Editor’s Note: In a new article in the Journal of the American Medical Association (JAMA), Manatt partner Deven McGraw teams with Dr. David Blumenthal, president of The Commonwealth Fund and former head of the Office of the National Coordinator for Health IT, to examine the vulnerability of personal health information and what can be done to make health data safer. Key points are briefly summarized below.

Personal health information (PHI) in the United States is not safe, and it needs to be. A nationwide electronic health information system has the potential not only to improve the care of individuals but also to create major new sources of health data for research and healthcare quality improvement. But if patients have concerns that their digitized PHI will be compromised, they will resist sharing it via electronic means, reducing its value in their own care and its availability for research and performance measurement. They also may withhold information about sensitive issues, such as mental health or substance abuse—which surveys suggest already may be happening.

What Should Be Done to Improve PHI Safety?

Part of the responsibility for PHI security lies with clinicians, healthcare organizations and insurers, the primary custodians of health data. Although malicious hacking gets the bulk of media attention, the authors note that more than 80% of data breaches result from the failure of these entities to observe good data hygiene by implementing basic precautions, such as:

  • Encrypting health data;
  • Prohibiting the storage of personal information on employees’ personal devices, which are vulnerable to loss and theft; and
  • Using sound practices for authenticating authorized users.

Policymakers also bear part of the responsibility to protect patients’ healthcare data. Enacted in 1996, before the Internet and current electronic methods for recording and transmitting data became ubiquitous, the Health Insurance Portability and Accountability Act (HIPAA) is antiquated and inadequate to protect patients’ healthcare privacy and security. For example, the law does not regulate the use of PHI by companies such as Apple, Google, Facebook and Twitter, which are already collecting (intentionally or not) health-related data on patients and could become major custodians of health data in the future.

Beyond the adequacy of HIPAA, the security of the nation’s health information systems is inextricably linked to the ability to fend off cyber threats more generally. National policy on this larger question remains nascent.

The stakes associated with the privacy and security of PHI are huge. Threats to the safety of healthcare data need much more focused attention from both public and private stakeholders.