The Financial Impact of Breached Protected Health Information

The PHI Project Overview

Trust is the foundation of the health care delivery system. Organizations responsible for safeguarding protected health information (PHI)—guardians of trust—require, now more than ever, a solid business case for enhanced PHI security. The ANSI PHI Project, entitled The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security now provides the information and tools for the “PHI protectors” to make a more compelling business case for requesting investments and resources to strengthen privacy and security programs that will resonate in the C-Suite and in the board room.

The Problem:

The health care delivery system is founded upon trust—a trust that those receiving health information will keep it confidential and secure. This trust is now being tested as the health care industry moves to adopt electronic health records, access federal incentives, and facilitate better patient care. With the evolution to electronic health systems, PHI is now more susceptible than ever to accidental or intentional disclosure, loss or theft.

The Solution:

The American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) have created an initiative (the “PHI Project”)—involving a cross-section of more than 100 health care industry leaders—to evaluate the financial impact of breached protected health information.

The result of this collaboration is a report that provides those responsible for protecting PHI - CISOs, CIOs, IT Security, privacy and compliance personnel - with information to help them better understand the potential risks and liabilities resulting from data breaches. It provides them with PHIve (PHI value estimator), a five-step method to help them assess their organizations’ specific security risks and build a business case for the appropriate level of privacy and security investments needed to mitigate those risks and liabilities. It gives health care executives a way to validate appropriate spending levels for patient privacy and security.

Key Findings:

• Health care organizations (providers, payers and business associates) are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of exposure of PHI as a result of electronic health record (EHR) adoption, the number of organizations handling PHI, and the growing rewards of PHI data breach.
• PHI data breaches are growing in frequency and in magnitude, having a huge financial, legal, operational, clinical and reputational impact to the breached organization.
• This “PHI Project” provides health care organizations with a five-step method – PHIve (PHI Value Estimator) – for evaluating the “at-risk” value of their PHI. This tool estimates the overall potential costs of a data breach to an organization, and provides a methodology for determining an appropriate level of investment to strengthen privacy and security programs and reduce the probability of a breach.