This “Data Breach Response – How To” article is part of our larger series by Heather Noonan.
If you find that your healthcare data breach population includes minors or decedents, it is highly encouraged that you provide additional care for them. You already have a HIPAA privacy breach of personal identifiable information and now you have children and deceased involved, one of the most sensitive and loved groups in any population. You will find yourself in a very difficult position, but one that can be dealt with sensitivity, compassion, and attention to detail.
For both of these groups, it is also highly advocated and perceived that you address your notification to the actual individual who will be reading the letter. In the case of minors, it is often the parents or guardians who will be receiving and opening the letter. For the decedents, the letter will most likely go to the next of kin, guarantor, or spouse.
An important part of your forensics work and addressing the notification letters will involve researching who the letter should go to. My recommendation for the minors, is to spend the time and pull the parents or guardians names, and for the deceased, pull the wife or next of kin’s name when you can. In some cases you won’t have their names, but if you are a hospital and you have their information, add it. The other rule of thumb is to address the letter “In care of”. This is a softer, gentler approach. You acknowledge that this individual may be a minor or deceased and are sending the letter “In care of” their attention.
When working with minors or deceased you also need to provide adequate resources for them. For example with the minors, one of the biggest obstacles will be if they have a credit file. For deceased individuals, the next of kin or spouse will have to verify if the decedent has been flagged as “deceased” by the Social Security Administration. Why do I mention this? Well, it becomes important if credit monitoring or recovery services are being offered or if the individual wants to obtain a credit report, place a fraud alert or a security freeze. The list goes on.
Basically put, for minor or deceased populations, a mother, father, spouse, sister, attorney, etc; will need to assist. Make it easy on these people. Give them accurate information and resources. Hold their hands too.
Senior Project Manager-Data Breach Response Team