Most health organizations are under-prepared to protect patient privacy and secure personal health information as new uses for digital health data emerge and access to confidential patient information expands, according to a new report from PwC's Health Research Institute.

Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, say to PwC officials – who emphasize that health organizations need to update practices and adopt a more integrated approach to ensure that patient information doesn't fall into the wrong hands.

The report, titled "Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground," shows how existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in electronic health records; greater data collaboration with external partners and business associations; the emergence of new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to better and more efficiently manage patient health.

A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found:

• Theft accounted for 66 percent of total reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise. Over one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else's name and identification.
• More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
• More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
• The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
• The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.

"Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC. "Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error - loss of a computer or device, lack of knowledge or unintended unauthorized disclosure."

Continued on next page.