Should Identity Theft Protection Services Be Offered to Data Breach Victims Under HIPAA?

The HIPAA Breach Notification Rule requires covered entities to notify individuals when their unsecured protected health information (PHI) has been compromised. It is less clear whether credit monitoring and identity theft protection services must also be offered to those affected.

HIPAA does not state outright whether credit monitoring and identity theft protection services must be given to people affected by a data breach. The decision whether or not to provide those services free of charge is left to the discretion of the covered entity.

However, following a breach of unsecured protected health information, HIPAA-covered entities are required to tell breach victims what steps they should take to reduce the risk of harm and protect themselves.

Those steps include obtaining a credit report from each of the credit reporting agencies: Equifax, Experian, and TransUnion. The credit bureaus must supply consumers with a free credit report once every 12 months on request.

Breach victims should be directed to review their accounts for any sign of fraudulent activity and told what to do if suspicious activity is discovered. They should also be advised to check their Explanation of Benefits statements for services they did not receive, since medical identity theft often shows up there rather than on a credit report. Guidance should also be provided on placing a fraud alert or a credit freeze on their credit files.

While HIPAA does not direct covered entities to offer credit monitoring and identity theft protection services, state and local laws may differ. Since October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers has required the breached entity to provide a minimum of one year of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”

In California, it is not obligatory to provide credit monitoring and identity theft protection services to breach victims, but if those services are offered they must be free of charge and last for a minimum of 12 months. State laws are frequently amended, so covered entities should keep up to date with new legislation in the states where their patients and members live.

Even though it may not be mandatory for healthcare organizations to supply identity theft protection services to breach victims, many opt to do so. Providing those services can help to minimize the damage caused by a data breach.

Credit monitoring services should be supplied to data breach victims for one or two years if credit or debit card numbers, Social Security numbers, or bank account information are thought to have been stolen.

Credit monitoring services alert breach victims when the credit bureaus receive applications for credit or loans in their name, or when personal information on file is altered, such as a change of address or phone number. They only detect activity that touches the victim’s credit file.

Identity theft protection services cover a much wider range of activity, some of which never appears on a credit report. This includes misuse of personal identifiers such as Social Security numbers, driver’s license numbers, medical ID numbers, and passport numbers.

The decision about which services to offer should be based on the level of harm breach victims are likely to face. That depends on the nature of the attack, the likelihood of the data being used for identity theft and fraud, the risk of the data being sold on for profit, and the types of data that were accessed.


Posted by Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector.