A Risk Management Approach to Privacy and Security

Topics: Information Technology, IT Market Analysis, Payer and Regulatory Policy, Market Trends, Strategy, Standards and Regulatory Policy

This is a preview of restricted content.

Full access to this content is reserved for Health Care IT Advisor members. Log in now or learn more about Health Care IT Advisor.

By reading this study, members will understand:

  • How to identify institutional vulnerabilities in data privacy and security strategy
  • How to prevent avoidable violations by minimizing leakage opportunity and limiting inappropriate disclosure of patient information
  • How to hardwire breach mitigation by prioritizing early detection, staying alert, and enabling continuous improvement

Executive Summary

Rising Tide of Breaches Threatening Patient Trust

Recent efforts to accelerate adoption of electronic health records and increase the availability of patient health information to providers stem from the hope that such efforts will lead to significant improvements in care delivery. But those efforts will fail to realize their full potential unless patients have confidence in the privacy and security of the sensitive information stored in such a widely accessible format. Further eroding patient trust is the constant stream of breaches of hospital data.

Recent HIPAA Amendments Raising the Stakes for Violators

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, includes provisions governing the privacy and security of patient health information. Congress further strengthened the privacy and security requirements under HIPAA in conjunction with passage of the HITECH Act by providing greater enforcement. For hospitals, the impact of breaches extends beyond HIPAA noncompliance to significant financial and reputational damage.

Hospital Efforts to Prevent Breaches Falling Short

Even hospitals that were fully compliant with HIPAA prior to the HITECH Act are largely unprepared to meet HIPAA’s new requirements. Internal competition for scarce staffing and capital resources pushes data privacy and security far down the list of priorities. Yet, sooner or later, breaches will force institutions with inadequate privacy and security programs to dedicate resources to compliance after a potentially expensive wake-up call.

Taking a Risk Management Approach to HIPAA

To prevent breaches, hospitals must move beyond HIPAA compliance by adopting a risk management approach to data privacy and security. This report provides a framework to assist hospitals in prioritizing violation prevention, designing policies to minimize the impact of a breach, and allocating resources in a manner reflect of the inherent trade-offs in protecting data from a variety of threats.

Essay: The Growing Burden to Safeguard Electronic Data