Sounding the alarm. Knowing when to notify patients of a data breach can be unclear.

The laptop was missing. Previously stationed in the EEG department of NorthShore University HealthSystem, the laptop had been connected to equipment used by staff to treat patients. Just who took the laptop from the Evanston, IL-based facility—an employee, patient, or visitor—was not known. What was known was that 250 patients had personal information stored on the machine, including their names and Social Security numbers. NorthShore’s chief privacy officer and director of HIM is Teresa Bunsen, RHIA. When she was notified of the theft, her thoughts raced to the missing patient information. The laptop was not encrypted, leaving sensitive information exposed to potential theft. It was clearly and officially a breach that threatened patient privacy, and Bunsen sounded the alarm. That triggered an investigation and a breach notification letter sent to the 250 patients. Most providers operate under state laws that require them to alert patients and employees if their data were involved in a privacy or security breach. However, few of the laws are specific, which can leave privacy officers wondering just how and when to send a notification. Send too early, and a false alarm could cause patients unnecessary worry and damage the organization’s credibility. Wait too long, and identity theft and state fines will make a bad situation worse. Establishing policies, procedures, an operations team, and staff training helps organizations make the best choices when they find themselves in the middle of a breach situation. What Constitutes a Breach? Data breaches are serious matters for both patients and healthcare facilities. The threat of unauthorized record access strikes at the core of a facility’s promise to keep information confidential. When information is breached, quickly notifying patients or employees can greatly improve their chances of combating harm from identity theft. Currently 44 states have data breach notification laws, which require stewards of personal information, such as healthcare facilities, to notify customers and employees if their personal health information is improperly accessed or stolen. California was the pioneer in enacting breach laws in 2002. California again has come into the national spotlight with two new breach notification laws that took effect January 1. The laws