What is the HIPAA Omnibus Rule? History and Requirements
Learn how the HIPAA Omnibus Rule impacts covered entities and business associates, plus actionable steps for compliance in 2025 and beyond.
The HIPAA Omnibus Rule, enacted in 2013, expanded the Health Insurance Portability and Accountability Act (HIPAA) by strengthening patient privacy rights and increasing accountability for healthcare organizations and their partners. This rule clarified the responsibilities of covered entities and business associates, introduced new restrictions on how protected health information (PHI) is used and shared, and established tougher penalties for non-compliance.
With cyber threats and data breaches on the rise, ensuring compliance with the HIPAA Omnibus Rule is more important than ever. In this guide, we’ll break down the history of the HIPAA Omnibus Rule, its key mandates, and what your business needs to do to stay compliant.
Quick Refresher: What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, was designed to modernize the healthcare industry by improving the portability of health insurance and setting national standards for protecting patient health information. Over time, it has evolved into the primary regulation governing the privacy and security of protected health information in the U.S.
HIPAA applies to covered entities, including healthcare providers, health plans, and clearinghouses, as well as their business associates — third parties that handle PHI on their behalf. Non-compliance can lead to severe penalties, including fines and reputational damage.
The Other HIPAA Rules
HIPAA consists of several rules, including the HIPAA Omnibus Rule, that define how organizations must handle PHI:
HIPAA Privacy Rule: Establishes patients’ rights over their health information, including access to medical records and control over how PHI is shared.
HIPAA Security Rule: Mandates administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
HIPAA Breach Notification Rule: Requires organizations to report PHI breaches to affected individuals, the government, and, in some cases, the media.
HIPAA Enforcement Rule: Defines the penalties for HIPAA violations, ranging from financial fines to criminal charges.
HIPAA Omnibus Rule: Strengthens HIPAA by expanding compliance obligations to business associates, reinforcing patient privacy rights, and enforcing stricter penalties for violations.
New to HIPAA? We’ve created a HIPAA compliance checklist resource to help you kick off your compliance journey.
What is the HIPAA Omnibus Rule?
Established in 2013, the HIPAA Omnibus Rule introduced some of the most significant updates to HIPAA since its inception. Designed to close regulatory gaps, it broadened the law’s scope to address modern privacy concerns, particularly the rise of electronic health records (EHRs) and third-party data handlers.
The rule imposed stricter requirements on business associates, expanded patient rights, and strengthened enforcement measures to ensure greater accountability in protecting PHI.
The History and Role of the Omnibus Rule
Before the Omnibus Rule, business associates (third-party vendors that handle PHI on behalf of covered entities) operated under indirect oversight, with limited liability for HIPAA violations. The Omnibus Rule eliminated this loophole, making business associates, along with their subcontractors, directly responsible for compliance.
The rule also reinforced patients’ rights by expanding their access to medical records and allowing them greater control over how their PHI is used, particularly for marketing purposes and fundraising efforts. Additionally, it updated breach notification requirements and introduced tougher financial penalties for noncompliance.
How the Omnibus Rule Impacts Covered Entities and Business Associates
The HIPAA Omnibus Rule significantly reshaped compliance obligations for covered entities and business associates, imposing stricter privacy standards, greater accountability, and higher penalties. Below, we take a closer look at how these changes impact healthcare organizations and their third-party partners.
Direct Liability Provisions
Perhaps the biggest change in the Omnibus Rule was making business associates directly responsible for HIPAA compliance. This means that any company handling PHI on behalf of a healthcare organization can face the same fines and legal consequences as covered entities.
Additionally, subcontractors of business associates must also comply with HIPAA—storage providers, consultants, and third-party IT vendors all must meet HIPAA security standards, even if they don’t directly interact with patients.
To ensure compliance, business associates must:
Conduct regular risk assessments to identify security vulnerabilities.
Train employees on HIPAA privacy and security rules.
Implement technical safeguards like encryption, multi-factor authentication, and access controls.
