In January 2013, HHS dropped the largest single regulatory update in HIPAA's history — and most organizations still haven't fully absorbed what it demands. The HIPAA Omnibus Rule didn't just tweak language. It overhauled breach notification standards, extended direct liability to business associates, tightened rules around marketing and fundraising, and gave patients new rights over their own health information. If your compliance program was built before 2013 and never meaningfully updated, you're operating on a framework that regulators left behind more than a decade ago.
I've audited organizations in 2024 and 2025 that were still running business associate agreements drafted in 2009. That's not a minor paperwork gap — it's a compliance failure that OCR has penalized repeatedly and aggressively.
What the HIPAA Omnibus Rule Actually Changed
The Omnibus Rule was a final rulemaking published on January 25, 2013, with a compliance deadline of September 23, 2013. It implemented provisions from the HITECH Act of 2009, the Genetic Information Nondiscrimination Act (GINA), and several other modifications HHS had been developing for years. You can read the full final rule on the HHS Omnibus Rule page.
Here's what matters most for your organization right now.
Business Associates Became Directly Liable
Before the Omnibus Rule, business associates operated in a gray zone. Covered entities were responsible for ensuring their BAs followed the rules, but BAs themselves weren't directly subject to HIPAA's Security Rule or most of the Privacy Rule. The Omnibus Rule ended that arrangement.
Business associates — and their subcontractors — became directly liable for compliance. That means an IT vendor handling your ePHI, a billing company processing claims, or a cloud storage provider hosting patient records can all face OCR investigations and civil monetary penalties on their own. No more hiding behind the covered entity.
In my experience, this is the provision that catches the most organizations off guard. I've seen small practices assume their shredding company or EHR vendor "handles all that." They don't — not unless there's a current, compliant business associate agreement in place and that BA has its own HIPAA compliance program.
The Breach Notification Standard Flipped
The original interim breach notification rule used a "harm standard." If a covered entity determined that a breach posed no significant risk of harm, they could skip notification. The HIPAA Omnibus Rule replaced this with a presumption that every impermissible use or disclosure of PHI is a reportable breach unless the organization can demonstrate a low probability of compromise through a four-factor risk assessment.
Those four factors are:
- The nature and extent of the PHI involved
- Who received or accessed the information
- Whether the PHI was actually acquired or viewed
- The extent to which risk has been mitigated
This matters because the burden shifted. You no longer get to decide a breach "wasn't that bad." You have to prove it, document it, and be prepared to defend that analysis to OCR.
The $4.8 Million Lesson in Ignoring the Omnibus Rule
New York-Presbyterian Hospital and Columbia University collectively paid $4.8 million in 2014 after a breach exposed the ePHI of 6,800 patients. The investigation revealed failures in technical safeguards, risk analysis, and workforce oversight — all areas the Omnibus Rule reinforced. OCR's resolution agreement with New York-Presbyterian made clear that organizations had to treat the post-Omnibus landscape as fundamentally different from what came before.
That case set a tone. OCR wasn't just issuing guidance — they were enforcing the expanded requirements the HIPAA Omnibus Rule codified.
Patient Rights Got Sharper Teeth
The Omnibus Rule expanded the right of individuals to receive electronic copies of their PHI when that information is maintained electronically. If a patient asks for their records in electronic format, you must provide them. Period.
It also restricted the sale of PHI, requiring individual authorization before a covered entity could receive remuneration in exchange for PHI in most situations. And it tightened the rules around marketing — eliminating the "healthcare operations" loophole that some organizations had been using to send fundraising and promotional communications without proper authorization.
Genetic Information Now Counts as PHI
One of the quieter but significant changes: the Omnibus Rule implemented GINA provisions by explicitly prohibiting health plans from using genetic information for underwriting purposes. Genetic data is now treated as protected health information. If your organization handles genetic testing results, pharmacogenomic data, or family health histories, this provision applies directly to your workflows.
