Rules & Requirements —
Exploring the HIPAA Omnibus Rule
The HIPAA Omnibus Rule expands business associate liability BAAs, and strengthens breach and privacy protections.
Share this article
Exploring the HIPAA Omnibus Rule
"Enacted in 2013" compresses three distinct dates that actually matter: the Omnibus Rule was published in the Federal Register on January 25, 2013, became effective March 26, 2013, and carried a general compliance deadline of September 23, 2013. For business associate agreements already in place before the rule was published, there was a further transition period extending compliance to September 22, 2014 — a detail worth knowing if your organization is still operating under a BAA that predates this rule and was never revisited.
What the Omnibus Rule Actually Is
It's not a standalone law — it's HHS's single rulemaking that finalized four previously separate proposed and interim rules at once: the HITECH Act's privacy and security provisions (proposed in 2010), the interim breach notification rule, the interim enforcement rule, and new requirements implementing the Genetic Information Nondiscrimination Act (GINA). Understanding it as a consolidation, rather than a single new law, explains why its provisions touch so many different parts of HIPAA simultaneously — privacy, security, breach notification, and enforcement all changed at once because all four were finalized together.
Business Associate Liability: The Most Consequential Change
Before this rule, a business associate's HIPAA violation was the covered entity's liability, not the business associate's own. The Omnibus Rule changed this directly: business associates and their subcontractors became directly liable for HIPAA compliance, subject to the same enforcement and penalties as covered entities. This extended liability down the chain — a subcontractor with no direct relationship to the covered entity, brought in by a business associate to handle some part of the work, is covered too. Understanding HIPAA Business Associate Agreements covers what a compliant BAA needs to contain under this expanded structure.
The Breach Notification Standard Changed Fundamentally
This is the change with the most practical consequence and the one most often described too vaguely. Before the Omnibus Rule, organizations only had to notify if a breach posed significant risk of harm — a "harm threshold" that gave room for judgment calls about whether a given incident was serious enough to report. The Omnibus Rule eliminated that threshold and replaced it with a presumption of breach: any impermissible use or disclosure of unsecured PHI is now presumed to be a reportable breach unless a documented risk assessment specifically demonstrates a low probability that the information was compromised. This shifted the default from "report if clearly harmful" to "report unless you can prove otherwise" — a meaningfully higher bar, and one that requires the risk assessment itself to be documented, not just performed informally.
Expanded Patient Rights
The rule strengthened several individual rights at once: patients gained the right to request and receive an electronic copy of their PHI, and the right to restrict disclosure of information to their health plan for services they paid for entirely out of pocket. It also tightened the rules around using PHI for marketing and fundraising — requiring authorization for most marketing uses, prohibiting the sale of PHI without authorization, and requiring a clear, explicit opt-out mechanism on every fundraising communication. Notice of Privacy Practices documents had to be updated to reflect all of this, which is why this rule's effects extend well beyond business associate contracts into every covered entity's patient-facing documentation.
GINA Integration
The rule folded Genetic Information Nondiscrimination Act protections directly into HIPAA, designating genetic information as a category of protected health information and prohibiting health plans from using it for underwriting purposes. Organizations handling genetic testing data, increasingly common as genetic and genomic services have expanded, need to treat this information with the same PHI protections as any other health data — a category that's easy to overlook if compliance programs were built before this provision existed.
What This Means for a Compliance Program Today
Even though this rule is now over a decade old, it remains the structural baseline most current HIPAA compliance work assumes. The presumption-of-breach standard shapes how incident response plans should be built — assuming reportability unless proven otherwise, not the reverse. The expanded business associate liability is why vendor management and BAA currency matter as much as they do; Estimating HIPAA Compliance Costs and the BAA enforcement cases covered in Who Enforces HIPAA and How to Stay Compliant both reflect liability rules this rule established.
Aligning With Other Frameworks
The business associate liability structure this rule created has a direct parallel in how SOC 2 and ISO 27001 treat vendor and subprocessor risk — both frameworks require similar due diligence and contractual flow-down for third parties handling sensitive data, even though the specific legal mechanism (a BAA versus a vendor security addendum) differs. Organizations managing vendor risk across multiple frameworks often find the underlying due diligence process — assessing a vendor, documenting the relationship, monitoring it over time — transfers directly, even where the specific paperwork doesn't.
In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.
HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.
Read more about HIPAA compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




