How to Notify Clients About a HIPAA Breach

Most modern mental health practices gather and store client information digitally. Doing so can be convenient and secure—improving the efficiency of your practice and providing you with more time for client care. 

However, even well-protected data comes with some risk. For many practitioners, just the words “HIPAA breach” are enough to conjure fear and dread.

It’s essential for practitioners to choose an EHR system and practice management software with HIPAA-compliant privacy, security, and data protection features. 

Believe it or not, most HIPAA breaches are not caused by hackers exploiting flaws in software, rather they are caused by simple human errors. 

Common human errors leading to HIPAA breaches

Perhaps a client asked you to send them a treatment summary via email–and you accidentally sent it to the wrong email address. Perhaps a staff member was not being careful about HIPAA-compliant billing practices and mistakenly sent information on all of the clients in your practice to a payor, when they meant to just send information relevant to that payor. Or perhaps one of the clinicians in your group practice took an unencrypted device home to work on notes or reports, and they accidentally left it on the table at a coffee shop or restaurant.

Of course, we do what we can to limit such occurrences. You should have data security policies and practices in place in your practice to minimize these risks. 

However, well-intentioned people sometimes make mistakes, and if a HIPAA breach occurs, you need to follow the proper steps to address it.

Evaluating a HIPAA breach

When you discover that client data has been lost, stolen, or improperly shared, your first step is to investigate. 

You need to get a handle on how much data was shared, what form that data is in, and the likelihood that the data was improperly accessed. 

Read our article on What to Do After a HIPAA Violation for more information on how to evaluate potential risks and violations.  

By investigating, you will determine whether an impermissible use or disclosure of client data actually qualifies as a breach under HIPAA. The default position is that it does. 

If your investigation determines that an exception to the definition of a HIPAA breach applies, then you have no further reporting requirement. Still, you should review and adjust any policies and practices as needed to prevent similar issues in the future. If a breach has occurred, then you will need to notify clients and the U.S. Department of Health and Human Services (HHS).

Notifying the HHS

All HIPAA-covered entities must notify the HHS of data breaches. 

If the breach impacts fewer than 500 clients’ data, then you can notify HHS in the first 60 days of the next calendar year. If the breach impacts the data of 500 or more clients, you must notify HHS immediately. You can submit a breach notification through the HIPAA breach reporting portal.

Therapists may worry that the notification process amounts to admission of a crime, particularly if the breach occurred due to a human error or lost device, but this is not necessarily true. 

HHS gathers information on data breaches largely to get a better understanding of how these breaches occur. And the overwhelming majority of breach reports do not result in any action against the entity making the report. 

Enforcement tends to be limited to situations where the breach was egregious, willful, or where there has been a history of repeated past breaches and the entity has not taken adequate steps to improve the protection of client data. Even HHS understands that some risks can’t be foreseen, and that some data breaches are not the result of malicious behavior.

In any event, failure to report a breach out of embarrassment or concern over possible enforcement only increases the risk to the therapist. While a breach may or may not be a crime, depending on the context, failure to report a breach can lead to civil and criminal penalties.

Notifying clients

Any client whose data may have been impacted by a data breach must be notified within 60 days.

Here are the required components of that notification:

• A brief description of what happened that led to the breach
• Types of information potentially disclosed
• Steps the client should take to protect themselves from potential harm
• What you are doing to investigate, mitigate the harm, and prevent further breaches
• Your contact information 

If the breach involves information leaked to or by a business associate, you maintain responsibility for ensuring that impacted clients are notified. However, the actual notification may come from you or from the business associate, depending on who is best positioned to provide it.

You can send this notification via email to clients who have previously agreed to receive email communications. For all others, you should send the notification via regular first-class mail.

In some cases, you might find that you don’t have current contact information for clients impacted by a breach. If you don’t have current contact information for less than 10 impacted clients, you can reach out to them by phone, an “alternate form of written notice,” or other means, depending on what information you do have. 

If your current contact information is out of date or incorrect for 10 or more impacted clients, you either need to include the breach notification on the homepage of your web site for at least 90 days, or include it in “major print or broadcast media” where the impacted clients live. You also must maintain a toll-free phone number for at least 90 days where clients can learn whether their data was impacted.

More information about the individual breach notifications required under HIPAA is available on the HHS website. You can also use our HIPAA Breach Notification Letter Template if you need to reach out to your clients about a breach. 

Client reactions

Clinicians may be concerned about how their reputation may be impacted when sending out a HIPAA breach notice, however their fears don’t typically line up with their clients’ reactions to data breach notifications. 

Many clients shrug off such notices, especially if the impacted data doesn’t include financial information or if it otherwise seems like their exposure of personal information was low. Others may be grateful for the transparency and any additional steps you’re taking to improve data security going forward. 

This, too, is why the tone of a breach notification can be as important as its content. 

You want clients to be informed in a straightforward, factual way. You don’t want to be seen as hiding information that clients would reasonably want and expect in such a situation. 

At the same time, you want to reassure clients, to the degree appropriate, that this kind of an occurrence is rare and that you’re learning from it in ways that will benefit them and all clients in the future.

We’ve created a sample HIPAA breach notification letter to help you inform your clients of a data breach. Since much of the information in a notice is dependent on the specific circumstances of the breach, you may want to run the notification through an attorney and/or your professional liability insurer before sending it out.

SimplePractice provides HIPAA-compliant client messaging

SimplePractice practice management software is an EHR system that includes HIPAA-compliant Secure Messaging that makes it easy to securely communicate with your clients and team members.

Try SimplePractice free for 30 days. No credit card required.

READ NEXT: 

• What Does It Mean for a Therapist to be HIPAA Compliant?
• The Key to HIPAA-Compliant Email for Therapists
• Why Health Practitioners Should Care about Two-Step Verification