Risks of Privacy and Security Breaches of Personal Health Data

Nov. 9, 2011
As healthcare providers move to automated health care, the potential for personal health data breaches is significant and increasing, according to a report issued in January by Deloitte Center for Health Solutions, Washington, D.C.

The report, Privacy and Security in Health Care: A Fresh Look, summarizes various security studies over the past year that point to a lack of preparedness on the part of providers for mitigating privacy and security risks. Root causes vary, but include a lack of internal human and capital resources, lack of internal controls over patient information, lack of upper management support, outdated policies and procedures, and inadequate personnel training.

Selected findings of recent studies include:

  • Nearly 85 percent of hospitals are not in compliance with the HITECH Act; and 41 percent of hospitals have at least 10 data breaches annually, according to a 2010 National Survey of Hospital Compliance Executives, which polled 220 hospital executives from 43 states.
  • Last September the Ponemon Institute, in a Benchmark Study on Patient Privacy and Security, said that 60 percent of hospitals had two or more data breaches in the last two years, and that data breaches cost organizations on average $1 million annually.
  • A 2010 HIMSS Security Survey, conducted between September and October, found that nearly 50 percent of respondents indicated that less than 3 percent of their IT budget is allocated for information security. The study polled 272 executives from hospitals, medical practices, payers, home health agencies, military health facilities and HIEs. It concluded that, although awareness of new privacy and security provisions has increased over the prior year, preparedness has not kept pace.

The Deloitte report notes that privacy and security regulations have historically focused on internal security processes. This is no longer the case, as culpability has been expanded to downstream entities. The report recommends three strategies that healthcare organizations can follow to guard against privacy risks:

  • Risk management: Identify and assess data security risks and develop appropriate security controls. This allows organizations to make informed decisions on how to allocate their security resources.
  • Security and privacy program: Develop and implement policies, procedures and training. This creates baseline standards for secure handling of sensitive patient data, and creates awareness within the organization of data privacy and security policies.
  • Compliance: Validate effective risk management and governance. This reduces organizational risk, creates customer trust in an organization’s protection of PHI, and reduces the potential for financial penalties.

The report concludes that as healthcare reform improves the quality, efficiency and coordination of healthcare delivery and payment systems, each participant will be exposed to increased privacy and security risks. It urges stakeholders to take steps now to mitigate those risks.
 
