Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI

Two communication errors have been reported by HIPAA-covered entities in the past few days, which have resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI).

Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI

Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2019, informing them that a third-party vendor contracted to Mercy Health made an error with a recent mailing.

Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses so that letters could be sent to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses, and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed.

During the breach investigation, it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible disclosure of PHI under HIPAA. Mercy Health has received satisfactory assurances that the mailing vendor is aware of its responsibilities under HIPAA, and a BAA is now in place.

Hawaii Hospital Notifies Patients of Email Error

On February 3, 2019, an employee of The Queen’s Health Systems in Hawaii sent an email with an attachment to an incorrect recipient. The attached file contained the PHI of 2,852 patients of The Queen’s Medical Center and Queen’s North Hawaii Community Hospital. The email error was detected the following day.

Efforts were made to contact the person who had been sent the email in error to ensure the patient list is deleted, but no response has been received. The email attachment included patient names, admission dates, discharge dates, health plan ID numbers, and limited information about the care received. The file also contained the diagnoses of 300 patients. The breach affected patients who received medical services after June 1, 2019.

No reports have been received to suggest patient information has been misused. Patients have been advised to monitor their explanation of benefits statements and to report any services that are listed but have not been received.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.