More Patient Data Risks, Lawsuits Predicted In 2012

Top 9 Health IT Stories Of 2011

According to experts in healthcare law and information privacy and security, healthcare IT managers can expect to see more patient data breaches in 2012, along with more lawsuits filed by patients as the availability of patient information exchanged over social media sites and mobile devices grows.

These conclusions, published by ID Experts, offer a glimpse into what health CIOs can expect as they seek to protect patient data during a year that promises more of the same challenges they faced last year. In 2011, the healthcare industry had its fair share of patient data breaches, and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) stepped up its oversight activities, handing down fines to healthcare organizations that were lax in meeting their patient privacy obligations.

Rick Kam, president and co-founder of ID Experts and chair of the American National Standard Institute’s (ANSI’s) PHI Project, gave InformationWeek Healthcare his assessment of the forecasts, noting that "the thread that links all of the predictions together is safeguarding. Protected health information (PHI) is truly a patient safety issue, and healthcare data breaches will reach epidemic proportions this year if precautions are not taken."

[Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs.]

On the legal front, Kirk Nahra, partner at the law firm Wiley Rein LLP, predicts that the number of class-action lawsuits will increase in 2012 as patients sue healthcare organizations for failing to protect their health information.

Adam Greene, partner at Davis Wright Tremaine, said the next 12 months will bring greater attention to the 150 HITECH Act audits and publication of the final rules implementing modifications to the Health Insurance Portability and Accountability Act (HIPAA) regulations. Greene also said 2012 will see the OCR more aggressively pursuing enforcement against noncompliance due to "willful neglect." That will result in more financial settlements and fines.

Christine Marciano, president of Cyber Data Risk Managers LLC, said she foresees healthcare organizations increasingly signing up for cyber security and data breach insurance policies to protect themselves and their patients.

However, while insurance can provide some financial protection, other dangers are on the horizon. Larry Walker, president of The Walker Company, a healthcare consulting firm, said this year health providers will continue to outsource many functions, such as billing, to third parties or business associates (BA). But BAs are often considered the weak link in the data privacy and security chain.

Other privacy dangers will come from social media, according to Chris Apgar, CEO and president of Apgar & Associates, LLC. This year will see more physicians and healthcare organizations communicating with patients over social media sites. The misuse of social media will increase, as will the risk of exposure of PHI, Apgar predicts.

Christina Thielst, health administration consultant and blogger, believes the increasing use of tablets, smartphones, and tablet applications in healthcare will force providers to enter agreements that outline written terms of use with employees and contractors using personal devices in a healthcare setting.

With regard to cloud computing, James C. Pyles, principal, Powers Pyles Sutter & Verville PC, said because of security and privacy regulations there will be a demand for more health plans, health care providers, and health care clearinghouses to enter into a carefully worded business associate agreement with a cloud computing vendor before disclosing protected health information. These organizations should ensure that they have adequate cyber security insurance to cover the direct and indirect costs of a breach.

Given these predictions, Kam recommends that health CIOs:

-- Conduct an inventory to find out where protected health information and personally identifiable information exists within their organization and where this information exists at their business associates.

-- Perform a risk assessment to understand where there may be vulnerabilities and risks of unauthorized disclosure, and mitigate the risks you identify.

-- Evaluate relationships with current business associates and contracts to ensure that their organization’s privacy and security requirements are covered. Start with those business associates that present the highest risk.

-- Develop a clear communication plan for reporting unauthorized disclosures caused by the business associates.

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)