The Security Scrutinizer with Howard Anderson

Another Reason to Prevent Breaches

Attorney Warns of an 'Insurance Crisis'

If you need one more reason to take additional steps to prevent health information breaches, here's something to consider. An attorney argues that if breaches, and their high costs, are not brought under control, "I think where we are headed is to an insurance crisis."

Speaking at the Health Privacy Summit June 13 in Washington, Jim Pyles, principal at the healthcare law firm Powers, Pyles, Sutter & Verville, argued that liability insurers will think twice about covering healthcare organizations for the risks involved in using information technology if the costs of dealing with breaches continue to grow.

The Department of Health and Human Services' Office for Civil Rights reports that since the HITECH Act breach notification rule took effect in September 2009, there have been 288 major health information breaches affecting a total of almost 11 million individuals.

Speaking on the same panel, Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, noted that roughly two-thirds of these major breaches stemmed from the loss or theft of portable devices or media.

"There is a tremendous education gap," she stressed. Although electronic health records systems contain numerous security features, including encryption, "the protections are only as good as the implementation," she noted. "And that's where we see a lot of the problems." Security technology must be supported by policies and procedures, "and that's another area of weakness," she added.

The bottom line? If it's been a while since you reviewed your organization's privacy and security policies and procedures, conducted a risk assessment took action to mitigate risks and educated your staff about privacy protections, don't delay. Otherwise, you could wind up on the federal "wall of shame" and face the high costs of dealing with the aftermath of a breach.

Clear Privacy Guidelines Needed

Pyles also contended that HIPAA, the HITECH Act and other regulations designed to protect patient privacy are far too complex. "We need a simple set of privacy standards that are understandable by patients and understandable by those who have to comply with them."

And Gallagher said that physicians and other providers are uncomfortable educating patients about their privacy rights because of their own lack of understanding.

The time has come for federal regulators to work together to articulate a clear set of easily understandable health information privacy standards and then educate providers about how to comply - as well as how to keep their patients well-informed about their rights.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.