Do no harm: HIPAA's role in preventing ID theft
Computerworld -
With the deadline for ensuring privacy under the Health Insurance Portability and Accountability Act (HIPAA) recently passed, most health care providers and plan companies are preparing to implement the final rule for security. While many of these organizations are focused on the lack of budgetary and staff resources necessary to fulfill another unfunded federal mandate, most have lost sight of why this level of protection is necessary.
As organizations (known in the legal jargon as "covered entities") begin their risk assessments and risk management planning, it's important to remember one of the key principles of the regulations, and that is patient protection. The standard clearly states that the organization must ensure the confidentiality, integrity and availability of protected health information (PHI) and safeguard it from threats, hazards and unauthorized disclosure, but the act neglects to underscore why it's important to do so.
PHI comprises the patient's most personal information: health records and data files that typically include name, address and Social Security number, together with a combination of the following:
- Insurance information
- Payment information
- Past and present medical conditions
- Past and present treatments
- A variety of other individually identifiable health or personal information
Although not expressly stated in the privacy or security rules, HIPAA establishes that PHI is primarily the patient's personal property and not a corporate asset of the regulated organizations. Corporations are therefore required by law to take precautions to protect the privacy of patient information whenever it's used, from back-office transactions to personal patient interactions.
Where's the harm?
Previously, industry experts have focused on harm at the individual level -- in other words, the PHI of a single patient being compromised and made public to the specific detriment of that person.
For example, in 1998, an Atlanta truck driver lost his job after his employer learned from his insurance company that he had sought treatment for a drinking problem. In another example, an employee was automatically enrolled in a mandatory depression program by her employer, Motorola Inc., after her prescription drugs management company reported that she was taking antidepressants. These cases tend to generate sympathy from the general public, but it's frequently an uphill battle for a victim of such exposure to prove substantial harm in the courts and trace the source of that exposure directly back to the health care organization.
Harm to the individual can range from simple embarrassment to financial hardship. The primary source of harm to the individual actually exists at the aggregate level, in databases that contain the files of hundreds or thousands of