Securing Private Health Information
According to the HIPAA Privacy Rule, any healthcare provider who electronically transmits health information may only disclose protected health information (PHI)
- for treatment, payment and operations,
- for public interest,
- as a limited data set,
- to the individual or
- as authorized by the individual.
Use and disclosure outside of these limitations constitutes a breach subject to civil money penalties (up to $1.5M per year) and potentially criminal prosecution (up to 10 years).
When privacy and security incidents occur, healthcare organizations suffer from lost business, reputation and profits. Already small margins shrink further as customers lose faith in your system and seek care elsewhere. While patient care is likely your number-one priority, successfully securing protected health information (PHI) and complying with regulations is critical, too.
Headline figures cited on the page (values not preserved in this copy):
- Percentage increase in the number of patient records breached from 2018 to 2019
- Percentage of healthcare organizations that experienced a breach since 2016
- Average cost of a healthcare breach, in millions of dollars
- Percentage of patients who seek care elsewhere after a breach
How Do I Secure PHI?
To secure PHI, healthcare organizations need to deal with both predictable and unanticipated risks.
Many risks to patient privacy are well known and can be concretely defined. Some categories of impermissible access must be investigated every time they occur in order to comply with HIPAA. Other categories can be monitored for trends that signal an uptick, or a deviation from peers, and acted upon once a given threshold is reached.
- Percentage of Americans who would switch to a company prioritizing data privacy[i] (value not preserved in this copy)
Common Patient Privacy Use Cases
Despite being familiar, these threats are common and difficult to track, particularly when you lack the appropriate resources or rely on manual methods. Some key examples of known impermissible access that FairWarning has been helping health systems address for many years include:
