Study: Health Care Orgs "Largely Unprepared" for Data Breaches

Health insurers may want to think twice before trusting hospitals with any sensitive data. According to new research released yesterday by HIMSS Analytics, business associates of health care organizations are largely unprepared to meet the new data breach-related obligations included in the HITECH Act.

Results of a national survey of hospitals and business associates to check the state of health care vulnerability to data breach revealed that 33% of business associates surveyed were not aware that they need to adhere to federal HIPAA privacy and security requirements, compared to 87% of health providers. Business associates are defined as groups that handle private patient information for health care organizations, including billing and credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel and offshore transcription vendors.

Survey results found that hospitals and health providers are taking action in the following ways:

• 85% of health providers said they would take steps to ensure that data held by business associates will not be breached

• 47% of hospitals said they would actually terminate their contracts with their business associates for violations

“Business associates could represent a risk to healthcare organizations, especially hospitals,” said Lisa Gallagher, HIMSS senior director, privacy and security. “The lack of awareness of new federal regulations by business associates, coupled with the large number of third-parties hired by hospitals to control costs through outsourcing, points to a potential area of concern. Hospitals, in partnership with their business associates, need to actively prepare to comply with the new rules when these breaches happen.”

The research also found that:

• 50% of large hospitals experienced at least one data breach this year

• 68% of all hospitals indicated that the HITECH Act’s expanded breach notification requirements will result in the discovery and reporting of more incidents, and 57% reported that they now have a greater level of awareness of data breaches and breach risk

• 90% indicated they have changed or plan to change policies and procedures to prevent and detect data breaches

“This study highlights the tremendous risk exposure for health care organizations,” said Bob Gregg, CEO of ID Experts, a service provider specializing in the prevention of data breaches, which commissioned the study. “Despite an increase in risk assessments conducted, data breach is on the rise and patients are at a high risk level for medical identity theft and fraud where an unknown person will use an identity to illegally receive benefits or services.”
