Another Reason to Prevent Breaches
Attorney Warns of an 'Insurance Crisis'
Speaking at the Health Privacy Summit June 13 in Washington, Jim Pyles, principal at the healthcare law firm Powers, Pyles, Sutter & Verville, argued that liability insurers will think twice about covering healthcare organizations for the risks involved in using information technology if the costs of dealing with breaches continue to grow.
The Department of Health and Human Services' Office for Civil Rights reports that since the HITECH Act breach notification rule took effect in September 2009, there have been 288 major health information breaches affecting a total of almost 11 million individuals.
Speaking on the same panel, Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, noted that roughly two-thirds of these major breaches stemmed from the loss or theft of portable devices or media.
"There is a tremendous education gap," she stressed. Although electronic health records systems contain numerous security features, including encryption, "the protections are only as good as the implementation," she noted. "And that's where we see a lot of the problems." Security technology must be supported by policies and procedures, "and that's another area of weakness," she added.
The bottom line? If it's been a while since you reviewed your organization's privacy and security policies and procedures, conducted a risk assessment, took action to mitigate the risks it identified, and educated your staff about privacy protections, don't delay. Otherwise, you could wind up on the federal "wall of shame" and face the high costs of dealing with the aftermath of a breach.
Clear Privacy Guidelines Needed
Pyles also contended that HIPAA, the HITECH Act and other regulations designed to protect patient privacy are far too complex. "We need a simple set of privacy standards that are understandable by patients and understandable by those who have to comply with them."
And Gallagher said that physicians and other providers are uncomfortable educating patients about their privacy rights because of their own lack of understanding.
The time has come for federal regulators to work together to articulate a clear set of easily understandable health information privacy standards and then educate providers about how to comply - as well as how to keep their patients well-informed about their rights.