control how their PHI is used.

The Omnibus Rule also introduced two additional patient protections in this area:

  • Fundraising communications: Patients must be given a clear and easy option to opt out of any fundraising communications from a covered entity. Once a patient opts out, the covered entity cannot send further fundraising materials to that individual.
  • Sale of PHI: The rule explicitly restricts the sale of PHI. Organizations generally cannot sell patient data to third parties without obtaining explicit written authorization from the patient, regardless of the purpose or the amount of compensation involved.

Together, these restrictions reinforce the principle that PHI belongs to the patient, not the organization holding it.

“PHI belongs to the patient, not the organization holding it. The Omnibus Rule makes that principle enforceable.”
Rachna Dutta, Infosec Consultant

Reasonable disclosures

Allowing quick and efficient release of student immunization records to schools is key to protecting the health and safety of students while complying with state laws. Reasonable disclosure has made the process of sharing student immunization information with schools very simple.

Now, covered entities have the ability to release immunization records with documented agreement from a parent or guardian. This helps streamline communication between healthcare organizations and educational institutions as required by state law.

Genetic information

The Genetic Information Nondiscrimination Act of 2008 shields individuals from discrimination based on their genetic make-up. The Omnibus Rule ensures these protections by incorporating this sensitive information into HIPAA’s privacy regulations.

Research

The HIPAA Omnibus Rule has made great strides in simplifying consent requirements for research participation. This change allows single forms to cover multiple studies that previously would have required multiple forms. Also, researchers now have a method to obtain prospective consent for future studies. These updates serve as a milestone for guiding the safe collection of PHI.

Penalties

The Omnibus Rule created strict guidelines to ensure that organizations that commit violations face serious consequences. Penalties are structured in tiers based on the severity of the violation and the degree of negligence involved:

  • Unknowing violations: Where the covered entity was unaware and could not reasonably have known of the violation, penalties start at $100 per violation
  • Reasonable cause: Where the violation was not due to willful neglect and the organization had reasonable cause, penalties start at $1,000 per violation
  • Willful neglect, corrected: Where the violation was due to willful neglect, but was subsequently corrected, penalties start at $10,000 per violation
  • Willful neglect, uncorrected: The most serious category, where willful neglect is identified and not corrected, penalties start at $50,000 per violation

Penalties can reach up to $1.5 million per identical violation type per year. While this may seem significant, the tiered structure is designed to distinguish between organizations making good-faith efforts to comply and those engaging in reckless or negligent behavior that endangers patient privacy.

When do regulators get involved?

HIPAA does not mandate routine audits for all organizations in normal circumstances; there is no requirement to undergo periodic regulatory review. However, organizations are expected to maintain compliance at all times and be able to demonstrate it when required.

A breach of PHI can trigger a regulatory review or investigation, particularly for larger incidents or where the risk to affected individuals is assessed as high. When a breach is reported, regulators may request evidence, including:

  • Risk assessments conducted before and after the incident
  • Security controls and safeguards in place at the time of the breach
  • Policies and procedures governing PHI handling
  • Vendor agreements and business associate contracts

Maintaining thorough, up-to-date documentation is therefore not just a compliance best practice; it is your primary line of defense in the event of a regulatory investigation.

Privacy changes

The Omnibus Rule is a critical piece in addressing the security and privacy of PHI. It attempts to answer numerous important questions surrounding the use of PHI, including:

  • The use of PHI in marketing and fundraising materials or events
  • The selling of PHI without express consent from a patient
  • Student immunization record disclosures
  • Patient rights regarding disclosure of their PHI to health plans
  • An individual’s ability to access their ePHI

Strengthened patient rights

The Omnibus Rule significantly expanded individual rights over personal health information. Patients now have:

  • The right to electronic copies of health records: Patients can request their health information in electronic format, enabling easier access and portability across providers
  • The right to know how their data is used: Covered entities must provide clear, updated Notice of Privacy Practices explaining how PHI is collected, used, and shared
  • The right to restrict sharing with insurers: If a patient pays for a service out of pocket in full, they have the right to request that their PHI not be shared with their health plan for that specific treatment

Organizational compliance obligations

Beyond patient rights, the Omnibus Rule reinforces several operational requirements that organizations must embed into their day-to-day practices:

  • Minimum necessary principle: Access to and use of PHI must be limited to the least amount of information necessary to accomplish the intended purpose. This applies to internal access, disclosures to third parties, and requests from other entities
  • Workforce training and access controls: Employees and workforce members must be trained on privacy obligations and should only access PHI relevant to their specific role and responsibilities
  • Documented policies and procedures: Organizations must establish, maintain, and regularly review written policies and procedures governing how PHI is handled across all touchpoints

PHI retention and disposal

A note on data retention and disposal: while these practices are not strictly a change introduced by the Omnibus Rule, they are critical to protecting PHI under the broader HIPAA framework.

Organizations should define clear retention schedules specifying how long different categories of PHI are kept, and ensure that data is securely disposed of when it is no longer needed. From a security standpoint:

  • Over-retention increases breach impact: The more PHI an organization holds beyond its useful life, the greater the potential damage if a breach occurs
  • Improper disposal is a common violation: Failing to securely destroy PHI, whether in physical or electronic format, is one of the most frequently cited HIPAA compliance failures

Treating retention and disposal as a routine operational discipline, rather than an afterthought, significantly reduces both compliance risk and breach exposure.

