A report released today by New York-based PricewaterhouseCoopers LLC indicates that a majority of healthcare organizations are under-prepared to protect patient privacy and secure data as new uses for digital information emerge and access to confidential patient information expands. A key takeaway of the report, “Old Data Learns New Tricks,” is that existing privacy and security controls no longer suffice to comply with today’s privacy laws and patient consent agreements. The report says that healthcare organizations need to update their practices and adopt a more integrated approach to make sure that patient information is secure.
The PwC report is based on a survey of 600 executives from U.S. hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies.
Among its findings were:
• Theft accounted for 66 percent of total reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise. Over one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else’s name and identification.
• More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
• More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
• The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
• The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) health insurers improperly transferred files containing protected health information.
Top concerns of health organization executives who were interviewed by the report’s authors included:
• Access in EHRs and sharing of health information. Only 58 percent of providers and 41 percent of health insurers reported including appropriate EHR use as a component of their employee training. Of the healthcare organizations that are sharing data externally, only one quarter have executed data-sharing agreements with all participants.
• Business Associates. Of the 11 million people affected by data breaches in 2009, 55 percent were affected by data breaches involving business associates. Only 39 percent of healthcare organizations perform pre-contract assessments and just 26 percent conduct post-compliance assessments.
• Secondary data. Nearly three-quarters of healthcare organizations said they are using or intend to use some form of secondary data, but half or fewer have addressed or are addressing the associated privacy and security issues.
• Virtual touchpoints. Although healthcare organizations are trying to meet the needs and demands for mobile health and social media, many are struggling with how to manage privacy and security concerns, which may slow progress toward efficiency and flexibility. Fewer than half of the organizations surveyed have included approved uses of social media and mobile devices in company privacy training.
The report’s authors outline four guidelines that can serve as strategies for healthcare organizations.
Integrate privacy, security, and compliance approaches and frameworks. Industry-wide, 69 percent of healthcare organizations said they have integrated, to some extent, their approaches to compliance, privacy, security, and identity theft. Only 28 percent said they have done so to a great extent. Providers have largely underinvested in integrated approaches, focusing only on HIPAA compliance. Yet organizations that have followed an integrated strategy have seen a 10-percent reduction in the number of privacy and security incidents during the past two years, according to James Koenig, director and co-leader of the Health Information Privacy and Security Practice of PwC and an author of the report.
Make minimum controls and standards a prerequisite for potential partners and business associates with whom an organization may share data. Organizations should decide what data to encrypt and maintain a minimal set of internal and external privacy controls. Also, leveraging standards such as HITRUST and ISO can help create a framework that can help an organization to go beyond compliance and manage risk more effectively.
Make all workers privacy champions. Healthcare organizations need to educate their employees about privacy and hold them accountable for it. Privacy and security initiatives should be incorporated into each business unit. In the survey, only 58 percent of providers and 41 percent of health insurers reported including appropriate EHR use as a component of their privacy training for employees.