PORTLAND, OR –
A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.
They suggest that as health information exchanges take form, millions of patient records – soon to be available as digital files – will create the potential for unauthorized access, violation of new data breach laws and exposure to the threat of medical and financial identity theft.
"Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance (and) policy plaguing the healthcare industry," said Larry Ponemon, chairman and founder of the Ponemon Institute.
"Millions of patients are at risk for medical and financial identity fraud due to inadequate information security," he said. "Information security in the healthcare industry is at the fulcrum of economic, technological and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges – but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it.”
The top predictions for 2011 include:
Health information exchanges, many of which will be launched by inexperienced and understaffed organizations, will force more attention on security and privacy.
"The healthcare industry is on the verge of a major shift," said Ernie Hood, vice president and CIO of the Group Health Cooperative, one of the nation's largest consumer-governed healthcare systems. "Organizations are venturing into the electronic world for the first time as practices implementing electronic health records and states are launching health information exchanges. A surge of new data will be brought online by a lot of inexperienced organizations fueled by monetary government incentives. Mistakes are a certainty.”
There will be increased fines and regulatory action by state attorneys general and regulatory agencies.
"In 2011, we can expect that the Department of Health and Human Services’ Office for Civil Rights will be gearing up its proactive audits," said Cliff Baker, managing partner for Meditology, a healthcare IT risk management and deployment services firm. "Where does this leave OCR audits in 2011? They're probably directed at those organizations that have breaches attributable to known and published high-risk areas. Look for those organizations to be dealing with OCR auditors camped out at their facilities in 2011."
Data breaches and associated costs will increase as penalties for information security negligence are acted on.
"As healthcare information becomes more mobile, issues with security will only become increasingly complex," said Sandeep Tiwari, CEO of Zafesoft, a provider of information security and control software. "Healthcare is a mammoth space that changes and moves slowly, but when it does, it moves en masse. In the case of PHI/PII the laws were ahead of the technology.”
"To date, there have been no secure audit trails, which impacts the effectiveness of the laws. If we can't track how and when private and personal information is accessed, we will never secure it," Tiwari said.
Hospital governing boards will exert their power to manage data breach risks in order to increase accountability and fiduciary responsibility.
"Patient health information data breaches are one of the most significant legal and public trust risks facing hospital governing boards, which are legally and ethically accountable for the results of a breach. The board of trustees has a fundamental fiduciary responsibility to ensure that patients' health information is safe and secure at all times," said Larry Walker, president of The Walker Company, a governance consultant to healthcare organizations.
"To do this, boards must establish the prevention of data breaches as a critical organizational priority, ensure that financial resources sufficient to achieve the objective are made available and require periodic updates from senior management on data breach risks and methods being utilized to close potential breach gaps. This should be one of the critical agenda items for hospital and health system boards in 2011," said Walker.
A significant "data spill" is inevitable and will bring national attention to the issue.
"2011 will be the year that Americans recognize they can't control personal health information in health IT systems and data exchanges," said Deborah Peel, MD, practicing physician and founder of Patient Privacy Rights, a health privacy watchdog. "Will 2011 be the year that data security and privacy are the top of the nation's agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don't do it right in healthcare, we won't have any privacy in the digital age.”
There will be heightened patient awareness and concern over the security of private medical data.
"I am seeing organizations shift their focus from implementation of electronic health records to a focus on the next phase of meaningful use, specifically how they are going to share patient records though health information exchanges," said Rick Kam, president and co-founder of ID Experts, a provider of data breach solutions.
"There will also be more concern over accountability if PHI is breached. How will a patient know who is responsible when a health information exchange has a data breach? Who will they hold accountable to fix the problem and for the financial, reputational and other damage they experience?" Kam asked.
The finalization of data breach notification rules by the Department of Health and Human Services could remove the controversial "harm threshold" provision that determines whether notification is required when an incident occurs, Kam said. If removed, he added, this will create a risk of over-notification and desensitization of patients.
