By NHI Mgmt Group Editorial Team | Published 2025-06-26 | Domain: Governance & Risk | Source: Zluri

TL;DR: The HIPAA Omnibus Rule broadened privacy, security, breach notification, and business associate accountability requirements, while also expanding individual rights to access electronic PHI, according to Zluri. For identity teams, the practical lesson is that PHI protection now depends on governed access, offboarding, and auditability across the full data-handling chain.


At a glance

What this is: The HIPAA Omnibus Rule extends privacy and security obligations across covered entities and business associates, while tightening breach notification and patient access rights.

Why it matters: It matters because healthcare identity programmes have to control who and what can reach PHI across human, non-human, and third-party access paths, not just inside one organisation.



Context

The HIPAA Omnibus Rule (the 2013 final rule that implemented the HITECH Act changes) is a healthcare privacy and security expansion, not just a legal update. It widens accountability to business associates and their subcontractors, strengthens breach notification expectations, and pushes organisations toward more disciplined access control over protected health information.

For identity teams, the important shift is that PHI protection now depends on lifecycle governance across the entire access chain. That includes human users, service accounts, and third-party systems that can read, move, or disclose health data under contract and under policy.

In practice, that means access reviews, offboarding, and entitlement visibility matter as much as encryption and policy language. A healthcare programme that cannot answer who has PHI access, how it is granted, and how it is revoked will struggle to satisfy the rule's spirit, not just its audit language.


Key questions

Q: How should healthcare organisations govern access to PHI across business associates?

A: They should treat business associates as first-class identity subjects, not just contractual recipients. That means assigning owners, documenting purpose, limiting scope, and revoking access when the relationship changes. Access reviews need to include subcontractors and delegated systems so PHI exposure does not persist after the work ends.

Q: Why do business associates increase HIPAA compliance risk?

A: Business associates increase risk because they expand the number of identities that can touch PHI while making accountability harder to trace. If access is not lifecycle-managed, an external party can retain entitlements after the business need has disappeared. That creates both privacy exposure and weak audit evidence.

Q: What breaks when PHI access reviews are too infrequent?

A: Infrequent reviews miss stale access, unintended disclosure paths, and third-party entitlements that no longer match current business need. In healthcare, that can turn a routine access issue into a breach or enforcement problem because the organisation cannot show who was authorised to see PHI at the time.

Q: Who is accountable when a business associate mishandles PHI?

A: Accountability is shared. Under the Omnibus Rule a business associate is directly liable for its own failures to comply with the Security Rule and with the Privacy Rule provisions that apply to it, and a covered entity can also be held liable for the acts of a business associate that is acting as its agent. Covered entities therefore still need to oversee access, contracts, and revocation, because poor governance upstream usually becomes the evidence gap downstream.


Technical breakdown

Business associate liability and access boundaries

The Omnibus Rule matters because it pushes responsibility beyond the covered entity. Business associates and subcontractors that touch PHI are no longer just downstream processors in a contractual sense; they become direct compliance subjects for privacy and security obligations. That changes how access should be modelled: not as a static trust extension, but as a governed chain of identities with clearly bounded authority. In identity terms, the control problem is not only who can authenticate, but who is allowed to retain access after the relationship changes. Practical implication: treat every external access path as a lifecycle-managed identity boundary.

Practical implication: map every business associate entitlement to an owner, purpose, and removal path before PHI access is granted.

Breach notification, risk analysis, and evidence

The rule's breach provisions shift organisations toward faster determination, better documentation, and more defensible risk analysis: an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, weighing the nature of the data, who received it, whether it was actually acquired or viewed, and how far the exposure was mitigated. When a disclosure or access event occurs, teams therefore need evidence about what data was involved, who accessed it, whether the access was permissible at the time, and whether safeguards were actually operating. That is an identity problem as much as a legal one because the answer depends on logs, entitlement state, and revocation ability. If access controls are opaque, the organisation cannot reliably support breach assessment or notification decisions. Practical implication: build PHI access logging and entitlement review into the evidence pack for breach triage.

Practical implication: ensure access logs and entitlement records are retained long enough to support breach assessment and a response to the HHS Office for Civil Rights (OCR). HIPAA requires Security Rule documentation to be kept for six years (45 CFR 164.316(b)(2)), and a point-in-time entitlement history is only useful if the grant and revoke records survive for at least as long as the logs they explain.
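The two passages above (mapping every business associate entitlement to an owner, purpose and removal path, and answering the breach-triage question of who was authorised at the time) are served by one added example. It is not code from Zluri or from the NHIMG page; it assumes a hypothetical entitlement register exported as grant/revoke events, a hypothetical business associate register carrying owner, purpose, agreement end date and permitted scopes, and last-use dates taken from access logs. Every identity, system, date and the 90-day review threshold is constructed sample data.

```python
"""Point-in-time PHI entitlement reconstruction and business associate review.

Added example, not code from Zluri or the NHIMG page. All identities,
systems, dates and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple, Union

Key = Tuple[str, str, str]  # (subject, resource, scope)


@dataclass(frozen=True)
class Event:
    when: date
    action: str    # "grant" or "revoke"
    subject: str   # human user, service account or business associate system
    resource: str  # PHI system or dataset
    scope: str     # entitlement, e.g. "read" or "export"


@dataclass(frozen=True)
class BusinessAssociate:
    owner: Optional[str]          # accountable internal owner, None if never assigned
    purpose: str                  # purpose recorded in the BA agreement
    agreement_end: Optional[date]  # end of the agreement, None if open-ended
    allowed_scopes: FrozenSet[str]


# Constructed grant/revoke history (hypothetical systems and identities).
EVENTS: List[Event] = [
    Event(date(2025, 1, 10), "grant", "billing-vendor-svc", "ehr-claims", "read"),
    Event(date(2025, 1, 10), "grant", "billing-vendor-svc", "ehr-claims", "export"),
    Event(date(2025, 2, 1), "grant", "it-msp-admin", "ehr-db", "read"),
    Event(date(2025, 3, 1), "grant", "analytics-sub-svc", "ehr-warehouse", "read"),
    Event(date(2025, 3, 1), "grant", "analytics-sub-svc", "ehr-warehouse", "export"),
    Event(date(2025, 3, 15), "revoke", "billing-vendor-svc", "ehr-claims", "export"),
    Event(date(2025, 5, 20), "grant", "dr.jones", "ehr-db", "read"),
    Event(date(2025, 6, 1), "revoke", "it-msp-admin", "ehr-db", "read"),
]

# Constructed BA register. analytics-sub-svc is a subcontractor whose
# agreement lapsed and which was never assigned an internal owner.
BUSINESS_ASSOCIATES: Dict[str, BusinessAssociate] = {
    "billing-vendor-svc": BusinessAssociate("revenue-cycle-lead", "claims processing",
                                            date(2025, 12, 31), frozenset({"read"})),
    "it-msp-admin": BusinessAssociate("it-director", "infrastructure support",
                                      date(2025, 5, 31), frozenset({"read"})),
    "analytics-sub-svc": BusinessAssociate(None, "population health analytics",
                                           date(2025, 5, 31), frozenset({"read"})),
}

# Constructed last-use dates derived from access logs (missing key = never used).
LAST_USED: Dict[Key, date] = {
    ("billing-vendor-svc", "ehr-claims", "read"): date(2025, 6, 20),
    ("analytics-sub-svc", "ehr-warehouse", "read"): date(2025, 3, 20),
    ("dr.jones", "ehr-db", "read"): date(2025, 6, 25),
}

STALE_AFTER = timedelta(days=90)  # assumed review threshold, not a HIPAA figure


def _as_date(value: Union[date, str]) -> date:
    """Accept either a date or an ISO-8601 string (incident times usually arrive as text)."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def entitlements_at(events: List[Event], at: Union[date, str]) -> Set[Key]:
    """Replay grants and revokes in date order to reconstruct the entitlements active on `at`."""
    at = _as_date(at)
    active: Set[Key] = set()
    for e in sorted(events, key=lambda ev: ev.when):  # stable sort keeps same-day order
        if e.when > at:
            break
        key = (e.subject, e.resource, e.scope)
        if e.action == "grant":
            active.add(key)
        elif e.action == "revoke":
            active.discard(key)
        else:
            raise ValueError(f"unknown action {e.action!r}")
    return active


def was_authorised(events: List[Event], subject: str, resource: str,
                   scope: str, at: Union[date, str]) -> bool:
    """Breach-triage question: did this identity hold this entitlement on `at`?"""
    return (subject, resource, scope) in entitlements_at(events, at)


def review_business_associates(events: List[Event], bas: Dict[str, BusinessAssociate],
                               last_used: Dict[Key, date],
                               today: Union[date, str]) -> List[Tuple[Key, str]]:
    """Flag BA entitlements that are ownerless, past agreement end, out of scope or unused."""
    today = _as_date(today)
    findings: List[Tuple[Key, str]] = []
    for key in sorted(entitlements_at(events, today)):
        subject, _resource, scope = key
        ba = bas.get(subject)
        if ba is None:
            continue  # internal identity; assumed to be covered by the workforce review
        if ba.owner is None:
            findings.append((key, "no accountable owner"))
        if ba.agreement_end is not None and today > ba.agreement_end:
            findings.append((key, f"active after agreement end {ba.agreement_end}"))
        if scope not in ba.allowed_scopes:
            findings.append((key, f"scope '{scope}' not covered by purpose '{ba.purpose}'"))
        used = last_used.get(key)
        if used is None or today - used > STALE_AFTER:
            findings.append((key, "unused beyond review threshold"))
    return findings


def run_review(today: Union[date, str] = "2025-06-26") -> List[Tuple[Key, str]]:
    """Run the review over the constructed data as of `today`."""
    return review_business_associates(EVENTS, BUSINESS_ASSOCIATES, LAST_USED, today)


if __name__ == "__main__":
    # Hypothetical incident on 2025-05-15: was the MSP account entitled at the time?
    print(was_authorised(EVENTS, "it-msp-admin", "ehr-db", "read", "2025-05-15"))
    for key, reason in run_review():
        print(key, "->", reason)
```

The review deliberately works from the replayed entitlement history rather than from the current state of the directory, so the same function answers both the recertification question (what is live now) and the triage question (what was live on the day of the incident); if only a snapshot is kept, the second question cannot be answered and the breach assessment turns into a reconstruction exercise.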

Patient access rights and controlled disclosure

The rule expands individual rights to obtain copies of PHI, including electronic copies where the data is held electronically, to restrict disclosures to a health plan for care the patient has paid for in full out of pocket, and it tightens the limits on using PHI for marketing, fundraising, and sale. That means identity governance must support precise, auditable access paths for legitimate retrieval while preventing casual oversharing into marketing, fundraising, or unnecessary downstream systems. The control challenge is deciding which identity can disclose what, to whom, and under what condition. For healthcare programmes, this is where policy and access orchestration meet: the right data must be retrievable without turning broad access into broad exposure. Practical implication: align disclosure workflows with least-privilege entitlements and review them as part of lifecycle governance.

Practical implication: review disclosure workflows so access rights and patient restrictions are enforced consistently across systems.


NHI Mgmt Group analysis

Business associate exposure is an identity governance problem, not just a contract problem. The Omnibus Rule makes downstream parties directly accountable, which means PHI security can no longer stop at the covered entity's perimeter. Access granted to contractors, billing partners, and IT providers must be treated as governed identity with purpose, scope, and removal. The implication is that healthcare programmes need lifecycle control over third-party access, not just legal language in agreements.

PHI access becomes a lifecycle issue the moment organisations rely on subcontractors. The rule's expanded coverage reveals that many healthcare environments are functionally multi-tenant from an identity perspective. A third party that keeps access after a service change creates the same governance failure as any orphaned credential. Practitioners should understand that offboarding and recertification are compliance controls, not administrative extras.

Controlled disclosure is the concept this rule most directly reinforces. PHI must be retrievable for care, audit, and patient rights, but not so broadly that business use bleeds into disclosure sprawl. That balance fails when identity systems cannot distinguish legitimate retrieval from secondary use. The implication is that healthcare teams need disclosure-aware identity governance across human and non-human access paths.

Access evidence is now part of compliance evidence. The rule's breach and enforcement posture rewards organisations that can prove who accessed PHI, under what authority, and whether that access ended when it should have. Weak entitlement visibility turns every audit into a reconstruction exercise. The practical conclusion is that auditability must be built into identity operations, not appended after a request arrives.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For lifecycle governance, the NHI Lifecycle Management Guide explains how to structure provisioning, rotation, and offboarding controls around identity evidence.

What this signals

The next stage for healthcare identity programmes is to make PHI access auditable end to end, including third-party access paths, delegated systems, and non-human identities. The compliance question is no longer whether access exists, but whether it can be proven, scoped, and withdrawn without delay.

Disclosure boundary drift: when PHI is copied into multiple systems, the original policy intent often gets lost. Teams should watch for entitlement growth that outpaces the business associate agreement, because that is where audit gaps and privacy leakage usually begin.

In healthcare, NIST Cybersecurity Framework 2.0 remains useful as a language for governance, but the operational burden sits in identity lifecycle controls. Organisations that cannot connect PHI access to ownership, review cadence, and revocation evidence will keep rediscovering the same compliance gaps.


For practitioners


Key takeaways

  • The Omnibus Rule turns PHI protection into an access governance problem that extends across business associates and subcontractors.
  • The rule's biggest operational challenge is not policy language, but proving who had access, for what purpose, and when that access ended.
  • Healthcare teams that align entitlement reviews, offboarding, and disclosure controls will be better positioned for both breach response and audit readiness.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 supply the governance and control vocabulary practitioners can use to structure the work; the binding requirement remains HIPAA itself, and these frameworks are the means of demonstrating that its access, audit and risk-analysis obligations are met.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (formerly PR.AC-4 in CSF 1.1) | PHI access and third-party governance map to least-privilege management and review of access permissions and entitlements.
NIST Zero Trust (SP 800-207) | Policy enforcement and continuous verification | PHI should be accessed through continuously verified identity and device trust.
NIST SP 800-63 | Identity assurance and federation | Assurance levels and federation matter where users or partners access PHI remotely.

Map PHI entitlements to CSF 2.0 PR.AA-05 (PR.AC-4 in CSF 1.1) and verify every business associate has a documented removal path.


Key terms

  • Business Associate: A business associate is an external party that creates, receives, maintains, or transmits protected health information while performing functions or services for a covered entity; since the Omnibus Rule, a subcontractor that handles PHI for a business associate is itself a business associate. In practice, it becomes part of the identity governance perimeter and must be managed with explicit scope, oversight, and removal controls when access is no longer needed.
  • Protected Health Information: Protected health information is health data that can identify a person and is covered by HIPAA privacy and security rules. For identity teams, the important point is not just what the data is, but which human and non-human identities can reach it, copy it, disclose it, or keep it after the business need ends.
  • Breach Notification: Breach notification is the process for determining, documenting, and reporting impermissible access or disclosure of PHI. It depends on evidence from identity systems, logs, and entitlement records, because organisations must show what happened and whether access was authorised or compromised.
  • Disclosure Boundary: A disclosure boundary is the point where permitted internal access becomes an external share, export, or secondary use of data. In healthcare, these boundaries matter because privacy failures often happen when identity controls allow copying or forwarding PHI beyond the original approved purpose.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: What Is HIPAA Omnibus Rule? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org