HIPAA-Breaching Email Exposed BJC HealthCare Patients’ Data

BJC HealthCare, a not-for-profit health system based in St. Louis, MO., has started notifying 2,393 of its patients that some of their protected health information has been exposed as a result of an email error that occurred on December 30, 2015.

An email containing sensitive data covered by HIPAA was sent to another medical group. While HIPAA permits the sharing of healthcare data for certain healthcare operations, the Security Rule requires any shared data to be protected in transit.

If ePHI is to be shared electronically with another covered entity or business associate, it must be adequately protected to prevent unauthorized access and to protect the integrity of those data. Controls to protect the integrity of ePHI in transit are addressable implementation specifications under 45 CFR § 164.312(e).

In this case, the data were not encrypted to the standards required by the Security Rule, and consequently the data could potentially have been intercepted in transit.

HIPAA requires covered entities to notify individuals when their PHI has been exposed or viewed by a third party to allow them to take precautions to protect their identities and reduce the risk of loss or harm.

Patients have been advised by mail that their name, date of birth, gender, and Medicare Beneficiary information were included in the email, although Social Security numbers were not exposed, and no financial or medical data were contained in the email. Patients affected by the email error were part of the healthcare provider’s accountable care organization.

An investigation into the incident showed that the email was received by the intended recipient and no other individual appeared to have gained access to any patient data, although the possibility cannot be ruled out. Out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring services for a period of one year.

In order to prevent similar errors from occurring in the future, BJC HealthCare will be conducting further staff training exercises to ensure that staff members are aware of the protocols that must be followed when transmitting data covered by HIPAA.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.