The HIPAA Breach Notification Rule obligates covered entities to issue alerts to individuals after their ePHI has been exposed or illegally taken, but what about credit monitoring and identity theft protection services? Must they be provided?
HIPAA does not state whether credit monitoring and identity theft protection services should be given to people impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered body.
However, after a breach of unsecured protected health information, HIPAA-covered entities are required to supply breach victims with details of the steps that should be taken to mitigate risk and protect themselves from damage.
Those measures include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every year if requested.
Breach victims should be told to review their accounts for any sign of fraudulent activity and should be told what to do if suspicious activity is spotted. They should also be told to look into their Explanation of Benefits statements for benefits that they have not received. Data should also be given in relation to placing a fraud alert and freeze on their credit files.
While HIPAA does not obligate covered entities to offer credit monitoring and identity theft protection services, state laws may not be the same. From October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers requires the breached body to provide a minimum of one year of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”
In California, while it is not obligatory to provide credit monitoring and identity theft protection services to breach victims, if those services are supplied they must be free of charge and for a minimum of 1 year. State laws are frequently amended, so covered entities should keep up to date with new legislation passed in the states in which their patients and members live.
Even though it may not be mandatory for healthcare groups to provide identity theft protection services to breach victims, many choose to do so. Providing those services can help to cutting down the fallout from a data breach.
Credit monitoring services should be made available to data breach victims for 12 or 24 months, if credit/debit card numbers, Social Security numbers, and/or bank account information is believed to have been illegally taken.
Credit monitoring services advise breach victims when credit monitoring firms receive notifications of applications for credit, loans, or when personal information is amended – changes of address or phone number for instance.
Identity theft protection services includes a much broader range of activities, some of which may not show up on credit reports. These incorporate the use of personal documentation such as Social Security numbers, Driver’s license numbers, medical ID numbers, and passport details.
The decision about which measures to offer should be based on the level of dangers breach victims are likely to be in. The level of risk will be determined by the manner of the attack, the chance of data being used for identity theft and fraud, the risk of data being sold on for profit, and types of data that have been breached.