Healthcare organizations are struggling with two key concerns today: how to protect patient information and how to better understand the financial harm caused when protected health information (PHI) is lost or stolen. A new project – led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and its Healthcare Working Group – has been launched to explore the financial impact of unauthorized PHI access. The goal for the “ANSI/Shared Assessments PHI Project” is to identify frameworks for determining the economic impact of any disclosure or breach of protected patient data.
The ANSI/Shared Assessments PHI Project got underway last week with a meeting of its advisory committee. The initiative brings together professionals from across the industry: data security companies, identity theft protection providers and research organizations, legal experts on privacy and security, standards developers, and others.
This effort will culminate in a report targeted at those responsible for and entrusted with protecting and handling PHI. The report will help inform the healthcare industry in making investment decisions to protect PHI, as well as improve responsiveness if and when this patient information is breached.
Rick Kam, president and co-founder of ID Experts, is chairing the initiative. “Organizations that are custodians of healthcare data are grappling with how to calculate their risk exposure when PHI is lost or stolen,” commented Kam. “The ANSI/Shared Assessments PHI Project will inform their investment decisions to protect PHI and will provide guidance on how to respond if this data is compromised.”
The group plans to tackle the problem by identifying existing legal protections related to PHI, defining points of compromise in the healthcare ecosystem where there are risks of exposure, and assessing the financial impacts of the disclosure of PHI. A survey is also contemplated to support the fact-finding process.
Read more on ANSI.
Very interesting article. There actually is a Damages Estimator available to healthcare providers. This calculator was released toward the end of 2010 and delineates/itemizes the financial harm of inappropriate access to PHI – the costs beyond the fines, if you will. This Damages Estimator was developed in collaboration with healthcare providers that previously negotiated settlements with HHS and validated related soft and hard costs. Based upon figures that a user enters, the calculator will project the financial impact to their own institution should they discover a major privacy breach.
It will be interesting to see if the new effort replicates the FairWarning estimates. But even when you tell people, “Look, this is going to cost you BIG TIME if you don’t adequately secure data and protect privacy,” there will still be breaches because of entities do not invest enough time, $, and resources to get it right.
Agreed. I suspect that the ANSI examination will be similar to the Damages Estimator – meaning less about evangelizing fear and more about identifying legitimate institutional risk.