Managing patient communication during data breaches

When data breaches occur, patients may have questions related to the breach, its effects, and the continuation of services. Clear, honest, and timely communication will help organizations manage the immediate crisis and ensure the ongoing trust of patients.

Why maintain communication?

Data breaches can be concerning for various stakeholders–from patients to practitioners, third parties and others. Keeping communication lines open amid the crisis ensures everyone is well-informed on the mitigation process.  

How to community with stakeholders

The FTC suggests that organizations “create a comprehensive plan that reaches all affected audiences — employees, customers [patients], investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. And don’t withhold key details that might help consumers protect themselves and their information. Also, don’t publicly share information that might put consumers at further risk.” 

Patients

“Of all stakeholders, customers [patients] are perhaps the most critical. In the aftermath of a breach, proactive and transparent communication is paramount,” writes Forbes.

• Transparent updates: Patients need to be regularly informed about the nature of the breach, what information was affected, and the specific steps being taken to secure their data.
• Trust building: Clear communication can help maintain trust. By providing regular updates about the mitigation efforts and any changes in the breach’s status, patients can have peace of mind knowing that efforts are being implemented to secure their data.

Employees

• Internal briefings: Employees should be briefed on the breach as soon as it is detected. This includes understanding what happened, what data was compromised, and the steps they need to follow. “Depending on the size and nature of your company, they [breach response team] may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management,” suggests the FTC. 
• Guidance on handling inquiries: Employees should be trained on how to respond to inquiries from patients, the media, or other external parties to ensure consistent messaging.
• Job security and roles: Addressing employee concerns, especially if the breach was linked to internal factors like human error, will help to maintain morale.

Healthcare providers

• Collaboration: Healthcare providers should be informed about any specific impacts the breach may have on patient care, including delays or changes in accessing patient data.
• Protocol for continuity of care: Clear instructions on how to handle ongoing patient care without compromising security should be given to providers.
• Preventive measures: Healthcare providers should be updated on steps being taken to prevent further breaches, such as system upgrades or changes in data-handling protocols.

Regulatory bodies

• Compliance reporting: Reporting the breach within the specified timelines ensures continued regulatory compliance (e.g., within 60 days under HIPAA).
• Documentation of efforts: Provide detailed documentation of the breach, including how it occurred, what data was affected, how patients were notified, and the steps taken to rectify the situation.

The public and media

• Public transparency: If the breach affects a large number of individuals, informing the public through media channels may be necessary. Public communication should focus on transparency, explaining what happened and the impact on affected individuals.
• Crisis management team: A designated team should handle media inquiries, ensuring that messaging remains consistent and appropriate to avoid speculation or misinformation.

Partners and third parties

• Contractual obligations: If third-party vendors or business associates are involved, they must be informed immediately, especially if the breach impacts their systems or the data they handle.

Best practices

Immediate notification

• Timeliness: Notify patients as soon as a breach is detected or confirmed. HIPAA mandates that affected individuals be informed within 60 days of the breach discovery.
• Clear and transparent language: Use clear, non-technical language to explain what happened, what information was exposed, and how it might impact the patient. Assure them that the organization is taking steps to mitigate the breach.
• Medium of communication: Reach out through multiple communication channels (email, phone, or texting) to ensure all affected individuals are notified.

Provide breach details

• Nature of the breach: Explain what happened, such as unauthorized access, a hacking incident, or employee negligence.
• Types of data exposed: Inform patients about what specific data was involved, whether it's medical records, personal identification information, financial data, or other sensitive information.
• Potential risks: Educate patients on the potential risks resulting from the breach, such as identity theft or misuse of health data.

Offer solutions and support

• Provide resources: Offer patients access to resources like credit monitoring services or identity protection tools to help mitigate the risk of misuse of personal information.
• Helplines and support: Establish dedicated lines for patient inquiries, where they can get more information or ask questions.
• Explain remediation efforts: Inform patients about the steps the organization is taking to prevent future breaches, such as enhanced security measures or staff training.

Maintain HIPAA compliance

• Breach reporting: Ensure compliance with HIPAA Breach Notification Rules. Report the breach to the U.S. Department of Health and Human Services (HHS) and, if necessary, the media if more than 500 patients are affected.
• Documentation: Keep a thorough record of all communications, including notifications and responses for audit purposes.

Monitor and follow up

• Ongoing communication: Keep patients informed about any developments related to the breach. If new information becomes available, proactively update affected individuals.
• Post-breach feedback: Gather feedback from patients on the communication process to improve future responses.

Related: How to respond to a data breach

Paubox

Paubox Email Suite

Paubox Email Suite is a secure email platform designed to streamline and protect communication in healthcare, making it an ideal tool for managing sensitive communications during data breaches. Its HIPAA compliant encryption ensures that all emails containing protected health information (PHI) are transmitted securely, without requiring recipients to log in to external portals.

During a breach, healthcare organizations can use Paubox Email Suite to:

• Notify affected individuals: Send secure, personalized emails to affected patients, providing details about the breach and steps they can take to protect their information.
• Streamline stakeholder updates: Use the platform to communicate consistently with other stakeholders, including employees, third-party vendors, and regulatory bodies, without compromising data security.

Learn more: HIPAA Compliant Email: The Definitive Guide

Paubox Texting

Paubox Texting offers a secure, HIPAA compliant platform for rapid communication during data breaches, ensuring that sensitive information is delivered safely to affected individuals. It enables healthcare organizations to notify patients promptly about a breach, provide updates, and share actionable guidance without compromising their privacy.

The benefits of using Paubox Texting in breach communication include:

• Secure messaging: Messages sent through Paubox Texting are encrypted, protecting sensitive patient data even during a crisis.
• Real-time notifications: Immediate delivery ensures patients are informed quickly about potential risks and mitigation measures.
• Personalized communication: Paubox Texting allows tailored messages to individual patients, offering reassurance and specific instructions.
• Accessibility: Patients are more likely to check and respond to text messages compared to emails or letters, making it an efficient way to reach them during emergencies.

Learn more: The guide to HIPAA compliant text messaging

FAQs

What information should be included in a breach notification?

A breach notification should include:

• A description of the breach (what happened and when).
• The types of data exposed.
• Steps the organization is taking to mitigate the breach.
• Actions patients can take to protect themselves.
• Contact information for questions or further assistance.

How can organizations prevent communication missteps during a breach?

Develop a breach communication plan in advance. This should include templates for notifications, assigned roles for crisis management, and a protocol for ensuring consistent messaging across all communication channels.