HIPAA Breach Notifications: Anti-marketing in healthcare

You’ve heard the news and so have your clients. Healthcare organizations are getting hit with data breaches, and the federal government is handing out steep fines for HIPAA violations.

Hopefully your healthcare clients have gotten the message and have fallen in line with HIPAA. But in case they haven’t, here is another thing they should worry about: their reputation.

HIPAA practically requires healthcare organizations to harm their reputations after a data breach. The breach notification rules amount to an anti-marketing campaign, costing the organization time and money to throw mud onto its brand. Ouch.

Make sure your healthcare clients understand that if they have a data breach, word will get out. In fact, it’s practically required.

Here are a few ways that a hacked healthcare organization has to market against itself with breach notifications:

Related: HIPAA for IT Providers: The most important rules to know

Promote the breach on your homepage

The homepage is typically the most popular page of a website. It’s prime real estate online, and anything posted there receives ample attention.

If a healthcare organization does not have accurate contact information for more than 10 people affected by a data breach, then HIPAA compliance requires “conspicuous posting” of a breach notification on its homepage for 90 days.

In addition, the organization has to include a toll-free number that remains active for 90 days that people can call to learn if the breach affects their health data.

Here’s an example from UCLA Health’s homepage in response to a recent data breach (screenshot not reproduced here): a link on the homepage points to UCLA Health’s notice with more detail on the breach.

Advertise in the press

As an alternative, the organization can run a “conspicuous notice” in a major print or broadcast media outlet in the region. Imagine paying thousands of dollars for an advertisement that pushes people away from your business.

Public relations of the breach

The organization may have to start a negative PR effort. For breaches affecting more than 500 people, the organization has to contact prominent media outlets in the region and notify them of the breach within 60 days.

The media are likely to run news stories about the breach. That’s why stories, such as the one this week about a data breach at UCLA’s health system affecting 4.5 million people, never seem to stop coming.

Direct mail and email notification

Let’s not forget the anti-marketing by direct mail. Healthcare organizations have to notify every person whose health data was disclosed in a breach. If a person is deceased, then the next of kin has to be notified.

The notice must be in writing and sent by first-class mail. Email can be used as an alternative if the person agrees.


Notify the HIPAA authorities

The fun doesn’t stop there. A breached organization has to notify the federal department that enforces HIPAA, the U.S. Department of Health and Human Services (HHS). The notice is sent by submitting a report on the HHS website.

Then the HHS can decide to post about the organization’s breach on its website (and it’s safe to assume the site receives thousands of visitors each month).

This report must be made within 60 days of discovery if more than 500 people are affected. If fewer than 500 were affected, then the report must be made within 60 days of the end of the calendar year.

More than HIPAA fines

Financial penalties under HIPAA are only a portion of the total cost of a breach. Additional legal fees, consultant fees, and the cost of resolving security vulnerabilities also pile on.

The damage to reputation and brand should not be understated – especially since HIPAA forces breached organizations to spend thousands of dollars marketing against themselves with notifications spread far and wide. Warn your clients.

Related resources

HIPAA Security Rules for IT: What are they?

HIPAA Security: Most business associates suffer data breaches

HIPAA 2015: Expect more attacks, enforcement, and lawsuits

Written by Calyptix - July 22, 2015
