What Should Clinicians Do After a Data Breach?

A mental health professional checks if he has been hacked. The transition to digital records has made it easier for clients to view years of health care data in a single portal. Clinicians can seamlessly communicate across time and distances, ensuring better care. But digital records also expose therapists and their clients to data breaches, where personal data is exposed to an unauthorized third party. In fact, most personal data breaches occur within the health care industry.

There’s a lot more than privacy at stake. Personal information can enable stalkers to find their victims, empower abusers to gain custody of their children or manipulate court proceedings, or even affect a client’s employment. Therapists have a legal and moral obligation to protect confidential health data. When there is a known or suspected breach, here’s what to do.

What Counts as a Data Breach?

A breach happens any time a client’s data was inappropriately exposed to a third party. This includes potential breaches, such as when a client’s data could have been exposed but the extent of the exposure is uncertain.

Some examples of data breaches include:

Accidentally leaving patient paperwork, passwords, or contact information in a public location.
Revealing patient data to a third party. For example, a receptionist or other employee might not understand privacy rules and share that a client has sought treatment with you.
Hacking initiatives that enable third parties to access client passwords or contact information.

The person to whom the confidential information is revealed does not need to have nefarious intentions—or any specific intentions at all—for the revelation to be considered a breach. However, privacy violations that reveal client data to criminals, hackers, abusers, and others with malicious intentions are more dangerous.

Notifying Your Clients

Therapists and other health care providers are legally required to notify clients of any suspected or actual data breach. You do not have to know for certain that the client data was misused—only that the data was or might have been breached.

Notify your client in writing at their last known address with specific details about the nature of the breach. The information should provide sufficient details for the client to proactively protect their own privacy. Simply telling a client that a breach occurred is inadequate.

If the breach was serious enough, consult an attorney about what you can do to reduce your legal exposure and protect your clients. A lawyer may also be able to help you discuss the breach with clients and draft notification forms.

While not legally required, it can also be helpful to discuss the breach with clients in person. Avoid defensiveness or minimization. Instead, tell the client what you did to mitigate the effects of the breach and what you are doing differently going forward. Encourage your client to discuss with you how the violation has affected their life and your therapeutic relationship. Do not attempt to dissuade clients from suing or taking other legal action.

When a data breach affects your client’s ability to trust you, you may need to refer the client to another therapist. Similarly, if a client sues you or pursues other legal action, you may need to end your relationship.

The U.S. Department of Health and Human Services (HHS), which monitors privacy violations and data breaches, says that clinicians should assume by default that a suspected breach has occurred and has compromised client data. Clinicians may only assume that a breach has not occurred after conducting a risk assessment that looks at relevant factors, including:

Whether protected information was actually viewed or acquired.
The extent to which the risk of exposure has been mitigated.
The type of health information involved, including the likelihood that the information will be connected to a specific person. Anonymized data presents a lower risk than information tied to a specific address or Social Security number.
The person or entity who used the information or to whom the breach was disclosed.

In most cases, you may also be required to notify the Department of Health and Human Services of data breaches. Follow this link for a notification form and details about your notification requirements.

Consequences of a Security Breach

A security breach can have lasting consequences in a client’s life. The client might be subjected to abuse or court action by an abuser, humiliation at work, public exposure, or financial losses. Some people spend years correcting credit and financial errors that stem from health care security breaches.

Licensing boards, courts, and HHS all take security breaches very seriously.

When you violate the Health Insurance Portability and Accountability Act (HIPAA), an individual or organization may file a complaint against you. The government will investigate this complaint and may penalize you. HIPAA fines range from $100 to $50,000 per violation. The amount you pay will depend on your culpability for the violation. Knowing disclosures are the most serious and carry the highest fines, while inadvertent disclosures carry lower penalties.

Other potential penalties include:

Lawsuits. Clients and other people affected by disclosures can sue you in civil court to recover damages and attorney’s fees. These suits can be costly, and you may shell out thousands in attorney’s fees even if you eventually win.

Licensing issues. Clients may be able to file a complaint with your state licensing board. If they can show you were negligent or malicious, you could lose your license or face other professional discipline.

Criminal charges. Criminal charges for data breaches are very rare. If, however, you engaged in criminal conduct—such as hacking into a health care database—or a court determines your actions were so negligent they were criminal, you could face jail time or criminal fines.

Loss of reputation. If you violate client privacy, there may be media coverage or negative reviews. Mental health care demands a high degree of trust. If you lose your clients’ trust, you may lose your clients and professional reputation.

Therapists must proactively guard client data. Yet it can be challenging to remain in compliance with evolving privacy regulations while choosing technological solutions for managing your practice. GoodTherapy.org supports therapists with up-to-date regulatory information, technological advice, and more. Therapists also have access to our high-traffic directory and a wide range of continuing education seminars, including seminars on privacy and ethics.

Get listed in our directory and enjoy all the benefits of membership today!

References:

Breach notification rule. (2013). Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Cohen, J. (2019, April 26). HHS to cap HIPAA fines based on 'culpability'. Retrieved from https://www.modernhealthcare.com/government/hhs-cap-hipaa-fines-based-culpability
HIPAA violation fines. (n.d.) HIPAA Journal. Retrieved from https://www.hipaajournal.com/hipaa-violation-fines
Lovell, T. (2019, August 28). Statistics reveal healthcare is the sector most affected by personal data breaches. Retrieved from https://www.healthcareitnews.com/news/europe/statistics-reveal-healthcare-sector-most-affected-personal-data-breaches

Last Update: 11-26-2019

Professional Resources

Learn from Experts: Improve Your Practice and Business

Trusted by thousands of mental health professionals just like you.

Every month, GoodTherapy will send you great content, curated from leading experts, on how to improve your practice and run a healthier business. Get the latest on technology, software, new ideas, marketing, client retention, and more... Sign up today.