Greater Oversight Needed to Avoid Mailing Error and PHI Breach

What are the Responsibilities of a HIPAA Compliance Officer?

Healthcare providers should be careful not to disclose protected health information (PHI) in mailings. Lately, there were two incidents submitted concerning the disclosure of sensitive information due to insufficiency of oversight while communicating with patients through mail.

A third-party mistake caused the improper disclosure of information of HIV medicines utilized by Aetna plan members. Aetna sent letters in sealed envelopes, however prescribed HIV medicines were obviously seen through the envelopes’ clear plastic windows.

In the previous year, Emblem Health sent mail wherein patients’ Social Security numbers were unintentionally printed on the exterior of envelopes and the Ohio Department of Mental Health and Addiction Services dispatched a postcard survey to patients instead of utilizing letters enclosed in envelopes. In that instance, the patient’s condition of undergoing  mental health treatment can be revealed to any person who happened to look at the postcard.

The same occurrence has lately impacted University of Wisconsin-Madison’s Department of Family Medicine and Community Health patients. UW-Madison made the decision to inquire from its patients how the quality of services can be improved.

UW-Madison sent a survey in a sealed envelope to patients. But a reminder regarding that survey was delivered on a postcard. A reference to the prescribed medicines as well as family planning services was imprinted in plain sight on the reminder cards. This is a violation of patient privacy and HIPAA Rules.

UW-Madison has notified all people impacted by the privacy breach telling them about the mistake and telling them that processes were assessed and improved to avoid more privacy breaches. More reviews will be carried out prior to sending correspondence in the future.

The mailing errors mentioned above all involved simple oversights, however the effects were serious for patients. The third-party mistake which caused the HIV medications of Aetna plan members to be disclosed caused significant harm to a number of patients. A number of plan members had their HIV positive condition revealed to family members and even roommates. A few were forced to relocate due to humiliation and fear.

These occurrences remind all covered entities about the danger of privacy violations resulting from mailings. Covered entities need to make sure the proper implementation of policies and procedures. Reviewing mailings before dispatch is recommended to be sure sensitive data is not inadvertently exposed.