Healthcare Industry is Under-Prepared to Protect Patient Privacy

Risk of Data Breaches Rises with New Access to Digital Health Information

New healthcare information landscape requires integrated approach that combines compliance, privacy/data usage, security and ID theft

According to a new report released September 22, 2011, by the Health Research Institute at PwC US, the majority of health organizations are under-prepared to protect patient privacy and secure data as new uses for digital health information emerge and access to confidential patient information expands.

Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, says PwC. Health organizations need to update practices and adopt a more integrated approach to ensure that patient information doesn't fall into the wrong hands.

In its report entitled Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground, PwC says that existing privacy and security controls have not kept pace with new realities in healthcare, which include:

• Increased access to information in electronic health records;
• Greater data collaboration with external partners and business associations;
• Emergence of new uses for digital health information to improve the quality and cost of care; and
• Rise of social media and mobile technology to better and more efficiently manage patient health.

The PwC Health Research Institute survey of 600 executives from U.S. hospitals and physician organizations, health insurers, and pharmaceutical and life sciences firms nationwide found:

• Theft accounted for 66 percent of total reported health data breaches over the past two years.
• Medical identity theft appears to be on the rise. Over one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else's name and identification.
• More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
• More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
  • The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
  • The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.

"Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC.

"Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error - loss of a computer or device, lack of knowledge or unintended unauthorized disclosure."

Creating a Culture of Confidentiality

PwC's research found that there is considerable concern for the "knowledgeable insider." On average, improper use of personal health information by an internal party was the leading privacy/security issue experienced by healthcare organizations over the last two years.

Because of lack of awareness or training, breaches can result easily and with greater probability from mishandling of paper documents, people talking in the elevator, or comments made via social media channels.

In addition, risks of data breaches and the complexity of consent agreements rises when information is shared with business associates, the source of more than half of reported health data breaches affecting more than 11 million people since 2009.

PwC's survey found:

• More than half of healthcare organizations allow access to social networking while at work; less than half have a policy covering the use of social media outside of work.
• Less than half (37 percent) of health organizations surveyed incorporate approved uses of mobile devices and social media as part of company privacy training.
• Only 58 percent of providers and 41 percent of health insurers say they include the appropriate use of electronic health records (EHR) as part of employee privacy training.
• Only 36 percent of health organizations perform a pre-contract assessment of their business associates such as business partners and vendors, and just 26 percent conduct post-contract compliance assessments.

Opportunity and Risks of Sharing Health Information

Digitized health data is becoming one of the most highly valued assets in the health industry, and, according to PwC, all kinds of organizations are now converging around the shared use of the information to enable new care delivery models such as accountable care organizations, outcomes-based reimbursement and the advance of wellness, preventive and personalized care.

Organizations also are discovering the potential in secondary uses of the information beyond treating patients, such as in clinical studies, post-market surveillance of drugs and the development of new products and services to better understand patient health and behaviors. Yet PwC found that while many organizations are sharing information, the complexity of consent further increases and few organizations have established proper restrictions and consent agreements to control proper access.

PwC's research found that:

• Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients' consent for how their information can be used.
• Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.
• Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers and 38 percent or providers currently share information externally.
  • Of those organizations, only two in five pharmaceutical and life sciences companies (43 percent) have established contractual, policy or legal restrictions on how the data can be used.
  • Only one in four insurers and providers (25 and 26 percent respectively) have established such restrictions.

A New Integrated Approach to Healthcare Privacy and Security

PwC's research found that the recent increase in breach enforcement actions have prompted health organizations to focus more on privacy and security, and that there is growing recognition of privacy and security compliance as central to maintaining a trusted brand.

"To protect patient trust and their own brand reputation, organizations need to go beyond minimum regulatory requirements and adopt an integrated approach that combines privacy, security and compliance within a culture where all employees see themselves as champions of confidentiality and where privacy is part of the patient experience," said Peter Harries, principal and co-leader, Health Information Privacy and Security Practice, PwC.

Organizations with integrated approaches to privacy and security say that they have realized the benefits, including a significant increase in data security and a slight decrease in the number of privacy/security issues, depending on the extent of their integration.

PwC found that health insurers were more likely than providers and pharmaceutical/life sciences companies to have integrated their approach to a great extent.

About PwC's Health Research Institute (HRI)

PwC Health Research Institute (www.pwc.com/hri) provides new intelligence, perspectives, and analysis on trends affecting all health-related industries. The Health Research Institute helps executive decision makers navigate change through primary research and collaborative exchange. Our views are shaped by a network of professionals with executive and day-to-day experience in the health industry.

About PwC's Health Industries Group

PwC's Health Industries Group (www.pwc.com/healthindustries) is a leading advisor to public and private organizations across the health industries, including healthcare providers, pharmaceuticals, health and life sciences, payers, employers, academic institutions and non-health organizations with significant presence in the health market. Follow PwC Health Industries at http://twitter.com/PwCHealth.

About the PwC Network

PwC firms provide industry-focused assurance, tax and advisory services to enhance value for their clients. More than 161,000 people in 154 countries in firms across the PwC network share their thinking, experience and solutions to develop fresh perspectives and practical advice. See www.pwc.com for more information.

© 2011 PwC. All rights reserved. "PwC" and "PwC US" refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Press Release posted at: http://www.marketwatch.com/story/health-industry-under-prepared-to-protect-patient-privacy-risk-of-data-breaches-rise-with-new-access-to-digital-health-information-says-pwc-2011-09-22

Download a copy of the complete article by clicking here or on the PDF button at top right.