Report examines potential risks of privacy and security breaches of personal health data.

The Deloitte Center for Health Solutions has published a report,

“Privacy and Security in Health Care: A Fresh Look.” The

report identifies the risks associated with privacy and security

breaches in health care. It offers guidance about preparedness for

health plans, life science organizations, health information technology

solutions providers, as well as federal and state health agencies, to

help minimize potential privacy and security threats as health reform

drives increased exchange of online health information.

The Deloitte report identifies some of the reasons why preparedness

for privacy and security risk is inadequate at some health care

organizations, including lack of internal resources (human resources and

capital); lack of internal control over patient information; lack of

upper management support; outdated policies and procedures or

non-adherence to existing ones; and inadequate personnel training.

Privacy and security regulations have historically focused on

internal security processes, but currently culpability has been expanded

to downstream entities. As health care delivery transitions to

performance-based compensation, increased transparency, and increased

use of EHRs and personal health records, new privacy and security rules,

regulations, laws and standards will be added in each sector. To address

the challenge of protecting against potential privacy and security

breaches in the new era of health reform, Deloitte’s report

outlines a basic approach for health care industry stakeholders to

assess their current preparedness across three key areas:

* Risk Management – Help identify and assess data security risks to

develop appropriate security controls to mitigate or avoid risk. This

allows health care organizations to make informed decisions on how to

allocate security resources to improve data protection.

* Security and Privacy Program – Develop and implement policies,

procedures and training needs to mitigate or avoid risk. This helps

create a baseline for standards to secure handling of sensitive patient

information and awareness of privacy and security procedures across the


* Compliance – Verify organization conformance to its policies and

standards. This helps reduce organizational risk; creates customer trust

and confidence in an organization’s protection of personal health

information; and reduces potential for financial penalties due to

reasonable cause or willful neglect.

Reflecting the importance of safeguarding consumers’ personal

health information, the Deloitte Center for Health Solutions 2010

Consumer Survey found that while more than half (57 percent) of

consumers want access to an online PHR connected to their doctor’s

office, one-third (33 percent) are concerned about privacy and security

of an online PHR.