Report: Data breaches, patient identity thefts still a threat despite new laws
Despite new regulations in the HITECH Act, data breaches and medical identity theft remain at critical levels throughout hospitals in the U.S., where 83.6 percent of providers have data breaches every year, according to a report from identity theft prevention contractor Identity Force.

The Framingham, Mass.-based Identity Force surveyed 220 compliance executives from American Hospital Association-member hospitals in 43 states from March 30 to April 13 to evaluate whether hospitals are in compliance with the HITECH Act and to evaluate whether state and federal data breach and security laws and regulations have had an impact on identity theft-related matters.

The annual survey found that 41.5 percent of hospitals have 10 or more data breaches each year--a 120.7 percent increase over the prior survey--and that 20.3 percent of hospitals have 20 or more breaches annually.

“The frequency of data breaches at hospitals far exceeds what is publicly reported,” stated the report. “This under-reporting is likely no different than other sectors of our economy, however it raises great concern that patients’ personally identifiable information is extremely vulnerable.”

Released this week, the report stated that, to date, only 15.7 percent of hospitals feel they are in compliance with the HITECH Act and that 30.5 percent are only at the “evaluating options” stage. However, the report also found that 46.9 percent of hospitals are in the final stages of compliance, nearly two months behind the enforcement deadline.

According to Identity Force, 56.3 percent of hospital compliance officers believe that the new healthcare reform law will either result in no change or will increase medical identity theft at their institutions. “Existing regulations and the new healthcare reform law will not solve medical identity theft,” read the report.

For actual breaches, the report suggested that the number of investigations of potential fraud is “surprisingly low despite the fact that medical identity theft is the fastest growing form of identity fraud.” Also, 71 percent of hospitals on average investigate fewer than 50 cases of possible misuse of identity annually, and more than 34 percent still do not keep government-issued picture ID records on the majority of their patients, the report found.

Additionally, Identity Force remarked that 48.3 percent of hospitals do not know if their vendors and business associates are in compliance with the HITECH Act.

“The pandemic of data breaches and medical identity theft is getting worse in hospitals across the U.S. and new laws and regulations instituted over the past three years have done little, if anything, to cure the problem,” the report concluded.

Based on these dire findings, the report recommended a variety of approaches for hospitals to protect patients and themselves, including:
  • Expand activities and efforts to eliminate data breaches from tactical triage to strategic action, with the goal of building a breach-free culture;
  • Be proactive with patient identification issues;
  • Executives should not rely on the new healthcare reform law to stem identity theft and data breaches;
  • Hospitals that cannot easily add the new laws to their organization’s compliance efforts should examine finding a partner to help and implement best practice policies and procedures; and
  • Business associates and vendors need to be fully trained on best practices and procedures to prevent data breaches and medical identity theft.