Establish an incident response plan for reporting security breaches.
Stricter Business Associate Agreements (BAAs)
The Omnibus Rule introduced more stringent requirements for Business Associate Agreements (BAAs)—contracts that outline how business associates must handle PHI. These agreements must now:
Clearly define what the business associate can and cannot do with PHI.
Include mandatory security controls and data protection policies.
Outline reporting requirements for breaches or unauthorized disclosures.
Specify termination procedures, including the return or destruction of PHI.
Without a properly executed BAA, both the covered entity and business associate can be held liable for HIPAA violations.
Expanded Privacy Obligations
To strengthen patient rights and transparency, the Omnibus Rule required updates to Notices of Privacy Practices (NPPs). Healthcare organizations must now:
Explain patient rights more clearly, including the ability to request restrictions on PHI disclosures.
Provide explicit details on how PHI may be used for marketing, fundraising, or research.
Update policies to reflect breach notification requirements and patient rights.
Ensure patients can access their health records electronically when requested.
Additionally, the rule introduced stricter restrictions on PHI use:
Patients can prevent healthcare providers from sharing PHI with insurers if they pay for services out of pocket.
Health plans can no longer use PHI for underwriting purposes.
The rule expanded protections under the Genetic Information Nondiscrimination Act (GINA) by prohibiting health insurers from using genetic information for eligibility, premium adjustments, or coverage decisions.
Marketing and fundraising communications now require explicit patient consent.
The sale of PHI without patient authorization is strictly prohibited.
Tightened Authorization and Consent Rules
HIPAA already required patient authorization for certain PHI disclosures, but the Omnibus Rule reinforced these requirements, so patients have more control over their data. Now, healthcare organizations must:
Use more detailed authorization forms, clearly explaining how PHI will be used.
Obtain explicit consent before using PHI for marketing or third-party purposes.
Provide clear opt-out options, allowing patients to revoke authorization at any time.
Stricter Enforcement and Penalties
The Omnibus Rule significantly increased penalties for HIPAA violations, making it clear that both covered entities and business associates face severe financial consequences for noncompliance.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) now enforces a tiered penalty system based on the level of negligence involved in the violation:
Unknowing Violation: $100 – $50,000 per violation, with an annual cap of $1.5 million.
Reasonable Cause: $1,000 – $50,000 per violation, with an annual cap of $1.5 million.
Willful Neglect – Corrected: $10,000 – $50,000 per violation, with an annual cap of $1.5 million.
Willful Neglect – Uncorrected: $50,000 per violation, with an annual cap of $1.5 million.
Breach Notification and Privacy Safeguards
The HIPAA Omnibus Rule also strengthened breach notification requirements and privacy safeguards to ensure faster reporting and stricter security measures.
Organizations must now follow clearer thresholds, tighter reporting timelines, and stronger security protocols to minimize the risk of unauthorized PHI exposure.
Timelines and Thresholds for Breach Notification
Under the Omnibus Rule, organizations must notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media within specific timeframes:
All breaches must be reported within 60 days unless an exception applies (e.g., a risk assessment determines there is a low probability that the PHI was compromised).
If a breach affects 500 or more individuals, organizations must notify HHS and local media outlets in addition to the affected parties.
If fewer than 500 individuals are affected, organizations must maintain a log and report the breach annually to HHS.
These updates prevent covered entities and business associates from delaying breach notifications and ensure that individuals receive timely information to protect themselves from identity theft and fraud.
Assessment of Harm and Changes to the "Harm Threshold"
Before the Omnibus Rule, organizations could avoid reporting certain breaches if they determined the risk of harm to individuals was low. This subjective standard was removed; instead of relying on a vague "harm threshold," organizations must evaluate:
The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification.
Who accessed or received the PHI (e.g., an unauthorized individual vs. a trusted business associate).
Whether PHI was actually acquired or viewed during the breach.
The extent to which risk was mitigated (e.g., immediate data deletion, encryption, or containment measures).
