It’s the letter no healthcare office ever wants to have to send and no patient ever wants to get.

But breaches of Protected Health Information (PHI) happen. A thief snatches an unencrypted laptop, a staff member makes a mistake, or a hacker is successful, and patient information gets seen by people who aren’t supposed to see it or used by people who have no right to use it. Needless to say, breaches can cause serious financial and reputational harm to patients and healthcare practices alike.

As soon as you discover that there’s been a breach of PHI, HIPAA requires that “without unreasonable delay” you notify those patients whose information is involved and in danger of being compromised.

HIPAA says you must do this in writing either in a letter sent by first-class mail or by email, if the patient has previously agreed to receive notices from your office via the Internet. Here are HHS guidelines for what that message should include. With each I’ve added examples to illustrate the point:

A brief description of the breach

“On December 12, 2014, our office was broken into and the computer at the main desk was stolen.”

A description of the types of information that were involved in the breach

“We have learned that your name, address, and credit card information may have been compromised.”

A brief description of what you’re doing to investigate the breach, mitigate the damage, and prevent it from happening again

“We have notified the police and have not received any indication that the information has been accessed or used by an unauthorized individual. We sincerely regret that this has happened and want to assure you that we are committed to patient privacy and have policies and procedures in place to do all we can to safeguard your Protected Health Information – PHI.”

The steps your patients will need to take to protect themselves from potential harm

“If you choose, as an added measure of security, we are offering one year of credit monitoring and reporting services at no cost to you. If you have any questions, feel free to contact us.” (Include contact info.)

The particulars of each of these points would, of course, vary depending on the circumstances of the breach and the mitigating steps needed. It’s also a good idea, I think, to ease into the news of a breach by sincerely stating that your office takes patient privacy very seriously and realizes the importance of notifying patients of a potential privacy issue.

And just to continue being on the safe side: Before being sent, a letter like this should be reviewed by appropriate legal counsel familiar with HIPAA compliance and the privacy laws in the state(s) where you provide services.

Here at Touchstone Compliance we have a suite of online tools to help you protect PHI and stop breaches before they happen.