Protected Health Information should come with a disclaimer – “Handle with Care”

by Rick Kam

Trust is the cornerstone of a solid doctor-patient relationship. If you read the news or listen to experts talk about data breaches in healthcare and other industries, you hear a lot of “doom and gloom” about companies not protecting patients’ sensitive data. It is a big problem with huge financial implications, costing healthcare more than $6.5 billion annually!

The problem is that too many people are talking about the problem, and there has been no real effort to fix it. That “fix it” mentality is what brought the members of the PHI Project together to find answers.

When we launched the PHI Project, there was very little data available specifically on the impact of a breach of health records on a healthcare enterprise, especially the unauthorized disclosure of sensitive patient information such as prescription or mental health records. And there was virtually no data on the impact on a healthcare entity of an unintended disclosure of medical records that results in medical fraud and medical identity theft.

Medical identity theft is when someone else uses your medical identity, such as your health insurance number, to obtain healthcare services and prescriptions. Medical identity theft is costly for the breached enterprises, but it can have deadly consequences for patients.

Consider this: imagine receiving the wrong blood transfusion after a car accident because the medical ID thief’s data had been merged with your electronic health record.

We realized that our energy could have the most impact by providing information and tools to the people who protect patient privacy: CISOs, chief privacy officers, compliance officers and CIOs, or, as we call them, “PHI Protectors.” They need a business case to make additional and appropriate investments. We are advocating in this report that the context of the management conversation must change from a cost and regulatory compliance discussion to an investment decision: a decision to make additional investments to protect patient privacy and the reputation of the healthcare organizations entrusted with PHI.

Our message in this report is this: protecting PHI can be done effectively with the appropriate financial investment. An organization’s reputation for PHI protection is a market advantage and is key to the generation of revenue, the retention of patients, and the productivity of the workforce.

Our hope is that PHI Protectors will read this report and use the information and tools to develop more compelling business cases for enhanced investment to protect sensitive patient information and, in the end, to protect patients.


PHI Project press release

Download the PHI Project report here.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions for protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, the Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.
