PwC: Health industry under-prepared to protect privacy

Mike Miliard, Editor, Healthcare IT News

A new report from PwC's Health Research Institute indicates that most health organizations aren't properly prepared to protect patient privacy and secure personal health information.

Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, say PwC officials – who emphasize that health organizations need to update their practices and adopt a more integrated approach to ensure that patient information doesn't fall into the wrong hands.

The report, titled "Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground," shows how existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in electronic health records; greater data collaboration with external partners and business associates; the emergence of new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to manage patient health better and more efficiently.

A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found:

  • Theft accounted for 66 percent of total reported health data breaches over the past two years. Medical identity theft also appears to be on the rise: over one-third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else's name and identification.
  • More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
  • More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
  • The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
  • The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.

"Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC. "Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error - loss of a computer or device, lack of knowledge or unintended unauthorized disclosure."

A culture of confidentiality
PwC's research found considerable concern about the "knowledgeable insider." On average, improper use of personal health information by an internal party was the leading privacy/security issue experienced by healthcare organizations over the last two years. Because of a lack of awareness or training, breaches can result easily, and with greater probability, from mishandling of paper documents, people talking in the elevator, or comments made via social media channels. In addition, the risks of data breaches and the complexity of consent agreements rise when information is shared with business associates, the source of more than half of reported health data breaches affecting more than 11 million people since 2009.

PwC's survey found:

  • More than half of healthcare organizations allow access to social networking while at work; less than half have a policy covering the use of social media outside of work.
  • Less than half (37 percent) of health organizations surveyed incorporate approved uses of mobile devices and social media as part of company privacy training.
  • Only 58 percent of providers and 41 percent of health insurers say they include the appropriate use of electronic health records (EHR) as part of employee privacy training.
  • Only 36 percent of health organizations perform a pre-contract assessment of their business associates such as business partners and vendors, and just 26 percent conduct post-contract compliance assessments.

Opportunities and risks
Digitized health data is becoming one of the most highly valued assets in the health industry, and, according to PwC, all kinds of organizations are now converging around the shared use of the information to enable new care delivery models such as accountable care organizations, outcomes-based reimbursement and the advance of wellness, preventive and personalized care.

Organizations are also discovering the potential of secondary uses of the information beyond treating patients, such as clinical studies, post-market surveillance of drugs, and the development of new products and services to better understand patient health and behaviors. Yet PwC found that while many organizations are sharing information, consent is becoming more complex, and few organizations have established the restrictions and consent agreements needed to control access. PwC's research found that:

  • Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients' consent for how their information can be used.
  • Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.
  • Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers and 38 percent of providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent), one in four insurers (25 percent) and one in four providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.

A new approach
PwC's research found that the recent increase in breach enforcement actions has prompted health organizations to focus more on privacy and security, and that there is growing recognition of privacy and security compliance as central to maintaining a trusted brand.

"To protect patient trust and their own brand reputation, organizations need to go beyond minimum regulatory requirements and adopt an integrated approach that combines privacy, security and compliance within a culture where all employees see themselves as champions of confidentiality and where privacy is part of the patient experience," said Peter Harries, principal and co-leader, Health Information Privacy and Security Practice, PwC.

Organizations with integrated approaches to privacy and security say they have realized the benefits, including a significant increase in data security and a slight decrease in the number of privacy/security issues, depending on the extent of their integration. PwC found that health insurers were more likely than providers and pharmaceutical/life sciences companies to have integrated their approach to a great extent.

A full copy of PwC's report can be found here.