Financial loss could be the best impetus for fixing poor security hygiene, ANSI suggests.
Faced with the reality that health care data breach legislation is unlikely to emerge, the American National Standards Institute on Monday set forth a financial reason for providers to protect their patients' online privacy.
The cost of patient data losses during the past year ranged between $8,000 and $300,000 per health care organization, mostly due to credit or identity theft monitoring and forensic and legal fees, according to a new report from the standards body.
A December 2011 study by Ponemon Institute LLC found that 96 percent of health care providers had suffered at least one breach during the past two years.
There is growing consensus that current health care privacy legislation is inadequate for safeguarding patient data on the Internet. The Obama administration has set rules to cover gaps in the 1996 Health Insurance Portability and Accountability Act that address the improper reuse of data by medical business partners, and the economic stimulus package also added e-health care protections.
According to the ANSI study, the complexity of these regulations is partly to blame for a lack of compliance. In addition, privacy activists note that the new rules cover only the contractors of doctors and health plans and not commercial online health records, Internet companies and app developers.
Data breach protections for personal health information are not in either the Democratic or Republican versions of pending comprehensive cybersecurity reforms.
"Moving legislation through Congress in this area is probably going to be pretty difficult," said Larry Clinton, president of Internet Security Alliance, a trade group that partnered with ANSI on the report. He said a sophisticated cost analysis of a breach scaled to the size of a provider's practice might be a better motivator to improve health care security.
When asked to name the most significant barriers to maintaining the privacy and security of patient information, 59 percent of the more than 100 health care industry participants who responded to the ANSI study cited a lack of funding.
"The regulated industry felt that the laws were so complex that they were impossible to comply with," said James C. Pyles, a Washington health care lawyer and lobbyist who helped lead the study. The regulations "are not preserving the public's trust and not giving the industry a fair shake."
In reaction to federal and state laws, one respondent said, "we do not have the employee resources or the funds to deal with additional federal regulations."
The federal government is shoveling more than $25 billion into incentives for the health care industry to adopt digital medical records.
In medical identity theft, scammers steal either physician identification numbers or patient ID information to fraudulently bill for medical services. ANSI provided the example of a clerk in a Florida medical clinic who lifted the medical IDs of 1,100 patients and then sold them to others, triggering $2.8 million in false Medicare claims.
Just last fall, Science Applications International Corp., a federal contractor, admitted to exposing the health care records of 4.9 million Military Health Care System beneficiaries when computer tapes were stolen from an SAIC employee's car.