Mailing Error Exposes PHI of PHP Health Plan Subscribers

Physicians Health Plan of Northern Indiana has alerted some of its Indigo members about a breach of a limited amount of their Protected Health Information (PHI) after an error was made mailing their billing statements.

The breach involved multiple billing statements being sent on December 8, 2015, some of which were intended for other health plan subscribers. The mistake has been attributed to human error.

Only members of the Indigo individual health plans who had purchased off-Marketplace coverage and had elected to receive billing statements in the mail were affected. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, 1,708 health plan members were affected, which is fewer than 5% of its subscribers.

The PHI printed on the paper billing statements included subscribers’ names, addresses, monthly premium amounts, and PHP identification numbers. No other data were printed on the statements.

Out of an abundance of caution, Physicians Health Plan of Northern Indiana has sent breach notification letters to all patients included in the mailing, including the policyholders, their spouses, and any adult dependents included on the policies. PHP has pointed out that receiving a breach notification letter does not necessarily mean that the individual in question has been impacted by the breach, only that they had been included in the December 8 mailing.

They have also been provided with a postage-paid envelope to allow them to return the statements to PHP without charge. This will allow PHP to determine exactly which members have been affected, and will ensure that the letters can be securely destroyed. PHP has also included a form that members have been asked to complete and return to indicate if they have already trashed the incorrect billing statements.

Because ID numbers have been exposed, there is a possibility that the information could be used inappropriately. To protect plan members, all affected individuals have been issued with new ID numbers and have been sent a new PHI card in the mail. Those cards should be delivered no later than January 6, 2016.

Physicians Health Plan of Northern Indiana now joins a growing list of HIPAA-covered entities to have experienced PHI breaches as a result of errors made during mailings. In the past four months alone, nine HIPAA-covered entities have reported the exposure of patient/plan member information as a result of printing and mailing errors.

There is a growing threat of cyberattacks and insider data theft, but covered entities must also ensure that controls are put in place to limit the potential for errors such as these to be made by employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.