When OCR announced a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University in 2014, it was one of the first major enforcement actions reflecting the expanded authority granted under the HIPAA Omnibus Rule of 2013. That case — involving PHI disclosed through a shared network — signaled a new era of accountability. More than a decade later, the regulatory framework established by the Omnibus Rule remains the backbone of HIPAA enforcement.

Healthcare organizations that treat the Omnibus Rule as old news are making a costly mistake. Nearly every major OCR enforcement action since 2013 relies on provisions this rule either created or strengthened.

What the HIPAA Omnibus Rule of 2013 Actually Changed

Published on January 25, 2013, and effective March 26, 2013 — with a compliance deadline of September 23, 2013 — the Omnibus Rule finalized provisions from the HITECH Act of 2009. It represented the most significant update to HIPAA since the original Privacy and Security Rules took effect.

The rule made four sweeping categories of changes that every covered entity and business associate must understand:

  • Direct liability for business associates. Before the Omnibus Rule, business associates were only contractually bound to protect protected health information. The rule made them directly liable under the HIPAA Security Rule and certain provisions of the Privacy Rule, with penalties enforced by OCR.
  • Strengthened breach notification requirements. The rule replaced the previous "harm standard" with a more objective risk assessment. Under the new standard, any impermissible use or disclosure of PHI is presumed to be a breach unless your organization can demonstrate a low probability that the information was compromised — based on a four-factor risk assessment.
  • Expanded individual rights. Patients gained the right to request electronic copies of their records when maintained electronically, and the right to restrict disclosures to health plans for services paid out of pocket in full.
  • Updated Notice of Privacy Practices requirements. Covered entities were required to revise their Notice of Privacy Practices to reflect the new patient rights and breach notification procedures established by the rule.

Business Associate Liability: The Provision Most Organizations Still Get Wrong

In my work with covered entities, the single most common compliance gap I encounter is outdated or missing business associate agreements (BAAs). The HIPAA Omnibus Rule of 2013 didn't just suggest that business associates comply with the Security Rule — it made them legally accountable under federal law.

This means your cloud hosting provider, your billing company, your IT managed services vendor, and your shredding service are all subject to the same Security Rule requirements your organization follows. OCR has enforced this aggressively. In 2022, the business associate CHSPSC LLC paid $2.3 million following a breach affecting over 6 million individuals, with OCR citing failures in risk analysis and access controls.

Every BAA executed before September 23, 2013, should have been updated to reflect Omnibus Rule requirements. If your organization is still operating under legacy agreements, you have an active compliance gap.

The Breach Notification Standard That Changed Everything

Before the Omnibus Rule, covered entities could avoid breach notification by arguing that a disclosure caused no harm. OCR recognized this standard was too subjective. The revised Breach Notification Rule under 45 CFR §§ 164.400-414 now requires organizations to evaluate four factors:

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

If your risk assessment cannot demonstrate a low probability of compromise, you must notify affected individuals, HHS, and — for breaches affecting 500 or more individuals — the media. Healthcare organizations consistently struggle with documenting this four-factor analysis. Without written documentation, OCR treats the incident as a reportable breach by default.

Genetic Information and Marketing Restrictions

The Omnibus Rule also incorporated protections under the Genetic Information Nondiscrimination Act (GINA), prohibiting health plans from using genetic information for underwriting purposes. It tightened restrictions on using PHI for marketing and fundraising, requiring explicit authorization for most communications that involve financial remuneration from a third party.

These provisions often fall off compliance checklists, but OCR has not forgotten them. Organizations that engage in patient outreach, partner marketing, or population health communications should audit these activities against the Omnibus Rule's marketing authorization requirements.

How to Verify Your Organization's Omnibus Rule Compliance

More than a decade after the compliance deadline, your organization should be able to confirm the following:

  • Current BAAs with every business associate that reflect Omnibus Rule provisions, including breach reporting obligations and Security Rule compliance language.
  • Updated Notice of Privacy Practices distributed to patients and posted in your facility, reflecting the rights granted under the Omnibus Rule.
  • Documented breach risk assessments using the four-factor test for every impermissible use or disclosure of PHI — not just large-scale incidents.
  • Completed risk analysis under 45 CFR § 164.308(a)(1)(ii)(A), which the Omnibus Rule reinforced as the foundation of Security Rule compliance.
  • Workforce training that covers Omnibus Rule requirements, including the minimum necessary standard, breach identification, and patient rights to electronic access and payment restrictions.

If your workforce training hasn't been updated to reflect these requirements, your compliance program has a critical vulnerability. Enrolling your team in HIPAA training and certification that covers current regulatory requirements — including the Omnibus Rule — is the most direct way to close that gap.

The Omnibus Rule Is Not Historical — It Is Current Law

OCR's enforcement priorities in 2024 and 2025 continue to rely on provisions established by the HIPAA Omnibus Rule of 2013. The Right of Access Initiative, business associate enforcement actions, and breach notification investigations all trace back to this rule. Treating it as a one-time compliance event from a decade ago leaves your organization exposed.

Compliance is not a point-in-time activity. The Omnibus Rule created ongoing obligations — BAA management, breach assessment documentation, patient rights fulfillment, and workforce awareness — that require continuous attention. If your organization needs a structured approach to meeting these requirements, HIPAA Certify's workforce compliance program provides the framework to operationalize what the Omnibus Rule demands.

The organizations that face OCR penalties aren't the ones that never heard of the Omnibus Rule. They're the ones that implemented it once and assumed the work was done.