The groups are examining the problem by identifying existing legal protections related to protected health information (PHI), defining weaknesses in the healthcare system where there are risks of exposure, and assessing the financial impacts of PHI disclosure.
“There seems to be a hole [in the research] about the impact when protected health information is disclosed in an unauthorized fashion”, said Rick Kam, president of ID Experts and chair of the ANSI/Shared Assessments PHI Project, which is coordinating the research effort.
This research is being driven by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as the Threshold of Harm, under which organizations that have data breaches are required to conduct a risk assessment of the reputational, financial, and medical harm caused by the breach, Kam told Infosecurity.
“One of the missing links in the research is what is the actual impact to an individual whose protected health information has been disclosed. One of the key differentials of this process is to look at the issue from an individual perspective”, he said.
“If there is no clearly defined financial impact from breaches, it is much more difficult to put together a business case to protect it in the first place”, he added.
The ANSI/Shared Assessments PHI Project got underway this month with a meeting of its advisory committee. The initiative brings together professionals from across the industry: data security companies, identity theft protection providers and research organizations, legal experts on privacy and security, standards developers, and others.
“Many of these people are in the trenches of privacy and information security and are in standards committees, such as NIST [National Institute of Standards and Technology]. We are going to ask these experts whether they have seen cases where the breach of protected health information has actually caused some form of damage”, Kam said.
This effort will culminate in a report targeted at those responsible for and entrusted with protecting and handling PHI. The report will help inform the healthcare industry in making investment decisions to protect PHI, as well as improve responsiveness if and when patient information is breached.
The project is also considering conducting a consumer survey, in cooperation with the Ponemon Institute, about the financial impact of patient data breaches. “We are exploring several avenues to test what protected health information and what combinations actually cause reputational, financial, medical, or other harms to consumers”, he said.