The fourth year of a benchmark survey assessing progress in protecting health information brings mixed results.

The cost of data breaches has fallen and most surveyed providers are aware of breaches that have occurred with only 10 percent saying they haven’t had one in the past two years. But criminal attacks on information systems continue to rise and providers fear that the Affordable Care Act and accountable care organizations increase the risk to protected health information because of more data sharing.

“The ACO is all about sharing data and it expands the types of data you are sharing as well,” says Larry Ponemon, founder of Ponemon Institute, a privacy and security research firm. This worry about higher risks to PHI is exacerbated because providers have low confidence in the security of health information exchanges. Nearly three-quarters of surveyed providers report they are only somewhat confident or not confident of HIE security.

Ponemon Institute conducted the survey with sponsorship from data breach prevention and resolution firm ID Experts. Ninety-one hospitals and clinics, most of them part of a health care network but 17 percent being standalone organizations, participated in the survey that included 388 interviews with compliance, information technology, patient services and privacy leaders.

Based on survey results, Ponemon estimates that the average cost of a data breach for responding organizations in the past two years is about $2 million, down from $2.4 million in last year’s report. Increased HIPAA auditing from the HHS Office for Civil Rights is spurring some organizations to improve their data management and protection, Larry Ponemon says. “There’s a general acknowledgement of the goal to become more HIPAA compliant.”

For instance, 51 percent of respondents say they are fully compliant with the post-incident risk assessment requirement in the updated HIPAA Omnibus Rule. Still, that leaves 49 percent only partially compliant or non-compliant, with 39 percent saying their incident assessment process is not effective and lacks consistency.

(See also: 6 Steps to Showing HIPAA Privacy/Security Compliance)

Rick Kam, president at ID Experts, notes that many providers--more than third of large hospitals, for instance--have gotten cyber liability insurance and are getting legal assistance, which helps control costs. But while organizations are getting better at managing PHI, 73 percent of respondents don’t believe their business associates are competently complying with HIPAA, and they are right, Kam says. “Business associates are creating a blind spot. A lot of companies are trying to figure out if they are a BA and their responsibilities.”

Larry Ponemon is pleased that providers are becoming more cognizant of data loss and identity theft. But he worries that there remains a lot of poor mobile device security policies in organizations, as many have given up policing the policies and are relying on network security measures.

Full results of the “Fourth Annual Benchmark Study on Patient Privacy and Data Security” are available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access