Healthcare industry unprepared for data breach, survey says

November 27, 2009

Companies that work with healthcare organizations and handle private patient information are largely unprepared to meet the new data breach-related obligations included in the Health Information Technology for Economic and Clinical Health Act.

Companies that work with healthcare organizations and handle private patient information via services related to billing, credit, benefits, legal needs, claims processing, insurance brokering, data processing, pharmacy needs, accounting, temporary office personnel placement, and offshore transcription are largely unprepared to meet the new data breach-related obligations included in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

This is the finding of a national survey of such “business associates” and hospitals by HIMSS Analytics, a wholly owned, not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS).

One-third of the business associates surveyed were not aware that they need to adhere to federal Health Insurance Portability and Accountability Act privacy and security requirements, compared with 87 percent of healthcare providers, according to the research, which was commissioned by ID Experts, a data protection company. Eighty-five percent of healthcare providers said that they will take steps to ensure that data held by business associates will not be breached. Nearly half of the hospitals (47 percent) said they would terminate their contracts with their business associates for violations.

“This study highlights the tremendous risk exposure for healthcare organizations,” said Bob Gregg, chief executive officer of ID Experts. “Despite an increase in risk assessments conducted, data breach is on the rise, and patients are at high risk for medical identity theft and fraud, where an unknown person will use an identity to illegally receive benefits or services.”

Results of another survey, the 2009 HIMSS Security Survey, also suggest that many organizations may not be ready to meet some of the HITECH components of the American Recovery and Reinvestment Act legislation and other security challenges.

Nearly all respondents reported that their organizations actively work to determine the cause or origin of security breaches. However, only half reported having a plan in place for responding to threats or incidents related to a security breach.

One-third of respondents reported that their organizations have had at least one known case of medical identity theft. However, most of these organizations reported not experiencing direct consequences from the breach.