Over on HealthITSecurity.com, Patrick Ouellette notes that the American Health Information Management Association (AHIMA) recently published a Breach Management Toolkit.
Patrick reports that the toolkit discusses five critical pieces of information that AHIMA says should be included in any breach notification letter. Their five critical pieces, as summarized by Patrick, are consistent with what I have been advising for years:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of unsecured PHI that were involved in the breach (i.e., full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code)
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the organization is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Website, or postal address if appropriate.
Suiting their action to the word, on April 2, AHIMA notified the Maryland Attorney General’s Office that a temporary worker employed between September 26, 2013 and January 27, 2014 had, in February, misused credit card information that she had collected from some customers’ telephone orders for merchandise. AHIMA had evidence that a few customers had their information misused and decided to notify all customers potentially affected, i.e., all customers whose orders had been taken over the phone by the now-former employee.
Their notification letter to customers, which you can read here (pdf), does include pretty much all the critical elements they describe in their toolkit. I would have preferred to see them offer an e-mail address in lieu of a postal address, as I think that would be more convenient for more customers, and they do not offer them a toll-free number or indicate the days and hours for which their phone support is available, but overall, it’s a good notification letter.
Perhaps the only thing they could have made clearer is that the former employee did not start misusing customer data until after her employment terminated (meaning that she took information with her, which is different from misusing data she still had access to at work). In general, I find the phrase “former employee” is often confusing. Does it mean that the employee had already been terminated before the incident, or was the employee terminated after the incident or its discovery? For this case, and because they did not tell those affected the employee’s dates of employment, it probably would have been clearer to write something like, “We learned that one month after the employee’s position was terminated, she misused three customers’ credit card information to make purchases” (or something like that).
Sometimes it’s easy to write a clear breach notification letter. Other times, it may seem clear to you but not to an uninformed reader. Having someone who doesn’t know the details of a case read the draft letter to see what questions they may have can help you write a more effective letter. I don’t know if that’s in AHIMA’s toolkit, but it’s my advice to you.