Rick Kam, President - CIPP/US March 05, 2012

Protected Health Information should come with a disclaimer – “Handle with Care”

Trust is the cornerstone of a solid doctor-patient relationship. If you read anything in the news or listen to experts talk about data breaches in healthcare and other industries, you hear a lot of “doom and gloom” about companies not protecting patients’ sensitive data. It’s a big problem with huge financial implications, costing healthcare more than $6.5 billion annually!

The problem is, too many people are talking about the problem and there have been no real efforts to fix it. That “fix it” mentality is what brought the members of the PHI Project together to kick off a project to find answers.

When we launched the PHI Project, there was very little data available specifically on the impact of a breach of health records on a healthcare enterprise, especially the unauthorized disclosure of sensitive patient information such as prescription or mental health records. And there was virtually no data on the impact on a healthcare entity of an unintended disclosure of medical records resulting in medical fraud and medical identity theft.

Medical identity theft is when someone else uses your medical identity, such as your health insurance numbers, to obtain healthcare services and prescriptions. Medical identity theft is costly for the breached enterprises, but it can have deadly consequences for patients.

Consider this: imagine getting the wrong blood transfusion if you were in a car accident because the medical ID thief’s data was merged with your electronic health record.

We realized that our energy could have the most impact by providing the information and tools to help the people that protect patient privacy (CISOs, chief privacy officers, compliance officers and CIOs), or as we call them, “PHI Protectors.” They need a business case to make additional and appropriate investments. We are advocating in this report that the context of the management conversation must change from a cost and regulatory compliance discussion to an investment decision: a decision to make additional investments to protect patient privacy and the reputation of the healthcare organizations entrusted with PHI.

Our message in this report is this: protecting PHI can be done effectively with the appropriate financial investment. An organization’s reputation for PHI protection is a market advantage and key to the generation of revenue, the retention of patients, and the productivity of the workforce.

Our hope is that PHI protectors will read this report and use the information and tools to develop more compelling business cases for enhanced investment to protect sensitive patient information. And in the end, protect patients.


PHI Project press release

Download the PHI Project report here.
