
Data Sharing, Privacy and Security

September 22, 2011
Long-held privacy and security controls no longer suffice, according to report

I recently had an opportunity to speak with James Koenig, director and co-leader of the Health Information and Privacy Security Practice at the New York-based PriceWaterhouseCoopers LLP, who expressed some surprise at two findings in a report on privacy and security in the healthcare industry that was released by PwC today. See the related story on data security.

Overall the report is a call to action for healthcare organizations—U.S. hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies—which it maintains are under-prepared to protect patient privacy and secure data as new uses for digital health information emerge and access to confidential patient information expands. It says that existing privacy and security controls simply have not kept pace with the new realities in healthcare, such as increased access to health information through EHRs, greater data collaboration between external partners and business associates, new uses for digital information to improve quality and cost of care, and the rise of social media and mobile technology.

Of special note, Koenig says, is that 75 percent of the healthcare organizations that responded to the survey indicated that they planned to have secondary or some new uses for the health data, yet only half of those same respondents have addressed or are in the process of addressing privacy and security issues. Koenig notes that there are strong and beneficial purposes for seeing health data aggregated into electronic health records and HIEs, which could promote better care and treatments; but he warns that the risks to privacy and security, which have always existed, will only continue to grow given the larger sets of data that are being aggregated for care and cost-effectiveness purposes. Not addressing privacy and security will slow down the trend for using health information for better care and quality analysis purposes, he says.

Secondly, Koenig notes that taking an integrated approach to privacy and security has distinct benefits. According to the report, 69 percent of healthcare organizations said they have integrated, to some extent, their approaches to compliance, privacy, security, and identity theft. Taking an integrated view means that organizations are making their data secure to avoid breaches, and also making sure that the information is used properly for authorized purposes, he says. One of the big questions, for him, is whether privacy and security should be integrated, “because in most healthcare organizations they have not been close together,” he says. “One is more compliance and legal-driven and the other is more security and IT driven.”

He says the survey’s results make the case that an integrated approach bringing the two together has shown significant risk management and risk benefits. Organizations that have taken steps to integrate the privacy and security silos have seen a 10-percent reduction in the number of privacy and security incidents during the past two years. “This is a major improvement for this best practice approach. In the past people have just talked about it; now the evidence supports it,” he says.

I think that Koenig makes legitimate points, and many healthcare organizations are paying attention. He says that over half of the healthcare organizations that responded intend to heighten their privacy and security measures. He adds that IT infrastructures are changing rapidly, and now is the right time for organizations to re-assess their privacy and security safeguards to make sure they are integrated and built-in, not addressed after the fact.



Data security and health information privacy are not the same thing. Data security is making sure only authorized persons can see a particular bit of information. Health information privacy is about who authorizes that access, and whether the interested parties are notified when the patient's information is accessed, authorized or unauthorized.

An important and technically easy way to assist in managing privacy is to simply allow the patient to be notified if their health information is accessed. Most EHRs have a logging mechanism already. These logs could be paired with some simple software to send the patient a notice when their information is accessed.
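The log-to-notice pairing suggested in the comment above, sketched as an added example that is not part of the original article or comment. The CSV audit-log layout, its field names, the `authorized` flag and the 30-minute session window are all assumptions made for illustration; a real EHR audit log will differ.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not from any real EHR).
SAMPLE_LOG = """timestamp,user,role,patient_id,action,authorized
2011-09-22T09:00:05,dr_lee,physician,P001,view_chart,yes
2011-09-22T09:00:40,dr_lee,physician,P001,view_labs,yes
2011-09-22T09:20:00,clerk_7,billing,P001,view_chart,no
2011-09-22T10:15:00,rn_ortiz,nurse,P002,view_chart,yes
2011-09-22T11:30:00,dr_lee,physician,P001,view_chart,yes
"""

# Assumption: repeat accesses by the same user inside this window are one session.
WINDOW = timedelta(minutes=30)


def build_notices(log_text, window=WINDOW):
    """Return {patient_id: [notice, ...]} with one notice per access session."""
    last_seen = {}  # (patient, user, authorized) -> time of that user's latest access
    notices = defaultdict(list)
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        authorized = row["authorized"].strip().lower() == "yes"
        key = (row["patient_id"], row["user"], authorized)
        prev = last_seen.get(key)
        last_seen[key] = when
        if prev is not None and when - prev < window:
            continue  # same session: the patient has already been told
        status = "authorized" if authorized else "UNAUTHORIZED"
        # The notice carries the accessor's role only, not the username or
        # the data viewed, so the message holds no clinical detail.
        notices[row["patient_id"]].append(
            f"{when:%Y-%m-%d %H:%M} your record was accessed "
            f"by a {row['role']} ({status})")
    return dict(notices)


if __name__ == "__main__":
    for patient, lines in build_notices(SAMPLE_LOG).items():
        for line in lines:
            print(patient, "<-", line)
```

Delivery (e-mail, portal message, letter) is left out; the function only decides who is told what, which is where the de-duplication and the authorized/unauthorized distinction have to be settled.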