
Breaches and the HIPAA/HITECH Omnibus Deadline

90 days. That’s all the time healthcare organizations have between now and the September 23 HIPAA Omnibus compliance date. Understandably, most healthcare compliance officers are focusing on the significant changes spelled out in the regulations: obtaining business associate agreements, updating notices of privacy practices, and training staff members on the changes to the law. While healthcare facility managers must make sure that these listed requirements are met, they should also be concentrating on how the newest wrinkle in HIPAA will drastically affect their organizations in years to come. This, of course, is the new definition of “breach.”

How HIPAA reacted before the Omnibus

Before the Omnibus, compliance officers faced with a PHI security incident had a relatively straightforward question to ask themselves during the risk assessment that determined whether the incident rose to the level of a data breach: was the incident likely to cause significant financial or reputational harm to the patient whose data had been compromised? If not, HIPAA said that no breach had occurred. No breach meant no breach notification measures were necessary.

Sensing a level of abuse here, HHS greatly departed from the old standard by issuing a new breach definition in the Omnibus. Now, facilities faced with a security incident must assume it is a breach unless, through a risk assessment, it can be shown that there is a “low probability that the PHI has been compromised.” In effect, HHS changed the rebuttable presumption from no breach to breach. Think guilty until proven innocent.

Avoiding HIPAA Breaches with More Secure Messaging Channels

This new definition goes into effect in September. It also means that if you are a healthcare facility currently allowing providers to exchange PHI through unsecured channels, each and every such transmission will be presumed a HIPAA breach unless you can prove otherwise. Think about that for a minute. Given that the average provider uses more than five mobile devices, a simple back-of-the-napkin calculation shows that most facilities are about to be exposed to a tidal wave of potential risk. If you haven’t addressed your mobile risks yet, you should do so immediately – because the stakes are about to get much higher.

Frequently Asked Questions

Find answers to common questions about this topic.

Organizations that fail to comply by the deadline face increased regulatory scrutiny, potential penalties, and heightened breach notification requirements. The new breach presumption standard makes non-compliance particularly risky for mobile device and messaging practices.

Under the Omnibus rule, organizations must now assume any PHI security incident is a breach unless they can prove there's a low probability of compromise. This reverses the previous standard where incidents were presumed not to be breaches unless harm was likely.

Unsecured messaging channels carrying PHI are now presumed to be breaches under the Omnibus definition. Healthcare facilities must implement secure communication platforms or face potential breach notification requirements for each transmission.

Organizations should immediately implement secure messaging platforms, establish mobile device management policies, and conduct risk assessments of current communication practices. Staff training on secure communication protocols is also essential before September 23.

With the average provider using over five mobile devices and the new breach presumption standard, facilities using unsecured channels could face hundreds or thousands of potential breach notifications. Each unsecured PHI transmission is now presumed a reportable incident.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
