When your practice determines that a privacy breach is reportable, affected patients must be notified without unreasonable delay and in no case later than 60 calendar days from the date the breach is discovered. The notice to patients must include:
- a brief description of the breach;
- the types of information that were involved;
- a brief description of what your practice is doing to investigate the breach, mitigate any harm, and prevent further breaches (corrective actions); and
- contact information for the practice’s Privacy Officer (in the event the patient has questions regarding the breach).
It is also required that your practice provide notice of any steps that affected individuals should take to protect themselves from potential harm that might result from the breach. This article addresses the types of protective measures available to patients following a breach, when they should be recommended, and who should provide for them.
Providing Credit Monitoring & Identity Theft Protection Services
The Breach Notification Rule does not stipulate whether credit monitoring and identity theft protection services should be provided for patients who have had their PHI breached. The decision whether or not to provide those services is left to the discretion of your practice. However, your practice is required to provide patients with details of the steps that should be taken (by them) to mitigate further risk and protect themselves from harm.
Credit monitoring may not be necessary for every confirmed breach. Breaches involving credit card numbers and Social Security numbers (SSNs) present the greatest risk of identity theft or fraud. According to fraud experts, a full name and address alone are of little use to a thief. A full name, address, date of birth (DOB) and SSN together, however, place a person at significant risk of identity theft.
Note that some states have enacted legislation requiring credit monitoring to be offered for all data breaches. Your state medical or dental society can provide information on your state’s position.
Consider the Public Relations (PR) Factor
Providing credit monitoring can help offset the ill will a privacy breach causes by demonstrating genuine concern for the patient’s privacy. This relatively simple step may reduce the likelihood that the patient files a privacy complaint with the Office for Civil Rights (OCR) or complains to others about your practice. An OCR complaint can consume significant administrative time in responding to an investigation and could result in civil monetary penalties.
Place yourself in the patient’s shoes. If you have to send them notification of a confirmed breach, you’ve just told them that your practice has improperly disclosed their PHI and perhaps, as a protective measure, they should monitor their credit. Offering credit monitoring at no expense to the patient alleviates a burden that resulted from actions of the practice.
The credit reporting bureaus (Equifax, Experian, and TransUnion) must provide consumers with a free credit report once every 12 months upon request. Ongoing credit monitoring goes further: the service alerts the patient whenever the bureau receives an application for credit or a loan in their name, or when personal information on the file, such as an address or phone number, is changed.
Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as SSNs, as well as driver’s license, medical ID, and passport numbers.
The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the types of data that have been exposed, the likelihood of data being used for identity theft and fraud, and the risk of data being sold.
Do not attempt to enroll in a credit monitoring service on the patient’s behalf; the company may treat the enrollment as an attempt at credit fraud or identity theft. Instead, inform the patient that you will reimburse them for such a service, or offer an up-front payment once they have selected one.
The cost of a one-year plan can range from $100 to $250 for an individual. Considering the cost of dealing with an unhappy patient and a possible OCR inquiry, one year of credit monitoring can be a wise investment for the practice.
The Federal Trade Commission (FTC) recommends that if someone is concerned about identity theft, data breaches, or someone gaining access to their credit report without permission, they might consider placing a credit freeze on their report. Depending on the nature of the breach, you might recommend that your patients consider a credit freeze.
A credit freeze will not prevent thieves from making charges to existing accounts, but this free tool lets people restrict access to their credit reports, which in turn makes it more difficult for identity thieves to open new accounts in the person’s name. A credit freeze does not affect a person’s credit score nor prevent the person from getting a free annual credit report. A credit freeze does not keep a person from opening a new account, renting an apartment, or buying insurance, however a person might need to temporarily lift a freeze to accomplish these things. It is free to lift a credit freeze and free to place it again.
A freeze remains in place until the person asks the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, the bureau must lift the freeze within three business days from receipt of the request.
You may direct patients to the FTC recommendations at:
All potential breaches should be investigated and documented. The final determination of whether an incident requires notification of patients and protective measures rests with your practice, but it is not unconstrained: under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless your practice can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. Keep that assessment and the resulting decision on file.