Dedicated to providing the latest
HIPAA compliance news

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Share this article on:

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail.

A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes.

Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard.

A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of Family Medicine and Community Health. UW-Madison took the decision to ask its patients how it could improve the quality of its services.

A request to take part in a survey was sent via mail, but rather than sending letters inside sealed envelopes, the decision was taken to send postcards. Printed on the postcards, in plain sight, were references to prescribed medications and family planning services: A violation of patient privacy and breach of HIPAA Rules.

UW-Madison has mailed all individuals affected by the privacy breach alerting them to the error and informing them that workflows have been reviewed and improved to prevent further privacy breaches. Additional reviews will be performed before any correspondence is sent in the future.

All of the above mailing errors have involved simple oversights, but the consequences can be severe for patients. The third-party error that resulted in the HIV medications of Aetna plan members being exposed has caused serious harm for several patients. Some plan members had their HIV positive status disclosed to family members and roommates. Some have been forced to move home out of embarrassment and fear.

These incidents serve as a reminder to all covered entities of the risk of privacy violations from mailings. Covered entities must ensure policies and procedures are implemented to ensure all mailings are reviewed prior to dispatch to ensure sensitive data is not accidentally exposed.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On