What is your PHI worth?

By Rick Kam
09:41 AM

A difficult question, to be sure, but it’s a critical one. Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ (PHI) are compromised. Securing PHI is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the recent Third Annual Benchmark Study on Patient Privacy and Data Security.

Jim Pyles, principal at Powers, Pyles, Sutter and Verville, PC, points out that the changing healthcare industry means that liability risks around PHI privacy are continuing to escalate. He says that electronic data breaches are reaching what he calls “epidemic proportions,” particularly with the growing use of electronic records and hard-to-secure mobile devices, as well as the growth of electronic health information systems.

On the legal front, organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule, which gives focus to the issue of PHI security — and which gives the HHS Office for Civil Rights increased enforcement power. Mr. Pyles notes how audits, investigations, fines, and financial settlements relating to violations or alleged violations of federal privacy laws are increasing and driving up the cost of health care.

How do you quantify the value of PHI?
Dick Wolfe, a professor of health care administration at Washington Adventist University, said that many privacy professionals struggle to get sufficient money, time, people, and other resources because the financial impact of PHI protection programs is not always clear.

[Related: Rick Kam's 11 data security tipes for a healthy organization in 2013]

“A successful PHI privacy effort can safeguard an organization’s financial resources against fines and court judgments, protect its reputation as a trusted member of the professional community, protect the career prospects and reputations of individual staff, and earn the respect of accrediting and compliance agencies,” Wolf said. “The task for privacy advocates is to make a strong case to managers that funding effective PHI protection is the right and smart thing to do.”

Once board-level executives understand the value of PHI to their organization, they can make the appropriate level of investment to protect it. Indeed, patient information needs to be as secure as the drug cabinet. You just don’t give people the key and let them have access to it.

5 steps to secure PHI
Mr. Wolfe says an organization needs to go through these steps to develop an effective PHI protection effort:

  1. Formulate a clear concept of how the effort will work. An effective PHI protection program typically involves changes in work processes, technological procedures, and security methods, but, often, cultural changes in the organization are also necessary before real progress can be made.
  2. Develop a written statement of the benefits levels to be gained for the organization and for staff members, by embracing an effective PHI protection effort.
  3. Set reasonable goals and develop a timeline to establish how progress will be judged.
  4. Learn from other organizations and profit from their experiences, both positive and negative.
  5. Recognize that PHI protection is a long-term campaign: lessons will be learned, and changes will have to be made along the way.

With the U.S. Department of Health and Human Services Office for Civil Rights looking to increase enforcement, this is a seminal year for PHI privacy efforts. Making the appropriate level of investment in the people, processes, and tools to protect, detect, and respond to privacy and security incidents must become a top priority in 2013.

Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).

Related articles:

Q&A: On remaining ambiguities in the final HIPAA rule

Not merely lost: What happens to stolen medical records

Are providers rips for a massive medical records heist?

Q&A: Predicting a HIPAA cloud, BAA 'tipping point' comes HIMSS13

Podcast: Probing the final HIPAA rule on privacy and security