Federal Health Data Security Rules: What Happens When Your Medical Information Is Breached
Health data breaches are becoming increasingly common, affecting millions of Americans each year. When your medical information is compromised, federal and state laws provide specific protections and notification rights, but many patients do not understand what they are entitled to or how to protect themselves after a breach.
Understanding your rights under HIPAA, state privacy laws, and federal breach notification requirements can help you respond effectively when your health data is compromised and take steps to prevent further harm.
Types of Health Data Breaches
Health data breaches can take many forms, and the type of breach affects what information was potentially compromised and what protections apply.
Common types of health data breaches:
Hacking incidents where cybercriminals gain unauthorized access to health system computer networks. These often involve electronic health records, billing systems, and patient portals.
Lost or stolen devices including laptops, tablets, or mobile phones containing patient information that were not properly encrypted. HIPAA's breach rules apply to "unsecured" protected health information, so a lost device that was encrypted in line with HHS guidance generally does not trigger notification; the notice you receive should say whether the data was encrypted.
Unauthorized access by employees who accessed patient records outside the scope of their job duties or shared information inappropriately.
Business associate breaches where third-party vendors who handle health information on behalf of healthcare providers experience data compromises.
Improper disposal of medical records, including paper records thrown away without shredding or electronic media discarded without proper data destruction.
Information typically involved in health data breaches includes names, dates of birth, Social Security numbers, health insurance policy and member identification numbers, diagnoses, treatment and prescription information, and billing or payment details. Insurance identifiers are the most useful to a fraudster, because they are enough to obtain care or file claims in your name.
HIPAA Breach Notification Requirements
Under the HIPAA Breach Notification Rule, covered entities must notify patients when their unsecured protected health information has been breached, and business associates must report breaches they discover to the covered entity. These notification requirements include specific timing and content requirements.
Who must provide breach notification:
Covered entities (healthcare providers, health plans, and healthcare clearinghouses) notify affected individuals, the Department of Health and Human Services (HHS), and, for larger breaches, the media. A business associate that discovers a breach must notify the covered entity, which remains responsible for notifying you, although it may arrange for the business associate to send the notice.
When notification is required:
HIPAA requires that affected individuals be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, regardless of how many people are affected. The 500-person threshold applies to the other notices, not to yours: breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window and, when 500 or more residents of one state or jurisdiction are affected, announced to prominent local media outlets. Breaches affecting fewer than 500 individuals may be reported to HHS in an annual log within 60 days of the end of the calendar year in which they were discovered, but the affected patients must still be told within 60 days of discovery.
Many state laws require faster notification, and some organizations notify sooner than the law requires. Breaches affecting 500 or more individuals are also posted publicly on the HHS Office for Civil Rights breach portal, which is worth checking if you suspect your provider was involved but have not received a letter.
What breach notification must include:
A breach notice must be written in plain language and include a brief description of what happened, including the date of the breach and the date it was discovered; the types of information involved (for example names, Social Security numbers, diagnoses, or insurance numbers); steps you should take to protect yourself from potential harm; what the organization is doing to investigate the breach, mitigate harm, and prevent a recurrence; and contact information for questions, such as a toll-free telephone number, email address, website, or postal address.
Your Rights After a Health Data Breach
When you receive notification of a health data breach, you have specific rights under federal and state law that can help protect you from further harm.
Immediate rights after breach notification:
Right to request detailed information about what specific information of yours was involved in the breach. The notice must state the types of information involved; if it is written generically, ask the organization what data elements for your record were actually exposed.
Right to request an accounting of disclosures, which lists disclosures of your health information made outside treatment, payment, and healthcare operations during the previous six years. An impermissible disclosure of the kind that constitutes a breach must appear in that accounting, so it can show whether and when your records were disclosed improperly.
Right to request restrictions on future uses and disclosures of your health information. Providers are not generally required to agree to these restrictions, with one exception: if you pay for a service in full out of pocket, the provider must honor a request not to disclose that service to your health plan.
Right to request copies of your medical records, which providers must generally supply within 30 days, so you can monitor for any unauthorized changes or additions.
Free credit monitoring and identity theft protection:
Many healthcare organizations offer free credit monitoring and identity theft protection services to patients affected by data breaches. You should take advantage of these services even if you do not think your financial information was involved.
State-specific rights:
Some states provide additional rights beyond federal requirements, including longer credit monitoring periods, legal remedies for emotional distress, and stronger notification requirements.
Steps to Take After a Health Data Breach
Receiving breach notification can be concerning, but taking specific steps can help protect you from identity theft and medical identity theft.
Immediate steps after receiving breach notification:
Contact the healthcare provider or organization that experienced the breach to get more specific information about what of your information was involved.
Review your medical records and insurance explanation of benefits statements for any unauthorized activity or unfamiliar services.
Check your credit reports from all three credit bureaus for any unauthorized activity. You are entitled to free reports from each bureau through AnnualCreditReport.com, and placing a fraud alert entitles you to an additional free report from each bureau.
