Happy Leap Year! We’re jumping into a challenging 12 months — lawsuits are up, budgets are down, and advances in technology have made protecting medical data a whole lot harder. Our list of top trends in 2012 reveals difficulties ahead; read and proceed with caution.
1. More data breaches, bigger impact. The new benchmark study by the Ponemon Institute finds that the frequency of data breaches in healthcare organizations surveyed has increased by 32 percent since 2010, with hospitals and healthcare providers averaging four data breaches a year. These data breaches cost the healthcare industry an estimated $6.5 billion.
On a per-provider basis, the cost of data breaches is also high. The average economic impact of a data breach increased 10 percent from last year to $2.2 million, the Ponemon study found. Data breaches also lead to diminished reputation, lower productivity, and loss of patient goodwill—all of which may contribute to patient churn, at an average lifetime value of more than $113,000 per patient.
2. Tighter budgets, fewer resources. According to Moody's, the median revenue growth rate for hospitals is only 4 percent, its lowest in 20 years, and long-term revenue growth is expected to decline. With this dismal financial outlook, data breaches are likely to increase: 73 percent of respondents in the Ponemon study reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss, or theft. In fact, 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches.
3. The growth of enforcement and penalties by the Office of Civil Rights (OCR). While “audit” was a scary word in 2011, it will be frightening in 2012. In accordance with the HITECH Act, the Department of Health and Human Services must allow for periodic audits of covered entities—and business associates, later on—to ensure compliance with HIPAA Privacy and Security Rules and breach notification standards. The pilot program, which includes up to 150 audits, started in November 2011, but most of those audits will take place in 2012.
But we’re talking more than audits; the OCR has no problem issuing stiff penalties to violators. Early in 2011, Cignet Health was fined $4.3 million for denying patients access to their medical records. At about the same time, Massachusetts General agreed to pay $1 million for the loss of 192 patients’ PHI.
4. More class-action litigation. If multi-million dollar regulatory fines weren’t enough, class-action lawsuits appear to be on the rise. Stanford Hospital and Clinics, for instance, is facing a $20 million lawsuit, seeking $1,000 per affected record. The breach happened when the medical data of 20,000 patients was posted on a student homework website.
5. Growing dependence on business associates. Gone is the idea of “it’s easier to do it myself.” Economic realities are causing healthcare providers to outsource many of their functions, such as billing, to a business associate. However, 69 percent of organizations that participated in the Ponemon study say they have little or no confidence in their business associates’ ability to secure patient data. Several data breaches in 2011 point to errors caused by business associates. Yet it is the covered entities that face the class-action lawsuits.
6. Cloud computing an option, but proceed with caution. With tighter budgets, cloud computing is an attractive option for healthcare providers, although it’s been slow to take off. According to a new study by CompTIA, 57 percent of respondents are familiar with cloud technology, but only 5 percent actually use it. However, the cloud’s applicability for Health Information Exchange (HIE)—a main component of the Electronic Medical Records or Electronic Health Records (EMR/EHR) meaningful use initiatives—may drive that figure up, according to CompTIA.
But beware: privacy and legal issues abound, such as compliance with HIPAA privacy and security regulations. A covered entity would have to enter into a business associate agreement with a cloud computing provider before the provider could store PHI data in its facility, according to one group of legal privacy experts. And if a cloud computing provider’s terms of service conflict with HIPAA’s regulations, the covered entity could incur a HIPAA violation.
7. A wider use of mobile devices in medicine. Both the CompTIA and Ponemon studies found that the use of mobile technologies in healthcare is growing: More than 80 percent of respondents in the Ponemon study say they use mobile devices that collect, store and/or transmit some form of PHI. Of particular interest, nearly one-third of healthcare providers use mobile devices to access EMR/EHR systems, according to the CompTIA study. And 20 percent plan to use their mobile devices to access EHR systems within the next year, the study says. But, as with business associates, beware of security holes; half of the respondents in the Ponemon study say they don’t do anything to protect these devices.
Conclusion
2012 promises to be full of challenges. Preparation is the best defense—and offense, for that matter. Healthcare professionals can do a great deal to minimize their risk of a data breach, such as performing annual risk assessments, having an incident response plan in place, and reviewing their contracts and agreements with business associates. Get ready, get set, and let’s take the plunge into the year ahead.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).
Christine Arevalo is director of healthcare identity management and a founding employee of ID Experts. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for healthcare organizations.