As new uses for digital health information emerge and access to confidential patient information expands, health organizations—including insurers--are under-prepared to protect patient privacy and secure data, according to a new report released today by the
The long-used privacy and security controls are no longer sufficient to comply with existing privacy laws and patient consent agreements, says PwC. The Institute recommends that health organizations review and update practices and adopt a more integrated approach to ensure that patient information doesn’t fall into the wrong hands.
In its report entitled
The report includes information from a recent nationwide PwC Health Research Institute survey of 600 executives from U.S. hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies.
According to the survey results, organizations are discovering the potential in secondary uses of the information beyond treating patients, such as in clinical studies, post-market surveillance of drugs and the development of new products and services to better understand patient health and behaviors. Yet, PwC found that while many organizations are sharing information, the complexity of consent further increases and few organizations have established proper restrictions and consent agreements to control proper access. PwC’s research found that:
• Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients’ consent for how their information can be used.
• Nearly three quarters (74 percent) of health care organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.
• Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers and 38 percent or providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent) and one in four insurers (25 percent) and providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.
Other research results:
• Theft accounted for 66 percent of total reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise.
• More than one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else’s name and identification.
• More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
• More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
• The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
• The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.
“Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur,” said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC. “Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error loss of a computer or device, lack of knowledge or unintended unauthorized disclosure.”
PwC’s research found that there is considerable concern for the “knowledgeable insider.” On average, improper use of personal health information by an internal party was the leading privacy/security issue experienced by health care organizations over the last two years. Because of lack of awareness or training, breaches can result easily and with greater probability from mishandling of paper documents, people talking in the elevator, or comments made via social media channels. In addition, risks of data breaches and the complexity of consent agreements rises when information is shared with business associates, the source of more than half of reported health data breaches affecting more than 11 million people since 2009. PwC’s survey found:
• More than half of health care organizations allow access to social networking while at work; less than half have a policy covering the use of social media outside of work.
• Less than half (37 percent) of health organizations surveyed incorporate approved uses of mobile devices and social media as part of company privacy training.
• Only 58 percent of providers and 41 percent of health insurers say they include the appropriate use of electronic health records (EHR) as part of employee privacy training.
• Only 36 percent of health organizations perform a pre-contract assessment of their business associates such as business partners and vendors, and just 26 percent conduct post-contract compliance assessments.
Because digitized health data is becoming one of the most highly valued assets in the health industry, all types of organizations are now converging around the shared use of the information to enable new care delivery models such as accountable care organizations, outcomes-based reimbursement and the advance of wellness, preventive and personalized care, notes PwC.
PwC’s research found that the recent increase in breach enforcement actions have prompted health organizations to focus more on privacy and security, and that there is growing recognition of privacy and security compliance as central to maintaining a trusted brand.
“To protect patient trust and their own brand reputation, organizations need to go beyond minimum regulatory requirements and adopt an integrated approach that combines privacy, security and compliance within a culture where all employees see themselves as champions of confidentiality and where privacy is part of the patient experience,” said Peter Harries, principal and co-leader, Health Information Privacy and Security Practice, PwC.
