Securing PHI Feels A Lot Like Y2K

Seems like the comments being made on posts and being emailed to me have been really interesting lately. As I often like to do, I want to highlight those that provide interesting stuff in the comments since many people don’t read all the comments. Here’s one such comment from ip-doctor on my post about de-identified healthcare data.

I am interested in knowing how readers answer John’s question re position on use of de-identified data. My guess is that people don’t know it’s going on and will object to it happening in principle.

Securing PHI feels a lot like Y2K. No doubt breaches occur, and, when they do, they are certainly costly for the offending HCO, but how many examples are there of leaked information being used to harm someone? Seems like the same proscriptions vs. extortion, blackmail, and libel would prevent individuals from using illegally obtained PHI to harm patients.

In fact, the odds that there is a Person A who wishes to harm Person B AND who somehow comes up with Person B’s sensitive PHI AND is able to use it to harm Person B without Person B having ample legal recourse against Person A are hopelessly LONG. Breaches of thousands/hundreds of thousands/millions of records are too large and unspecific to be “used” for nefarious purposes.

We need to secure PHI, but we are hoisting ourselves on our own petards if we let legitimate concerns about the use of patient data block or slow our adoption of EMRs and HCIT for ACOs and PCMHs. Just as there are real benefits associated with use of de-id’ed patient data, there are (significant, hidden) costs with not sharing health data.

The irony here is that the most common, undeniably harmful use of sensitive PHI has been to deny coverage to patients with pre-existing conditions. Kind of makes sense. It is, after all, health information.

Nothing like sharing a post about the fears and challenges associated with sharing data and privacy and following up with a post that talks about how it might not be as big of a risk as many like to make it. Of course, the happy place is somewhere in the middle where we do a good job securing the data while as HIPAA outlines, we avoid placing an undue burden on patient care.

About the author

John Lynn

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • More irony – based on the changes made to regulations in the health insurance industry, by January 1st, 2014 (I believe) insurance companies will no longer be able to deny coverage for pre-existing conditions, thus removing that argument against information sharing from the equation (in theory!). See for more.

  • Information security appropriately applied will easily contain all requirements for compliance…At issue today is the minimalist view of information systems built to meet compliance requirements which becomes the measure of PHI being properly secured, which is completely wrong-headed.

  • Jon,
    You bring up a good point. Will we care if the insurance companies get our information if they can’t deny us insurance? I haven’t looked at the law, but just because they can’t deny us doesn’t mean they can’t jack up our insurance rates so high that they effectively deny us, right? Or does the law have a provision for that too?

Click here to post a comment