
HIPAA Omnibus Rule Checklist

The U.S. Department of Health and Human Services (HHS) has taken action to strengthen privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.

Following is a list of suggested steps toward compliance with the new rules. It is intended only as a general overview of some of the important provisions of the omnibus final rule, not as an exhaustive checklist.

  • Designate an individual to be the privacy officer and security officer.
  • Update the Notice of Privacy Practices to reflect the following changes: an authorization is required before psychotherapy notes are released; an authorization is required before Protected Health Information (PHI) is used or disclosed for marketing or for the sale of PHI; patients have the right to opt out of fundraising communications; patients have the right to restrict disclosure to a health plan of information about an item or service they have paid for out of pocket in full; health plans may not use or disclose genetic information for underwriting purposes; and patients have the right to be notified following a breach of their unsecured PHI.
  • Redraft HIPAA policies and procedures to address the changes in the Notice of Privacy Practices, breach risk assessment, Business Associates, and patients' right of access to electronic copies of their records.
  • Update the medical record request form so that a patient whose record is maintained electronically can ask for an electronic copy.
  • Update Business Associate Agreements (BAAs) with every Business Associate that creates, receives, maintains, or transmits patient PHI on your behalf. Under the omnibus rule, Business Associates include vendors that provide data transmission services and require routine access to PHI (as opposed to mere conduits), as well as subcontractors that handle PHI for a Business Associate. The BAA must require the Business Associate to comply with the Security Rule and the applicable Privacy Rule provisions, to obtain a written BAA from each of its subcontractors, and to report breaches of PHI to you. Business Associates are now directly liable under HIPAA for these obligations.
  • Encrypt PHI at rest and in transit in a manner consistent with HHS guidance (which references the NIST encryption standards), and ensure that your Electronic Health Record (EHR) is certified. PHI encrypted in this way is not "unsecured" PHI, so its loss or theft does not trigger breach notification, provided the decryption key was not compromised along with the data. Verify that keys are stored separately from the encrypted data and that the encryption is actually enabled on laptops, portable media, and backups, since unencrypted portable devices account for many reportable breaches.
  • Update breach notification compliance plan.
  • Create a log documenting each breach risk assessment (including the four factors considered and the conclusion reached) and every breach notification sent. This documentation must be retained for at least six years.
  • Implement a process for disclosing proof of immunization to a school that state law requires to have it, based on documented agreement (written or oral) from the parent, guardian, or patient rather than a written authorization.
  • Implement a form for patient requests to restrict disclosure of PHI to a health plan.
  • Implement a HIPAA Privacy and Security Awareness Training Program for all employees, educate and train staff on the new regulations, and document the training.


Authored by
CAP's Risk Management & Patient Safety Department


If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.
