Howard Hospital in Washington D.C has announced a mailing error resulted in letters containing patient names, account numbers and the dates of past visits being sent to the wrong recipients.
In this instance, only a limited amount of data was exposed. No financial information, insurance details, health data or Social Security numbers were compromised in the incident.
The privacy violation was caused by a data error, according to a statement issued by the hospital. Howard Hospital’s Faculty Practice Plan had contracted two companies – California Healthcare Medical Billing, Inc. and JP Recovery Services, Inc. – to send notification letters to patients advising them that their medical bills had not been paid.
The letters were sent to individuals as instructed; however, a data error resulted in patients sharing the same surname being sent letters intended for other recipients. In total, 1,445 letters were sent to the wrong individuals.
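The error described above is a classic join-key mistake: two data sets (the list of unpaid bills and the address file) were matched on surname rather than on a unique identifier, so every patient sharing a surname could receive another patient's letter. The following is an added illustration, not code from the article, the hospital or either billing vendor; all names, account numbers and addresses are constructed. It shows the defective surname-keyed merge beside an account-keyed merge, and a pre-mailing check that refuses to proceed when the join key is not unique.

```python
# Added example (not from the article): reproducing the class of mailing
# error described in the story and the check that would have caught it.
# Every record below is constructed; names, account numbers and addresses
# are made up and do not correspond to any real patient.
from collections import Counter

# Constructed billing export: one row per outstanding bill, keyed by account.
OUTSTANDING_BILLS = [
    {"account": "A-1001", "surname": "Smith", "amount": 120.00},
    {"account": "A-1002", "surname": "Smith", "amount": 45.50},
    {"account": "A-1003", "surname": "Jones", "amount": 300.00},
]

# Constructed address file from a second system, also keyed by account.
ADDRESSES = [
    {"account": "A-1001", "surname": "Smith", "address": "1 Elm St"},
    {"account": "A-1002", "surname": "Smith", "address": "9 Oak Ave"},
    {"account": "A-1003", "surname": "Jones", "address": "4 Pine Rd"},
]


def merge_by_surname(bills, addresses):
    """The defective merge: joins the two files on surname alone, so every
    bill for a shared surname is routed to the first matching address."""
    first_address = {}
    for row in addresses:
        first_address.setdefault(row["surname"], row["address"])
    return [(bill["account"], first_address[bill["surname"]]) for bill in bills]


def merge_by_account(bills, addresses):
    """The corrected merge: joins on the unique account identifier."""
    by_account = {row["account"]: row["address"] for row in addresses}
    return [(bill["account"], by_account[bill["account"]]) for bill in bills]


def misdirected(letters, addresses):
    """Count letters whose destination differs from the address on file
    for that account; this is the number of privacy violations a mailing
    would cause."""
    expected = {row["account"]: row["address"] for row in addresses}
    return sum(1 for account, address in letters if expected[account] != address)


def preflight_check(bills, addresses, join_key):
    """Pre-mailing validation a covered entity or its vendor can run before
    printing: report a non-unique join key in the address file, and any
    bill whose key has no address at all. An empty list means safe to send."""
    issues = []
    key_counts = Counter(row[join_key] for row in addresses)
    duplicates = sorted(key for key, n in key_counts.items() if n > 1)
    if duplicates:
        issues.append(f"join key '{join_key}' is not unique in address file: {duplicates}")
    known = {row[join_key] for row in addresses}
    missing = sorted({bill[join_key] for bill in bills} - known)
    if missing:
        issues.append(f"no address on file for {join_key} values: {missing}")
    return issues


if __name__ == "__main__":
    bad = merge_by_surname(OUTSTANDING_BILLS, ADDRESSES)
    good = merge_by_account(OUTSTANDING_BILLS, ADDRESSES)
    print("surname join misdirects", misdirected(bad, ADDRESSES), "letter(s)")
    print("account join misdirects", misdirected(good, ADDRESSES), "letter(s)")
    print("preflight (surname):", preflight_check(OUTSTANDING_BILLS, ADDRESSES, "surname"))
    print("preflight (account):", preflight_check(OUTSTANDING_BILLS, ADDRESSES, "account"))
```

The preflight check is the part worth keeping: a merge that uses a key which is not unique in the address file should fail before any letter is printed, which is a far cheaper control than post-incident notification.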
The university has reviewed the incident and will be taking steps to prevent similar privacy breaches occurring in the future.
This breach may cause some confusion and annoyance among patients, but due to the limited data exposed, it is unlikely that affected individuals will suffer any harm, loss or damage. The same cannot be said for the university.
Personally Identifiable Information – patient names – was exposed along with data classed as Protected Health Information under the Health Insurance Portability and Accountability Act. The HIPAA Privacy Rule covers data relating to the provision of healthcare to an individual as well as past, present and future payments for the provision of healthcare. The mailing therefore breaches the HIPAA Privacy Rule.
HIPAA Rules demand that breach notification letters are sent to all affected patients within 60 days of discovery of the breach. The mailing went out on May 6, 2015, and the university first started hearing of the mailing error on May 11, 2015. According to a Friday report in the Washington Post, the university “will individually notify all of the affected patients,” suggesting the notification letters have not yet been sent; a potential violation of the HIPAA Breach Notification Rule.
Delaying breach notifications unnecessarily and sending letters after the HIPAA deadline invites OCR attention and could potentially result in a financial penalty. Covered entities are advised to act decisively and promptly if they discover a data breach, and should aim to issue breach notification letters well before the HIPAA deadline.