
HIPAA Omnibus Changes – Just One Week Left

One week. That’s all that remains between now and September 23rd, the date on which the HIPAA Omnibus regulations go into effect. Covered entities under the law should have already completed most of the long-term compliance work the regulations require – e.g., updating their Business Associate Agreements, revising their Notices of Privacy Practices, completing a detailed risk assessment – but the biggest change that goes into effect in seven days is the shift in the presumption of what constitutes a breach.


In many ways, we’re coming off what seemed to be the summer of the data breach. A large number of breaches were reported by both covered entities and business associates, and the wave of reported breaches was punctuated by the second-biggest ever in healthcare, at Advocate. However, despite the increasing number and magnitude of these breaches, they were reported to HHS under a very conservative standard. On September 23 this radically changes.

The Current State of Healthcare Security

Under the current standard, whenever a covered entity or a business associate learns of a security incident, the law allows the entity to presume that a data breach did not occur unless the data compromised presents a significant risk of financial or reputational harm. So let’s say one of your healthcare providers loses his phone. Despite the fact that he was text messaging other providers regarding a patient, the trace amount of PHI and the absence of things like Social Security numbers will probably allow you to shelter under this presumption and designate the event as a security incident rather than a data breach. Over the last few years, thousands of providers did just that.

The Omnibus Standard in Healthcare Security


Under the Omnibus standard, this event would almost certainly be a data breach. That is because the Omnibus rule requires covered entities to presume a data breach occurred unless, through a risk assessment, they can demonstrate that it was unlikely that the data in question was compromised. We’ve talked about this before, but presumptions are everything in the legal world. It’s a staggering difference: think “innocent until proven guilty” versus “guilty until proven innocent.”

Combined with the looming HIPAA Audit Program, this presumption change presents a major compliance risk to covered entities and business associates alike. Account for your possible PHI weak points now to avoid being in the unenviable position of having to prove your innocence months down the road.

Frequently Asked Questions


Under the old standard, entities could presume no breach occurred unless there was significant risk of harm. The new Omnibus standard requires entities to presume a breach did occur unless they can prove through risk assessment that data compromise was unlikely.

Business associates are now directly liable under HIPAA and must update their agreements to reflect new compliance requirements. Both covered entities and business associates must ensure their contracts address the stricter breach notification and risk assessment standards.

Organizations must immediately conduct a thorough risk assessment to determine if the incident constitutes a breach. They can only avoid breach reporting requirements if they can demonstrate that data compromise was unlikely through documented analysis.

Yes, all HIPAA covered entities regardless of size must comply with the Omnibus rule changes. Small practices face the same breach presumption standards and must complete risk assessments, update privacy notices, and revise business associate agreements.

Non-compliance can result in significant penalties through HHS enforcement actions and the HIPAA Audit Program. Organizations may face fines, corrective action plans, and increased regulatory scrutiny for failing to properly assess and report breaches.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
