Project will investigate patient health information breaches
■ Unlike cases involving financial data, little is known about the implications of lost information such as a diagnosis or medical history.
By Pamela Lewis Dolan — Posted April 13, 2011
- WITH THIS STORY:
- » Related content
Many studies have looked at the financial impact on a health care organization that has data such as patients' Social Security numbers and account information lost or stolen. But what is the effect on a patient who has sensitive health care information exposed? And what will those implications mean to the health care organizations charged with keeping that information private?
A recently formed collaboration plans to find out.
The American National Standards Institute and the Shared Assessments Programs have formed the ANSI/Shared Assessments PHI Project. The goal is to bring together a committee of professionals from across the health care spectrum to examine the impact of breached personal health information.
Data security companies, identity theft protection providers, research organizations, legal experts, standards developers and health care professionals will contribute to a report intended to help health care organizations understand how to protect such information and respond when it is breached.
The first step in learning how to protect health data is understanding exactly what is at risk, said Rick Kam, president and co-founder of the Portland, Ore.-based data breach management firm ID Experts and co-chair of the initiative. He added that the industry already knows the impact of a lost Social Security number.
"But what if a hospital loses your HIV diagnosis? What is the impact?" Kam asked. "There's a lot of anecdotal stories out there but nothing concrete."
The group plans to tackle the issue by dividing participants into five subcommittees. They will examine legal protections related to personal health information, where the risks of exposure are in the health care ecosystem and the financial impact to individuals whose health information is exposed. Surveys of organizations and possibly consumers will be conducted by another committee. A final committee will pull the information together and draft a report.
Kam expects the first phase of the work -- a report that details how health care organizations can calculate the financial impact of a breach -- within three months. "Then we'll see where we go," he said, adding there will be two or three phases before the effort is completed.
Most of the work will take place through conference calls. The committees are open to anyone. So far, about 150 people have signed up. Interested parties can send an email to join ([email protected]" target="_blank">link).