HIPAA Omnibus Rule
The 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
The Omnibus Rule added direct HIPAA liability for business associates, shifted breach analysis from "harm" to a "probability of compromise" four-factor test, restricted marketing and sale of PHI, and modernized the Privacy and Security Rule provisions.
How it shows up in your practice
Most modern HIPAA obligations on vendors flow from the Omnibus Rule. Use it as the reference point when explaining why subcontractors need their own BAAs and why vendors face their own OCR investigations.
Sources
- HHS — HIPAA Omnibus Rule (2013)https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
- HHS — Business Associateshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Confirm Omnibus-Rule compliance in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- HIPAA & PrivacyBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- HIPAA & PrivacySubcontractor Business AssociateA business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
- HIPAA & PrivacyHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- GlossaryBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- GlossarySubcontractor Business AssociateA business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- GlossaryVendor Risk AssessmentThe process of evaluating a vendor's security and privacy posture before sharing PHI or granting system access.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.