The HIPAA Omnibus Rule, finalized in 2013, represents one of the most significant updates to HIPAA since the law was originally enacted in 1996. The rule implemented key provisions of the HITECH Act, expanded direct compliance responsibilities for business associates and their subcontractors, strengthened breach notification requirements, and enhanced patients' rights regarding their health information. While the rule took effect in 2013, its requirements remain an essential part of HIPAA compliance today. The guidance below highlights key areas organizations should review and maintain as part of an ongoing compliance program.
Whether you’re a covered entity or a business associate, these core actions help ensure HIPAA compliance:
- Implement or Update Security Policies and Procedures
Security breaches remain one of the most significant risks for employers and business associates. Historically, most enforcement actions by the U.S. Department of Health and Human Services (HHS) have involved security breaches, many resulting in substantial financial penalties.
To reduce risk, organizations should implement or update their security policies and procedures to ensure alignment with the HIPAA Security Rule. This includes addressing any operational changes since policies were last reviewed. Organizations should also conduct a risk assessment to confirm that policies effectively identify and mitigate potential vulnerabilities.
- Establish or Update Business Associate Agreements (BAAs)
Under the HIPAA Omnibus Rule, business associates are required to enter into agreements with the subcontractors who handle protected health information (PHI).
While updates to existing agreements may not always require major legal changes, organizations should use this opportunity to review key terms. This may include provisions related to breach response responsibilities, cost reimbursement, and indemnification for third-party claims.
- Update or Implement Privacy Policies and Procedures
Organizations must ensure their privacy policies reflect regulatory updates introduced by the Omnibus Rule. This includes changes to how breaches are assessed and new requirements for providing individuals with access to their PHI, particularly in electronic formats.
Although business associates are not explicitly required by law to maintain formal policies, having clear procedures is essential in practice to ensure employees understand how to meet HIPAA compliance requirements.
- Update Notice of Privacy Practices (NPP)
Covered entities are required to update their Notice of Privacy Practices to reflect new individual rights and restrictions on the use of PHI.
If an organization maintains a benefits or public-facing website, the updated notice should be posted there and distributed during the next appropriate communication cycle (such as open enrollment). Organizations without a website should distribute the updated notice within a reasonable timeframe following implementation.
- Conduct Employee Training
Employees should be trained on HIPAA requirements relevant to their roles, including any updates introduced by the Omnibus Rule.
Training also provides an opportunity to reinforce best practices and ensure all staff understand their responsibilities in protecting PHI and maintaining compliance.
Disclaimer: This information is provided for educational purposes only and does not constitute legal advice. Bridge Compliance is a compliance platform and does not provide legal counsel. Organizations are solely responsible for ensuring compliance with applicable laws.