What can patients do to your organization if their PHI is stolen?

When patients become victims of a healthcare data breach, the consequences follow them long after the incident. With stolen protected health information (PHI), criminals can file fraudulent insurance claims, open accounts that damage the patient's credit, and use intimate medical details to extort the patient directly.

HIPAA grants patients specific rights that give them more control over their PHI. Patients cannot stop breaches from occurring, but they can exercise those rights over how their PHI is used and disclosed, and they can decide what to do after an incident.

Learn more: HIPAA compliant email: the definitive guide

 

Patients’ PHI: a breakdown

PHI is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. It covers a person's past, present, or future physical or mental health, the care they receive, and payment for that care, together with anything that can link such a record to a specific person. HIPAA's Safe Harbor de-identification standard lists eighteen identifiers that must be removed before data is considered de-identified; they cover a broad range of demographic details:

  1. Names
  2. Geographic subdivisions smaller than a state, such as a street address, city, county, or ZIP code
  3. Dates (other than year) directly related to an individual, such as birth, admission, and discharge dates
  4. Telephone numbers
  5. Vehicle identifiers and serial numbers, including license plate numbers
  6. Fax numbers
  7. Device identifiers and serial numbers
  8. Email addresses
  9. Web URLs
  10. Social Security numbers
  11. IP addresses
  12. Medical record numbers
  13. Biometric identifiers, including finger and voice prints
  14. Health plan beneficiary numbers
  15. Full-face photographs and any comparable images
  16. Account numbers
  17. Any other unique identifying number, characteristic, or code
  18. Certificate/license numbers
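The identifiers above are the Safe Harbor list from 45 CFR 164.514(b)(2), which is also what a data-loss-prevention scan or a de-identification pipeline checks for. As an added example (not code from the original page or from Paubox), the Python below scans a constructed sample record for the identifiers that a regular expression can plausibly catch, reports which categories are present, and redacts them. The record, the field labels, and the patterns are assumptions; the item numbers in the comments refer to the list above.

```python
import re
from typing import Dict, List

# Safe Harbor identifiers that a pattern can plausibly catch, keyed to the item
# numbers in the list above. Names (1), vehicle and device serials (5, 7),
# biometrics (13), photos (15), plan and account numbers (14, 16) and the
# catch-all (17) need context or a lookup table, so they are deliberately
# absent: a clean scan here is evidence of de-identification, not proof.
PATTERNS: Dict[str, "re.Pattern"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                  # item 10
    "phone_or_fax": re.compile(r"(?<!\d)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),  # items 4, 6
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),                       # item 8
    "url": re.compile(r"\bhttps?://[^\s<>]+"),                                      # item 9
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                             # item 11
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),       # item 3
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),                                     # item 2
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),                       # item 12
}

# Constructed sample record (hypothetical patient, documentation-range IP,
# reserved .test domain, 555 phone number); not real data.
RECORD = """Patient: Jane Q. Example
DOB: 1962-03-15
MRN: 00123456
SSN: 123-45-6789
Phone: (617) 555-0143
Email: jane.example@example.com
Address: 12 Main St, Springfield, MA 01101
Portal: https://portal.example-clinic.test/visit/8841
Last login from 203.0.113.42 on 2024-11-02
Diagnosis: Type 2 diabetes, metformin 500 mg"""


def scan(text: str) -> Dict[str, List[str]]:
    """Return every identifier category found in text with the matching strings."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def redact(text: str) -> str:
    """Replace each detected identifier with a [CATEGORY] placeholder.

    Categories are applied in dictionary order, so the more specific patterns
    (SSN, phone) consume their digits before the looser ones (ZIP, date) run.
    """
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def pattern_clean(text: str) -> bool:
    """True when no regex-detectable identifier remains: necessary, not sufficient."""
    return not scan(text)


if __name__ == "__main__":
    for category, found in scan(RECORD).items():
        print(f"{category:>12}: {found}")
    print()
    print(redact(RECORD))
```

Run as-is and the scan reports all eight pattern categories in the sample record while leaving the patient's name untouched, which is the practical point: pattern matching covers roughly half of the Safe Harbor list, so a scanner like this is a detection aid for finding PHI where it should not be (mail spools, log files, ticket systems), not a certification that a dataset is de-identified.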

HIPAA establishes strict standards for the protection of PHI. According to the Department of Health and Human Services' Office for Civil Rights (OCR), safeguarding PHI ensures "its confidentiality, integrity, and availability" and prevents "unauthorized or inappropriate access, use, or disclosure."

 

HIPAA breaches: what happens to patients

Under HIPAA, a breach is an impermissible use or disclosure of PHI that compromises its security or privacy. HIPAA's rules guard against such incidents by granting patients rights over their PHI and by requiring administrative, physical, and technical safeguards. Common causes of exposed PHI include unauthorized employee access, lost or stolen devices, hacking incidents, and phishing and ransomware attacks.

An impermissible use or disclosure is presumed to be a breach unless the organization can show, through a documented risk assessment, that there is a low probability the PHI was compromised. When a breach involves unsecured PHI, the Breach Notification Rule requires the organization to notify the affected individuals without unreasonable delay and no later than 60 days after discovery, to notify OCR, and, for breaches affecting more than 500 residents of a state, to notify prominent media outlets. This process promotes accountability and transparency and ensures that patients learn their privacy may have been compromised.

After a breach, a patient can have a lot of stress and issues related to stolen PHI. For example, cyberattackers might:

  • Alter a patient’s medical records
  • Misuse or sell personal data
  • Commit identity theft
  • Steal money

An altered medical record can lead to improper treatment and other medical harm, on top of the anxiety that follows any breach. Last year, more than 133 million patient records were breached, roughly double the 2022 total.

Read more: What happens to my personal information after a data breach?

 

What can patients do to organizations after a breach?

After a breach, the organization must tell those affected what happened, what kinds of information were exposed, what it is doing to investigate and mitigate the incident, and what protection (such as credit monitoring) it is offering. Healthcare organizations are bound by HIPAA to keep PHI secure and must show patients how they will remedy the situation.

If that response is insufficient, patients can submit complaints directly to OCR (its online Complaint Portal Assistant speeds up the process) or to their state attorney general. In most cases the complaint is investigated, and action may be taken against the organization if the complaint is substantiated and HIPAA rules have been violated.

If that is still not enough, patients can explore legal action against the provider, either individually or through a class-action lawsuit. HIPAA itself gives patients no private right of action, so a patient cannot sue directly for a HIPAA violation. Instead, claims are brought under state law, such as negligence or state privacy and consumer-protection statutes. Patients must show that they suffered actual harm, which is why joining a class action, where many patients pool similar claims, strengthens the case against a healthcare organization.

 

What can patients do for themselves?

After a breach, patients should ask their provider for a copy of the records that may have been exposed and, most importantly, whether the organization is offering credit monitoring. Patients should place a fraud alert, and ideally a freeze, on their credit reports even if the breached organization offers no help. Other steps to consider, depending on the information exposed:

  • Notify banks
  • Update passwords and PINs
  • Enable multifactor authentication
  • Monitor financial accounts and reports

Patients should understand their healthcare providers' security practices and make sure those practices match their own expectations. They should not hesitate to ask how their PHI is handled and stored, and they should promptly report any suspected misuse to OCR and/or their state attorney general.

Above all, patients must remain vigilant against fraud. Complying with HIPAA helps organizations strengthen the trust between themselves and their patients.

 

FAQs

What rights do patients have regarding their PHI?

Patients' rights over their PHI include the ability to access their health records, request corrections of inaccuracies, and ask for restrictions on the use and disclosure of their PHI. If these rights are violated, patients can file a complaint with OCR.

 

What if a patient requests their medical records electronically?

Patients have the right to request their medical records electronically under HIPAA. According to the HHS, "The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more "designated record sets" maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice."

 

What if a patient requests an accounting of disclosures of their PHI?

Patients can request an accounting of disclosures of their PHI under HIPAA. Covered entities must provide the accounting, covering disclosures made in the six years before the request (with exceptions, such as disclosures for treatment, payment, and healthcare operations), within 60 days of the request, with one 30-day extension permitted.
