HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mailing Error Causes Howard University Privacy Breach

Howard Hospital in Washington, D.C., has announced that a mailing error resulted in letters containing patient names, account numbers and the dates of past visits being sent to the wrong recipients.

In this instance, only a limited amount of data was exposed. No financial information, insurance details, health data or Social Security numbers were compromised in the incident.

The privacy violation was caused by a data error, according to a statement issued by the hospital. Howard Hospital’s Faculty Practice Plan had contracted two companies, California Healthcare Medical Billing, Inc. and JP Recovery Services, Inc., to send notification letters to patients advising them that their medical bills had not been paid.

The letters were sent to individuals as instructed; however, a data error resulted in patients sharing the same surname being sent letters intended for other recipients. In total, 1,445 letters were sent to the wrong individuals.


The university has reviewed the incident and will be taking steps to prevent similar privacy breaches from occurring in the future.

This breach may cause some confusion and annoyance among patients, but due to the limited data exposed, it is unlikely that affected individuals will suffer any harm, loss or damage. The same cannot be said for the university.

Personally Identifiable Information (patient names) was exposed along with data classed as Protected Health Information under the Health Insurance Portability and Accountability Act. The HIPAA Privacy Rule covers data relating to the provision of healthcare to an individual as well as past, present and future payment for the provision of healthcare, and account numbers and dates of service tied to a named patient fall within that definition. The erroneous mailing therefore constitutes a breach under the HIPAA Privacy Rule.

HIPAA Rules require that breach notification letters be sent to all affected individuals within 60 days of discovery of the breach. The mailing went out on May 6, 2015, and the university first started hearing of the mailing error on May 11, 2015. According to a Friday report in the Washington Post, the university “will individually notify all of the affected patients,” suggesting the notification letters have not yet been sent; if the 60-day window is missed, that would be a violation of the HIPAA Breach Notification Rule.

Delaying breach notifications unnecessarily and sending letters after the HIPAA deadline invites OCR attention and could potentially result in a financial penalty. Covered entities are advised to act decisively and promptly when they discover a data breach, and should aim to issue breach notification letters well before the HIPAA deadline.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.