http://webstore.ANSI.org/phi

Health privacy has long been perceived as the right of individuals and a necessity for effective, high quality health care. Individuals are willing to disclose the most intimate details about themselves to their doctors only with the trust that their health information will remain private and secure, whether it resides in a file at their doctor’s office, on a hospital chart, or in a claims form at their insurance provider. Indeed, protecting health information privacy has been a core component of the minimum standards for the ethical practice of medicine for thousands of years. As the health care industry moves to adopt electronic health records (EHRs), thereby creating multiple and more expansive databases in numerous locations, there is an increase in the number of people with access to protected health information (PHI), and many more opportunities for this information to be accidentally or intentionally disclosed, lost, or stolen. This new technological capability does not alter professional ethics, and indeed strengthens the resolve to protect the privacy and security of health information in order to preserve access to quality health care.

Daily headlines suggest that not all organizations entrusted with PHI protection are upholding their responsibility. Health information data breaches are increasing in number and in magnitude. Insufficiently trained staff are much to blame, but the fraudulent use or sale of PHI is also on the rise. Such breaches can cause significant harm, both to the individuals whose information was breached and to the organizations responsible for protecting it. Regulations promulgated in the last few years provide incentives for an organization’s “meaningful use” of EHRs, as well as increased enforcement and penalties for non-compliance with state and federal security regulations. Unfortunately, efforts to assure the confidentiality and integrity of PHI content have not kept pace.
Individuals responsible for protecting the security of PHI face a number of challenges that may inhibit their ability to meet that responsibility, including legal and regulatory complexity, as well as lack of time, resources, and leadership commitment. This report provides information that will enable organizations in the health care sector to build a strong business case for the benefits of investing in PHI protection and turning compliance with privacy and security laws to their market advantage. The report explores the reputational, financial, legal, operational, and clinical repercussions of a PHI breach on an organization, and offers a 5-step method – PHIve (PHI Value Estimator, pronounced “five”) – for evaluating the “at risk” value of their PHI. This tool estimates the overall potential costs of a data breach to an organization, and provides a methodology for determining an appropriate level of investment to reduce the probability of a breach.