MS Center of Saint Louis and Mercy Clinic Neurology Town and Country told 1,081 of its patients that some pharmaceutical firms and third-party agencies may contact them for purposes of marketing and research, but these entities did not get permission or instruction from the hospitals.
Under HIPAA Rules, patients are not allowed to be contacted for the purpose of marketing or research except if the patients gave their consent first. But because of an error, the patients’ information were disclosed to third parties. As a result, the patients may possibly be contacted by phone, mail or email as.
The MS Center and Mercy Clinic Neurology Town and Country stated that they accidentally sent the medication onboarding forms to pharmaceutical companies, despite the fact that the patients have not signed the forms yet. The error likewise resulted in the impermissible disclosure of patients’ protected health information (PHI).
PHI specified on the forms included the patients’ names, home and email addresses, phone numbers, medical insurance details, and in some instances, treatment and prescription medication details and Social Security numbers.
Because of the sensitive nature of the PHI exposed, there is a probability that the data may be used wrongly, though MS Center and Mercy Clinic Neurology Town and Country are convinced that the data was been utilized for any other reason except for marketing and research. Nevertheless, as a precaution, all impacted persons were given the chance to sign-up for a year of credit monitoring and identity theft protection services for free.
Upon finding out about the error, the matter was investigated and the personnel likely involved were questioned regarding the occurrence. Policies and procedures were already adjusted to avoid the same incidents from happening again later on.