TL;DR: The HIPAA Omnibus Rule broadened privacy, security, breach notification, and business associate accountability requirements, while also expanding individual rights to access electronic PHI, according to Zluri. For identity teams, the practical lesson is that PHI protection now depends on governed access, offboarding, and auditability across the full data-handling chain.
NHIMG editorial — based on content published by Zluri: What Is HIPAA Omnibus Rule?
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should healthcare organisations govern access to PHI across business associates?
A: They should treat business associates as first-class identity subjects, not just contractual recipients.
Q: Why do business associates increase HIPAA compliance risk?
A: Business associates increase risk because they expand the number of identities that can touch PHI while making accountability harder to trace.
Q: What breaks when PHI access reviews are too infrequent?
A: Infrequent reviews miss stale access, unintended disclosure paths, and third-party entitlements that no longer match current business need.
Practitioner guidance
- Inventory every PHI access path: map the covered entities, business associates, subcontractors, and IT providers that can touch PHI, and which systems each can reach.
- Tie offboarding to entitlement removal: make revocation of vendor and service-account access a mandatory control step whenever the relationship ends or its scope changes.
- Use access reviews to validate disclosures: review who can disclose PHI, which systems can copy it, and where restrictions such as patient opt-outs or special disclosures are actually enforced.
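The three steps above (inventory the access paths, remove entitlements when a relationship ends, review live grants against approved scope) can be run as one mechanical check rather than a spreadsheet exercise. The script below is an added example written for this post; it is not code from Zluri or NHIMG. The identities, systems, dates, the 90-day key-rotation window and the 60-day dormancy threshold are all constructed or assumed policy values, not figures from the source or from HIPAA itself.

```python
"""Access review of third-party PHI entitlements against an approved inventory.

Added example; all subjects, systems, dates and policy windows are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessPath:
    """One approved identity that may touch PHI (step 1: the inventory)."""
    subject: str                      # vendor, contractor or service-account name
    kind: str                         # business_associate | subcontractor | service_account
    sponsor: str                      # covered-entity team that approved the access
    relationship_end: Optional[date]  # None while the engagement is active
    systems: FrozenSet[str]           # systems this subject is approved to reach
    purpose: str                      # documented reason for the access


@dataclass(frozen=True)
class Entitlement:
    """A live grant observed in a system (IdP group, API key, DB role)."""
    subject: str
    system: str
    credential_type: str              # sso | api_key | db_role
    issued: date
    last_used: Optional[date]         # None if never seen in use


@dataclass(frozen=True)
class Finding:
    subject: str
    system: str
    reason: str                       # stable code, see ACTION_FOR_REASON
    detail: str


ROTATION_WINDOW = timedelta(days=90)  # assumed policy: max age of an API key
DORMANCY_WINDOW = timedelta(days=60)  # assumed policy: unused this long -> confirm need

# Reason -> remediation. "revoke" outranks "rotate", which outranks "confirm".
ACTION_FOR_REASON = {
    "not_in_inventory": "revoke",
    "relationship_ended": "revoke",
    "out_of_scope": "revoke",
    "key_past_rotation": "rotate",
    "dormant": "confirm_need_or_revoke",
}
ACTION_RANK = {"revoke": 0, "rotate": 1, "confirm_need_or_revoke": 2}


def review(paths: List[AccessPath], entitlements: List[Entitlement], today: date) -> List[Finding]:
    """Compare every observed entitlement with the approved PHI access inventory."""
    inventory = {p.subject: p for p in paths}
    findings: List[Finding] = []
    for e in entitlements:
        path = inventory.get(e.subject)
        if path is None:
            # Nobody documented this subject as a PHI access path at all.
            findings.append(Finding(e.subject, e.system, "not_in_inventory", "no approved access path"))
            continue
        if path.relationship_end is not None and path.relationship_end <= today:
            # Step 2: an ended relationship must carry no live entitlement.
            findings.append(Finding(e.subject, e.system, "relationship_ended",
                                    f"relationship ended {path.relationship_end}"))
            continue
        if e.system not in path.systems:
            # Step 3: grant exceeds the scope approved for the stated purpose.
            findings.append(Finding(e.subject, e.system, "out_of_scope",
                                    f"approved only for {sorted(path.systems)} ({path.purpose})"))
        if e.credential_type == "api_key" and today - e.issued > ROTATION_WINDOW:
            findings.append(Finding(e.subject, e.system, "key_past_rotation",
                                    f"issued {e.issued}, older than {ROTATION_WINDOW.days} days"))
        if e.last_used is None or today - e.last_used > DORMANCY_WINDOW:
            findings.append(Finding(e.subject, e.system, "dormant",
                                    f"last used {e.last_used}"))
    return findings


def revocation_plan(findings: List[Finding]) -> Dict[Tuple[str, str], str]:
    """Collapse findings to one action per (subject, system); strongest action wins."""
    plan: Dict[Tuple[str, str], str] = {}
    for f in findings:
        action = ACTION_FOR_REASON[f.reason]
        key = (f.subject, f.system)
        if key not in plan or ACTION_RANK[action] < ACTION_RANK[plan[key]]:
            plan[key] = action
    return plan


# Constructed sample inventory and observed grants (not real organisations).
TODAY = date(2024, 6, 1)
SAMPLE_PATHS = [
    AccessPath("billing-partner", "business_associate", "revenue-cycle", None,
               frozenset({"claims-db", "ehr-export"}), "claims processing"),
    AccessPath("legacy-transcription", "subcontractor", "clinical-ops", date(2024, 3, 31),
               frozenset({"dictation-api"}), "dictation transcription"),
    AccessPath("svc-hl7-bridge", "service_account", "integration", None,
               frozenset({"hl7-feed"}), "ADT message feed"),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("billing-partner", "claims-db", "sso", date(2024, 1, 15), date(2024, 5, 30)),
    Entitlement("billing-partner", "ehr-export", "api_key", date(2024, 1, 15), date(2024, 5, 30)),
    Entitlement("legacy-transcription", "dictation-api", "api_key", date(2023, 11, 1), date(2024, 3, 28)),
    Entitlement("svc-hl7-bridge", "hl7-feed", "db_role", date(2024, 5, 1), date(2024, 5, 31)),
    Entitlement("svc-hl7-bridge", "claims-db", "db_role", date(2024, 5, 1), None),
    Entitlement("it-msp-temp", "ehr-export", "sso", date(2024, 2, 1), date(2024, 5, 20)),
]


def run_sample_review() -> List[Finding]:
    return review(SAMPLE_PATHS, SAMPLE_ENTITLEMENTS, TODAY)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.subject:22} {f.system:14} {f.reason:18} {f.detail}")
    for (subject, system), action in revocation_plan(run_sample_review()).items():
        print(f"PLAN {action:24} {subject}/{system}")
```

On the constructed data the review flags the subcontractor whose engagement ended in March but still holds a live key, the MSP account with no inventory entry, the service account reaching a database outside its approved scope, and the billing partner's key that has outlived the rotation window; the two in-scope, recently used grants produce nothing. The point of ranking actions in `revocation_plan` is that a single (subject, system) pair can trip several checks, and an ended relationship or out-of-scope grant should be revoked regardless of whether the key also needs rotating.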
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The rule-by-rule breakdown of HIPAA Omnibus privacy, security, and breach notification changes
- The specific business associate and subcontractor obligations that affect healthcare vendor management
- The detailed penalty structure and notification thresholds that compliance teams need for policy mapping
- The article's FAQ section on OCR enforcement and the meaning of omnibus in healthcare
👉 Read Zluri's overview of the HIPAA Omnibus Rule and compliance changes →
HIPAA Omnibus Rule and access governance: what teams need now
Explore further
Business associate exposure is an identity governance problem, not just a contract problem. The Omnibus Rule makes downstream parties directly accountable, which means PHI security can no longer stop at the covered entity's perimeter. Access granted to contractors, billing partners, and IT providers must be treated as governed identity with purpose, scope, and removal. The implication is that healthcare programmes need lifecycle control over third-party access, not just legal language in agreements.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when a business associate mishandles PHI?
A: Accountability is shared, but the business associate is directly liable under the Omnibus Rule for its own compliance failures. Covered entities still need to oversee access, contracts, and revocation, because poor governance upstream often becomes the evidence gap downstream.
👉 Read our full editorial: HIPAA Omnibus Rule: what it means for access governance