Consider placing fraud alerts or credit freezes on your credit files to prevent unauthorized accounts from being opened in your name. Under federal law both are free: an initial fraud alert lasts one year and can be renewed, a freeze lasts until you lift it, and an extended seven-year fraud alert is available once you have filed an identity theft report with the FTC.
Ongoing monitoring:
Medical identity theft can occur months or years after the initial breach. Continue monitoring your medical records, insurance statements, and credit reports for unauthorized activity.
Set up account alerts with your health insurance company to receive notifications when claims are processed or when your information is accessed.
Review annual Medicare or Medicaid statements carefully for any services you did not receive.
Medical Identity Theft Protection
Medical identity theft occurs when someone uses your health insurance information to receive medical care, prescription medications, or medical equipment. This can be particularly harmful because it can result in incorrect information being added to your medical records.
Signs of medical identity theft include bills or collection notices for services you did not receive, explanation of benefits statements listing unfamiliar providers, dates, or treatments, a health plan notice that you have reached a benefit limit you have not used, denial of coverage or insurance because of a condition you do not have, and medical records that show diagnoses, allergies, blood types, or medications that are not yours.
Steps to address medical identity theft:
Contact your health insurance company immediately to report suspected fraudulent claims.
Request copies of medical records from any providers listed on suspicious claims to check for inaccurate information.
File a complaint with your state insurance commissioner if your insurance company is not responsive.
File a police report if you have evidence of criminal activity.
Report the identity theft to the Federal Trade Commission at IdentityTheft.gov, which generates an identity theft report and a personalized recovery plan.
Correcting medical records:
If medical identity theft has resulted in incorrect information being added to your medical records, you have the right under HIPAA to request an amendment. Healthcare providers must respond to amendment requests, generally within 60 days, and either make the requested changes or explain in writing why they cannot be made. If a provider refuses, you may file a statement of disagreement that must be kept with the record and included whenever the disputed information is disclosed.
State Data Breach Laws
Many states have data breach notification laws that provide stronger protections than federal law, particularly for breaches that do not involve healthcare information covered by HIPAA.
States with enhanced breach notification laws:
California requires notification of residents without unreasonable delay and notice to the state attorney general for breaches affecting more than 500 residents, and provides a private right of action for certain breaches of unencrypted personal information.
Illinois has strong biometric data protections under its Biometric Information Privacy Act, with a private right of action, in addition to its breach notification requirements.
New York requires notification to state authorities, including the attorney general, and imposes specific data security requirements on organizations that hold residents' private information.
Texas requires notification of affected residents within 60 days of determining that a breach occurred and notice to the state attorney general for breaches affecting 250 or more Texas residents.
State-specific protections may include faster notification deadlines than HIPAA's 60 days, notice to the state attorney general or another regulator, a private right of action or damages for emotional distress, and, in some states, a mandatory period of free credit monitoring when Social Security numbers are exposed.
Business Associate Breaches
Many health data breaches involve business associates – third-party companies that handle health information on behalf of healthcare providers. Understanding business associate relationships can help you understand your rights when these breaches occur.
Common business associates that may experience breaches include billing and claims-processing companies, electronic health record and cloud hosting vendors, medical transcription and coding services, collection agencies, mailing and printing vendors, IT and data backup providers, and the law firms, accountants, and consultants that handle patient data for a provider.
Your rights in business associate breaches:
Even when a business associate experiences the breach, the healthcare provider or health plan that hired them remains responsible for ensuring you are notified and for protecting your information. The business associate must report the breach to the covered entity within 60 days of discovering it, and the covered entity may have the business associate send the notice on its behalf.
You have the same rights to information and protection services regardless of whether the breach occurred at the healthcare provider or their business associate.
Questions to ask about business associate breaches include which of your data elements the vendor held, whether that data was encrypted, whether the vendor still has access to your records, what monitoring or identity protection is being offered and by whom, and whether your provider has notified HHS and, where applicable, your state regulator.
Long-term Monitoring and Protection
Health data breaches can have long-lasting effects, and protecting yourself requires ongoing vigilance beyond the immediate response to breach notification.
Long-term monitoring strategies:
Set up annual reviews of your complete medical records from all healthcare providers to check for accuracy and unauthorized additions.
Monitor prescription drug monitoring program databases if your state allows patient access, to check for unauthorized prescription activity.
Regularly review health insurance coverage and benefits to ensure unauthorized changes have not been made to your policy.
Consider ongoing identity monitoring services beyond any free services provided immediately after the breach.
Building stronger privacy protection:
Ask healthcare providers about their data security measures and how they protect patient information.
Understand your rights under HIPAA to restrict uses and disclosures of your health information.
Be cautious about sharing health information on social media or through unsecured communication methods.
Review patient portal security settings, use strong, unique passwords for all health-related accounts, and turn on multi-factor authentication wherever the portal or insurer offers it.
Understanding your rights and taking proactive steps after health data breaches can help protect your medical privacy and prevent further compromise of your sensitive health information.