HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail.

A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes.

Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard.

A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of Family Medicine and Community Health. UW-Madison took the decision to ask its patients how it could improve the quality of its services.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

A survey was sent to patients in a sealed envelope. However, a reminder about that survey was sent out on a postcard. Printed on the reminder cards, in plain sight, was a reference to prescribed medications and family planning services: A violation of patient privacy and breach of HIPAA Rules.

UW-Madison has mailed all individuals affected by the privacy breach alerting them to the error and informing them that workflows have been reviewed and improved to prevent further privacy breaches. Additional reviews will be performed before any correspondence is sent in the future.

The above mailing errors have involved simple oversights, but the consequences were severe for patients. The third-party error that resulted in the HIV medications of Aetna plan members being exposed has caused serious harm for several patients. Some plan members had their HIV positive status disclosed to family members and roommates. Some have been forced to move home out of embarrassment and fear.

These incidents serve as a reminder to all covered entities of the risk of privacy violations from mailings. Covered entities must ensure policies and procedures are implemented to ensure all mailings are reviewed prior to dispatch to ensure sensitive data is not accidentally exposed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.