Share this article on:
The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered?
HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity.
However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm.
Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested.
Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious activity is identified. They should also be told to monitor their Explanation of Benefits statements for benefits that they have not received. Information should also be provided on placing a fraud alert and freeze on their credit files.
While HIPAA does not require covered entities to offer credit monitoring and identity theft protection services, state laws may differ. From October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers requires the breached entity to provide a minimum of 12 months of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”
In California, while it is not mandatory to provide credit monitoring and identity theft protection services to breach victims, if those services are provided they must be free of charge and for a minimum of 12 months. State laws are frequently updated, so covered entities should keep up to date with new legislation introduced in the states in which their patients and members reside.
Even though it may not be mandatory for healthcare organizations to provide identity theft protection services to breach victims, many choose to do so. Providing those services can help to reducing the fallout from a data breach.
Credit monitoring services should be provided to data breach victims for 12 or 24 months, if credit/debit card numbers, Social Security numbers, and/or bank account information is believed to have been stolen.
Credit monitoring services inform breach victims when credit monitoring companies receive notifications of applications for credit, loans, or when personal information is changed – changes of address or phone number for example.
Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as Social Security numbers, Driver’s license numbers, medical ID numbers, and passport numbers.
The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the likelihood of data being used for identity theft and fraud, the risk of data being sold on, and types of data that have been exposed.