Friday, July 15, 2016 12:00 PM

OCR is doing a good thing by making us “Eat our Vegetables”

Written by Karen Pursch, Director, Patient Privacy Solutions

Healthcare is, at its core, based on relationships. And, as with any relationship, trust is foundational to building and maintaining a strong relationship. Trust can be fragile and fleeting. It can be either eroded or enhanced in an instant.

Providers have to build a culture of privacy within their organization — one where privacy and security aren’t just occasionally mentioned, but frequently talked about. After all, healthcare providers are stewards of precious information.

Unfortunately, the data that healthcare providers have is also extremely valuable.

The number of data breaches continues to grow, exposing personal data of more than 110 million individuals in 2015. I recently read an article stating that there were 11 million patient record breaches in June, making it the worst month for information security in 2016. Insider and external threats are real and growing for various reasons.

  • Healthcare data has high value. The 2016 Internet Security Threat Report from Symantec showed that in the healthcare industry there were 120 breaches in 2015 with 4.1 million identities exposed. Such a high number of breaches with a low number of identities exposed tends to show that the data itself is valuable enough to warrant so many small breaches. This study also showed that healthcare ranked at the top of the list of high-risk industries based on the number of incidents caused by hacking or insider theft, which indicates that the motive was to steal data, as opposed to data being accidentally exposed.
  • Healthcare is an easy target. Healthcare has traditionally been behind other industries in information technology and security. The ability of healthcare to compile data has grown far faster than our ability to protect it. The culture of healthcare is to focus on patient health, neglecting the security of patient data.
  • Breaches are expensive and erode trust. Whether the breach is small or large, patient trust is damaged. The TransUnion Healthcare Data Breach Survey of 2015 revealed that 7 out of 10 respondents (65%) would avoid healthcare providers that experienced a data breach.

The loss of patient trust due to these various factors not only affects healthcare organizations financially, but can also negatively impact patient care and reimbursement. At a hospital that has had a public data breach, patients are less likely to tell their caregivers critical health information that the caregivers might need to properly care for them. In addition, quality issues and higher 30-day readmissions could mean that organizations would lose up to 2% of Value Based Payments (VBP), and 3% of readmissions. This will lead to lower HCAHPS scores, meaning fewer new patients and lower reimbursement.

HIPAA Compliance a Competitive Advantage

After nearly a two-year delay, the Department of Health and Human Services' Office of Civil Rights has begun OCR HIPAA audits of healthcare organizations and their business associates. OCR is doing a good thing by making us "Eat our Vegetables." The OCR HIPAA audits are critical to protecting patients' health information, and most healthcare professionals do not take the audits seriously because of the poor state of cybersecurity in healthcare.

Patient trust should be used as a competitive advantage. Good performance in an audit can become a marketing tool for healthcare organizations.

Please register for a webcast on July 19 to see how you can use Privacy Analytics to reduce breaches in your healthcare organization.