Update: Privacy and Security of Protected Health Information
Omnibus Final Rule and stakeholder considerations
The transforming U.S. health care system is producing an immense volume of information and much rides upon its availability, integrity and confidentiality. However, new care models, health insurance models, mobile health (mHealth) technologies and permeable boundaries among industry stakeholders increase the complexity of managing protected health information (PHI) and compound an already challenging issue.
The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule greatly expands privacy and security standards, compliance actions, breach notification steps and penalties. The new regulations allow for fines of more than $1 million for health record breaches. The permanent HIPAA audit program commences in 2014, and the importance of ongoing risk analysis is a central feature of these audits. Industry stakeholders should consider evaluating their HIPAA privacy and security controls as soon as possible.
This Issue Brief, an update of a 2011 report by the Deloitte Center for Health Solutions, discusses:
- Health care system changes that are increasing the complexity of safeguarding PHI
- Recently released updates to privacy and security regulations, specifically the Omnibus Final Rule
- Four key security and privacy provisions in the Omnibus Final Rule that warrant stakeholder attention
- Potential economic and reputational damage that may arise if organizations lack appropriate HIPAA security and privacy controls
- Stakeholder considerations, including the use of a Security and Privacy Maturity Model to help organizations assess potential capability gaps, define their security and privacy vision and needs and develop appropriate remediation programs.