What changed in practice

Taken together, the Omnibus Rule’s updates represent a meaningful shift in how HIPAA compliance works on the ground. The practical impact for covered entities and business associates includes:

  • More accountability for vendors: Business associates and their subcontractors are now directly liable under HIPAA, not just contractually obligated through their agreements with covered entities
  • Stricter breach evaluation requirements: The presumption of breach means organizations must conduct and document formal risk assessments for every incident of impermissible PHI use or disclosure, not just significant ones
  • More documentation needed for compliance: From updated BAAs to risk assessments, retention schedules, and training records, the Omnibus Rule significantly raised the documentation bar for demonstrating compliance
  • Increased risk of penalties for non-compliance: With direct enforcement extended to business associates and a tiered penalty structure that can reach $1.5 million per violation type per year, the financial and reputational stakes of non-compliance are higher than ever

How the Omnibus Rule applies: CEs vs BAs at a glance

Area | Covered entities | Business associates
Direct HIPAA liability | Always applicable | Now directly applicable under the Omnibus Rule
BAA requirements | Must execute BAAs with all BAs | Must execute BAAs with subcontractors
Breach notification | Must notify HHS and individuals | Must notify covered entity within 60 days
Security Rule compliance | Required | Now directly required
Privacy Rule compliance | Required | Required for applicable provisions
Penalties | Up to $1.5M per violation type per year | Same penalty structure now applies directly
Subcontractor oversight | Must ensure BAs manage subcontractors | Must ensure subcontractors comply with HIPAA

What must organizations do under the Omnibus Rule?

Understanding the changes is only half the battle. Here is what covered entities and business associates must actually do to achieve and maintain compliance:

  • Update Business Associate Agreements (BAAs): All existing BAAs must be reviewed and updated to reflect the expanded obligations and direct liability provisions introduced by the Omnibus Rule
  • Identify all vendors handling PHI: Maintain a complete inventory of business associates and subcontractors who create, receive, maintain, or transmit PHI on your behalf
  • Ensure vendors follow HIPAA safeguards: Verify that all vendors have appropriate administrative, technical, and physical safeguards in place and that these are contractually documented
  • Perform and document risk assessments: Conduct rigorous risk analyses, particularly following any security incident to determine whether a breach notification obligation has been triggered
  • Update Notice of Privacy Practices: Revise and redistribute your NPP to reflect the new patient rights and PHI use restrictions introduced by the Omnibus Rule
  • Train employees on updated privacy rules: Ensure all staff are aware of the changes to marketing restrictions, breach notification requirements, and patient rights under the updated rule
  • Implement breach response procedures: Establish clear, documented procedures for identifying, assessing, and reporting breaches within the required timeframes.

Find out how Sprinto is helping organizations become and stay HIPAA-Certified

As a cloud-hosted business associate, compliance with the HIPAA Omnibus Rule is critical to your success and growth. Sprinto provides the ideal platform to keep up with the ongoing requirements of keeping your business in line with these regulations.

Automated processes make sure your rules and security protocols are constantly updated to deliver expected performance, thus enabling you to attain complete overall compliance.

The in-app features allow you to monitor safeguards, manage vendors and subcontractors, as well as provide in-built HIPAA training for staff members.

Also, a real-time dashboard view of your compliance status is available at all times. Get in touch today to find out how Sprinto can help you get compliant and stay secure!

FAQs

What did the HIPAA Omnibus Rule mandate?

The HIPAA Omnibus Rule introduced changes to the Privacy, Security, and Enforcement Rules to incorporate provisions from the HITECH Act, solidified the Breach Notification Rule, and implemented new standards to reflect the requirements of the GINA Act.

What is the primary purpose of the Omnibus Rule?

The primary purpose of the HIPAA Omnibus Rule is to strengthen the protection of sensitive patient health information, particularly in digital formats, while expanding patient rights and directly extending HIPAA compliance obligations to business associates and their subcontractors. It consolidates several prior regulatory updates into a single, cohesive rule that raises the bar for data security, breach accountability, and privacy across the entire healthcare ecosystem.

When was the Omnibus Rule passed?

On January 17, 2013, HHS released the Omnibus Rule, which merged and superseded four earlier proposed rules and interim final rules. This rule came into effect on March 26 of the same year.

How long does the Omnibus Rule protect PHI?

PHI remains protected for 50 years after the death of an individual. The Omnibus Rule also gives covered entities greater flexibility in disclosing a decedent’s PHI to those who were involved in caring for or paying for the decedent’s treatment prior to their passing.

Author: Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.

Reviewer: Rachna Dutta

Rachna Dutta is an Information Security Consultant at Sprinto and a certified ISO 27001 Lead Auditor with expertise across a broad spectrum of global and India-specific compliance frameworks, including PCI DSS, SOC 2, HIPAA, FedRAMP, HITRUST, NIST CSF, and RBI regulatory requirements.