Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI


Two communication errors have been reported by HIPAA-covered entities in the past few days, which have resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI).

Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI

Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2019, informing them that a third-party vendor contracted to Mercy Health made an error with a recent mailing.

Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses, and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed.

During the breach investigation, it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible disclosure of PHI under HIPAA. Mercy Health has received satisfactory assurances that the mailing vendor is aware of its responsibilities under HIPAA, and a BAA is now in place.

Hawaii Hospital Notifies Patients of Email Error

On February 3, 2019, an employee of The Queen’s Health Systems in Hawaii sent an email with an attachment to an incorrect recipient. The attached file contained the PHI of 2,852 patients of The Queen’s Medical Center and Queen’s North Hawaii Community Hospital. The email error was detected the following day.

Efforts were made to contact the person who had been sent the email in error to ensure the patient list is deleted, but no response has been received. The email attachment included patient names, admission dates, discharge dates, health plan ID numbers, and limited information about the care received. The file also contained the diagnoses of 300 patients. The breach affected patients who received medical services after June 1, 2019.

No reports have been received to suggest patient information has been misused. Patients have been advised to monitor their explanation of benefits statements and to report any services that are listed but have not been received.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
