Can You Retain Patients After a HIPAA Breach?

When a healthcare provider is affected by a data breach and confidential patient information is exposed, disclosed or is stolen, patients are naturally upset or angry, but is it possible to retain patients after a HIPAA breach?

Healthcare providers have to face huge costs after a data breach. There are financial penalties from the Office for Civil Rights, Attorney Generals are now issuing HIPAA fines and there is the threat from class action lawsuits and the considerable cost of issuing Breach Notification letters to the victims. However a recent survey indicates that the losses may be much more severe. Healthcare providers may struggle to retain patients after a HIPAA breach.

65% of Patients Would Avoid Companies After a HIPAA Breach

Any healthcare provider or covered entity that has suffered a HIPAA breach will be well aware that patients can get angry. Their confidential data can be used to commit identity and medical fraud and the disclosure of medical information could cause embarrassment or result in losses being suffered.

A recent study conducted by TransUnion asked patients about how they would feel after a data breach and what actions they would take. The survey found that 7 out of 10 patients would consider changing healthcare providers if their confidential data was exposed or stolen. Healthcare providers should therefore try to improve trust following a breach of PHI. If nothing is done to restoire confidence, it will be harder to retain patients after a HIPAA breach.

While not all respondents would follow through and change healthcare provider after a HIPAA breach, the figures should serve as a warning to all covered entities that the failure to implement sufficient controls to safeguard PHI could result in substantial loss of revenue as patients seeking other healthcare providers.

The survey suggests that seniors would be less willing to make the change than younger patients. Close to two thirds of the respondents over the age of 55 said that they would be unlikely to change provider after a security incident exposed their data. For the 18-34 year olds, nearly three quarters (73%) said that they would consider taking their business elsewhere.

TransUnion Healthcare president, Gerry McCarthy, said that “Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider” but he pointed out that “With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

A Fast Breach Response CAn Help Organizations Retain Patients after a HIPAA Breach

If a healthcare provider or insurer takes decisive and rapid action after a data breach to mitigate damage and notify the individuals concerned, this can go a long way towards restoring patient confidence in an organization. Many patients would understand that data breaches are not always avoidable, but when coupled with a tardy response when it comes to issuing breach notification letters, patients are likely to be far less understanding. A fast breach response can help organizations to retain patients after a HIPAA breach.

Many healthcare providers take a number of weeks following the discovery of a breach to notify the victims, but the survey indicates that the general public expects much quicker action to be taken. 46% of respondents expected to be notified of a breach within 48 hours of it being discovered, while 31% expected to receive a notification within 3 days.

McCarthy points hour that rapid action is the key to mitigating damage and retaining patients. “The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” he says.

The TransUnion survey was conducted on 1,228 patients, all of whom were located in the United States. Each respondent had sought medical treatment at some point during the previous 2 years.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of