HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

1,600 Ohio Patients Notified of Impermissible PHI Disclosure

993 Ohioans who receive benefits from Medicaid or the Ohio Department of Job and Family Services (ODJFS) are being notified that some of their protected health information has been disclosed to unauthorized individuals as a result of a computer error.

Three separate incidents were identified. On February 16, 2019, a computer error caused a limited amount of protected health information (PHI) of 250 users of the Ohio Benefits Self-Service Portal to appear in another user’s account. The error was identified and corrected the same day.

Two further incidents occurred on March 20, 2019. A computer error caused information entered into the Ohio Benefits portal to be saved to incorrect accounts. The computer error has been temporarily fixed and a permanent solution is being developed to prevent any recurrences. As many as 100 individuals were affected.

608 members of ODJFS, 34 recipients of Medicaid benefits, and one individual who received both types of benefits, had some of their PHI mailed to 5 different people as a result of a computer error. The computer error was corrected on March 22, 2019.

In all cases, the privacy breach was limited to names, contact information, dates of birth, case numbers, and claim numbers stored in the Ohio Benefits System. Affected individuals have been offered identity theft protection services for 12 months at no cost as a precaution.

840 University Hospitals Rainbow Babies & Children’s Hospital Patients Notified of Impermissible PHI Disclosure

University Hospitals Rainbow Babies & Children’s Hospital in Cleveland, OH, has discovered the PHI of 840 patients has been accidentally disclosed due to an error made by one of its employees.

The employee sent an email to a group of patients that contained a limited amount of personally identifiable information. The email was sent on February 28, and while information about patients was not detailed in the message, it implied that all individuals to whom the email had been sent suffer from the same medical condition.

The employee should have added the message recipients to the BCC field but made an error and included their emails in the ‘to’ field. As a result, the email addresses of all recipients of the email were visible to other members.

All individuals affected have been notified of the privacy breach, and the hospital has sanctioned the employee “in a manner deemed appropriate for the violation.” The employee has been reeducated on proper mail procedures, and further education on patient privacy and HIPAA requirements will be provided to other staff members.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.