7 keys to understanding the financial impact of breached PHI

The recently released report, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," highlights the need for organizations to adopt a new method to evaluate the value of PHI, said the leaders of the PHI Project, which consists of standards organization ANSI, the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance.

Here are seven keys to the financial impact of breached PHI, as outlined in the report. 

1. The healthcare ecosystem has expanded to include more organizations, with increased chances of breached PHI. By 2008, 41.5 percent of office-based physicians reported using an EMR system, and today that number has grown even more with the help of incentive programs. The number of stakeholders in the "healthcare ecosystem" has grown as well, and, according to the report, they are responsible for the confidentiality, integrity and availability of data. "The threats to the security of PHI are not specific to one stakeholder group but are ubiquitous throughout the entire ecosystem due to the volume and availability of PHI data..." the report read. "The growing risk of health information privacy liability is occurring at a time when there is significant pressure to reduce spending on healthcare. In addition, the ability to protect health information has not matched the public's expectations for privacy, to the detriment of the finances and reputations of organizations in the healthcare ecosystem." 

2. The laws and regulations have evolved since the enactment of HIPAA. Although protection requirements for PHI evolved slowly at first, said the report, in recent years they have expanded along with the use of EHRs. When HIPAA was enacted in 1996, only covered entities were subject to established standards for the privacy and security of PHI. "Since then, detailed HIPAA Privacy and Security regulations were issued, subjecting only certain 'covered entities' to both privacy and security standards…and the Genetic Information Non-Discrimination Act of 2008 has been enacted, affording special privacy protections for genetic information." In addition, the American Recovery and Reinvestment Act of 2009 was passed, which included incentives for healthcare providers and practitioners to adopt EHRs, along with the HITECH Act, which enhanced privacy rights and increased the penalties for those who violate those rights. 


3. Statistics concerning breaches in recent years, along with the value of personal medical information, have made the public distrustful of the system. The report referenced information collected by the Identity Theft Resource Center, which reported that data breaches are occurring in healthcare at nearly three times the rate seen in banking and finance. It also highlighted notable statistics, such as a thief being able to get $50 on the street for a medical identification number, compared to just $1 for a Social Security number. Stolen information isn't the only kind that puts an organization at risk; "snooping" into a patient's medical records has become yet another liability, with 35 percent of studied breaches involving snooping. "Not surprisingly, the frequent reports of massive breaches of [PHI] have eroded the public's confidence in the ability of healthcare providers and organizations to protect the privacy of PHI," the report read. "Approximately 69 percent of Americans have heard of, or read of, health records being stolen from healthcare providers…a majority of Americans [54 percent] only trust their healthcare providers 'somewhat.'"