The change makes it harder to justify non-disclosure, ensuring that more breaches are reported and addressed.
Encryption and Security Measures
To prevent breaches, the Omnibus Rule reinforced encryption and security best practices as primary safeguards for PHI. Recommended security practices for both covered entities and business associates include:
Encrypting PHI both at rest and in transit to make data unreadable in the event of unauthorized access.
Implementing role-based access restrictions to limit PHI exposure.
Maintaining records of who accesses PHI and immediately flagging unauthorized activity.
Developing proactive breach response strategies to mitigate damage and comply with notification timelines.
Get HIPAA Compliance Right With Drata
Staying HIPAA compliant requires continuous monitoring, detailed documentation, and proactive risk management—all of which can be complex and time-consuming. Drata simplifies the process with:
Automated monitoring and evidence collection to streamline audits and security reviews.
Pre-mapped HIPAA-specific controls that align with regulatory requirements.
Asset and personnel tracking to ensure role-based access and security compliance.
Customizable HIPAA policy templates to standardize compliance documentation.
Built-in HIPAA-approved employee training to keep your workforce up to date.
Schedule a Demo to see how Drata automates your HIPAA compliance journey.
HIPAA Omnibus Rule Frequently Asked Questions (FAQs)
Still have questions about the HIPAA Omnibus Rule? We answer the most common queries below.
Why Was the HIPAA Omnibus Rule Passed?
The Omnibus Rule was enacted to modernize HIPAA regulations in response to:
The growing use of electronic health records (EHRs) and cloud-based healthcare systems.
Increased risks of data breaches and unauthorized PHI access.
The need for stronger patient rights, including expanded access to their medical records.
The role of business associates in handling PHI, requiring greater accountability and direct liability.
These updates close compliance gaps and ensure stricter protections for patient health data.
How Do I Update My Notice of Privacy Practices (NPP) to Comply With the Omnibus Rule?
Organizations must revise their Notice of Privacy Practices (NPPs) to include updates on patient rights, breach notifications, and PHI use restrictions. These updates should:
Explain patients' right to request restrictions on PHI disclosures.
Clarify how PHI may be used for marketing, fundraising, and research.
Detail the organization’s breach notification policy and patient rights following a data breach.
Include information on patients' right to access their PHI electronically.
Are There Penalties for Not Complying With the Omnibus Rule?
Yes. The HIPAA Omnibus Rule introduced a tiered penalty system, with fines ranging from $100 to $50,000 per violation, depending on the level of negligence. Organizations that willfully neglect HIPAA compliance without correction can face penalties up to $1.5 million per year, per violation type.
Is a Business Associate Agreement (BAA) Required for All Vendors?
A Business Associate Agreement (BAA) is required for any third-party vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes cloud storage providers, billing and payment processing firms, IT service providers handling PHI, EHR vendors, and data transmission services.
BAAs must outline how PHI is handled, security obligations, and breach reporting procedures. Failure to establish a properly executed BAA can result in penalties for both the covered entity and the business associate.
How Does the Omnibus Rule Affect Breach Notification Requirements?
The Omnibus Rule removed the "harm threshold" that previously allowed organizations to decide whether they should report breaches. Now, any unauthorized access, use, or disclosure of PHI is presumed to be a breach unless the organization can demonstrate a low probability of compromise.
Covered entities and business associates must:
Notify affected individuals within 60 days.
If a breach affects 500 or more individuals, notify HHS and local media outlets.
If fewer than 500 individuals are affected, maintain a log and report the breach annually to HHS.
What Steps Can Business Associates Take to Comply With the Omnibus Rule?
Business associates must now follow the same HIPAA security and privacy standards as covered entities. To stay compliant, they should:
Conduct HIPAA risk assessments to identify vulnerabilities.
Sign BAAs with covered entities and subcontractors to define PHI handling policies.
Implement security controls, including encryption, access restrictions, and audit logs.
Develop a breach response plan to meet HIPAA reporting deadlines.
Train employees on HIPAA regulations to prevent violations.