Pharmacy professionals deal with this more than most realize, especially as pharmacogenomic testing becomes routine. Our HIPAA & HITECH training for pharmacy professionals covers these specific obligations in detail.
What Does the HIPAA Omnibus Rule Require?
The HIPAA Omnibus Rule requires covered entities and business associates to update privacy and security policies, revise business associate agreements, apply the breach notification presumption, honor patient requests for electronic PHI, obtain authorization before selling PHI, restrict marketing communications, treat genetic information as PHI, and train all workforce members on these updated requirements. Compliance has been mandatory since September 23, 2013.
The Business Associate Agreement Problem That Won't Go Away
Here's what I see constantly: organizations that signed BAAs years ago and filed them away. The Omnibus Rule required every existing business associate agreement to be updated by September 2014. If your BAAs still reference the "Secretary's guidance" instead of the four-factor risk assessment, or if they don't include subcontractor requirements, they're non-compliant.
And non-compliant BAAs aren't just a technical violation. They represent a gap in your entire compliance chain. If your business associate suffers a breach and your agreement doesn't reflect Omnibus Rule requirements, OCR will look at you just as hard as they look at the BA.
I recommend a full BAA audit at least annually. Pull every agreement, check the language against current requirements, and verify that each BA has provided evidence of their own compliance program. It's tedious work. It's also the work that keeps you out of a corrective action plan.
Training Requirements After the Omnibus Rule
The Omnibus Rule didn't create the training requirement — that existed in the original Privacy Rule. But it dramatically expanded what training must cover. Your workforce needs to understand the breach notification presumption, the expanded patient rights, the restrictions on marketing and sales of PHI, and their personal responsibilities under the tighter framework.
Generic, one-size-fits-all training doesn't cut it. A nurse managing clinical workflows faces different HIPAA risks than a billing specialist or a behavioral health counselor. That's why role-specific training matters. Our HIPAA training for nurses and HIPAA training for mental and behavioral health professionals address the distinct scenarios each role encounters daily.
Document Everything — OCR Will Ask
Training completion records, policy update logs, BAA revision dates, risk assessment documentation — OCR expects all of it. The Omnibus Rule reinforced that compliance isn't something you declare; it's something you prove. In every investigation I've reviewed, documentation (or the lack of it) played a central role in the outcome.
Thirteen Years Later, the Gaps Are Still There
We're now thirteen years past the Omnibus Rule's compliance deadline, and I still encounter organizations that haven't fully implemented its requirements. Some don't realize their Notice of Privacy Practices needs updating. Others haven't revised their breach response procedures to reflect the four-factor assessment. A surprising number have never even conducted a formal risk analysis — a requirement that predates the Omnibus Rule but was reinforced by it.
OCR's enforcement data on the HHS enforcement highlights page shows that failure to conduct risk analysis remains the single most common finding in enforcement actions. The Omnibus Rule didn't invent this obligation, but it raised the stakes for ignoring it.
Your Action Plan for Omnibus Rule Compliance
If you're reading this and wondering whether your organization has gaps, here's a practical checklist:
- Audit every business associate agreement. Confirm Omnibus-era language, subcontractor flow-down provisions, and breach notification obligations.
- Review your breach response procedure. Make sure it uses the four-factor risk assessment, not the old harm standard.
- Update your Notice of Privacy Practices. It must reflect the expanded patient rights and restrictions on sales and marketing of PHI.
- Conduct or refresh your risk analysis. This is non-negotiable and should be updated whenever your environment changes.
- Train your entire workforce on current requirements — not the rules as they existed in 2005. Role-specific training from the HIPAACertify course catalog makes this actionable.
- Document everything. If you can't prove it happened, it didn't happen.
The HIPAA Omnibus Rule wasn't a suggestion or a set of best practices. It was a regulatory overhaul that redefined the obligations of every covered entity and business associate in the country. The organizations that treated it seriously in 2013 have spent the last thirteen years avoiding penalties, passing audits, and protecting patients. The ones that didn't are still catching up — often after OCR comes knocking.