Healthcare organizations and insurers face major financial penalties for HIPAA data breaches they cause, whether inadvertently or willfully. However, the results of a recent survey indicate that the fines issued by state Attorneys General and the Office for Civil Rights pale into insignificance compared to the loss of income that results from patients changing healthcare provider after a data breach.
The survey, conducted by TransUnion, found that 7 out of 10 patients (65%) were willing to change healthcare providers if the company was affected by a data breach. While not all of those individuals would actually change provider, the figures are worrying and send a message to HIPAA covered entities that data security and patient privacy must be made a priority.
The survey showed that older patients were less willing to make the change. Almost two thirds of respondents over the age of 55 said they would be unlikely to switch provider, while 73% of individuals in the 18-34 age category said they would make the switch following a data breach.
The discrepancy has been attributed to the difficulty of changing provider and an unwillingness to change, especially where there has been a long history of treatment. According to TransUnion Healthcare president Gerry McCarthy, “Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider.” He also said, “With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”
The survey was conducted on 1,228 patients based in the United States who had received medical care in the past two years at a doctor’s surgery, clinic or hospital.
The survey highlighted a number of issues patients have with healthcare providers and insurance companies, including unrealistic expectations of healthcare providers when it comes to issuing notifications to patients affected by data breaches.
31% of the survey’s respondents expected their healthcare provider to notify them of a breach within 3 days of it occurring, while almost half (46%) believed those notifications should be sent within 24 hours. The Office for Civil Rights demands that breach notification letters are issued without unnecessary delay, but allows up to 60 days for the breach to be reported and notifications issued.
Other requirements of the HIPAA Breach Notification Rule include the provision of credit monitoring services and medical identity theft protection to mitigate any damage caused by the breach.
Organizations suffering a breach of HIPAA data are required to provide notice on a website, as well as offer patients a free telephone service for any queries they have. According to the survey, 72% of patients believed they should be offered these services free of charge, while 55% also expected a website to be set up with information about the breach.
Patients are now more aware of their rights following a data breach and believe that quick notification is essential. According to McCarthy, “The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider.”
Swift action is therefore essential following a data breach if the covered entity wants to retain patients. Fortunately, according to McCarthy, “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”