Health care providers today increasingly rely on digital and mobile technologies to deliver patient care – sometimes willingly and sometimes under regulatory pressure. With the proliferation of these technologies come new security and privacy challenges.
The benefits of mobility and online access to patient information cut both ways, as mobility and online access mean that protected health information (PHI) can be more easily compromised when accessible online or made mobile beyond a more secure and stationary environment.
The consequences of a breach of PHI can be severe. Medical identity theft, the fraudulent use of someone’s personal identity to obtain medical services, prescription drugs or devices, is just one potential concern. From 2012 to 2013, medical identity theft increased by 19 percent, with more than 300,000 reported incidences, according to a just released study from the Ponemon Institute.
Aside from the reputational harm a healthcare entity can suffer – more than 50 percent of patients lose trust in their medical provider after a breach – a patient’s health may be jeopardized if their medical file is corrupted or altered as a result of a breach.
The Office of Civil Rights within the Department of Health and Human Services, which enforces the Privacy and Security rules under Health Insurance Portability and Accountability Act (HIPAA) states that within the last three and a half years, there have been approximately 80,000 breaches reported.
Now for the good news…protecting PHI and preventing breaches is not rocket science. But as with any effective security solution, it starts with a thorough risk assessment. In the privacy realm, the first step is to conduct a privacy impact assessment or PIA.
A PIA looks at how information is handled throughout an organization. There are several goals of a PIA. The first is to ensure that information is managed in accordance with applicable legal, regulatory and policy requirements regarding privacy.
This first step will help determine the risks associated with collecting, maintaining and disseminating information in an identifiable form in an electronic information system. And now that these information systems may have mobile devices connected to them, what additional risks and mitigation strategies should be considered. Once risks have been identified, organizations can examine and evaluate alternative processes and security solutions to mitigate potential privacy threats.
Stay tuned for our next installment when we will go into more detail about how to conduct a PIA and examine potential solutions. We will also introduce the concept of “privacy by design” and how adhering to its principles can help healthcare providers protect their patients, comply with privacy regulations under HIPAA and protect their reputations by avoiding privacy breaches.