Devastating HIPAA Breach – Improper Mailing Makes HIV Status Visible

We may be desensitized to the near-constant reports of cyber breaches and HIPAA breaches. In most cases the concern centers on Social Security numbers and other personal identifiers that could ultimately lead to some form of identity theft. There are too many cases in which tens or hundreds of thousands, and even millions, of personal records have been breached. However, despite the fear of harm to the individuals whose information was illegally or improperly accessed, there are virtually no reports of sustained damage to the individual victims of a mass breach.

Numerous civil class actions have been initiated on behalf of the individuals whose personal information has been lost in mass data breaches with the resulting improper or illegal dissemination of personal financial/medical records. Most courts have not granted class-action status because the law firms and individuals who sought class-action status were not able to show real damages. Essentially, they could not show that the named plaintiffs actually sustained any loss or that the information was used to the detriment of the individuals.

What type of medical records would a person probably be most concerned about having improperly disseminated? Mental health records and HIV information would probably top the list and prove the most embarrassing and damaging. Anyone inclined to disagree may want to ask themselves why there are specially tailored medical release forms for mental health notes and HIV records.

Aetna recently mailed 12,000 letters with window envelopes that seemingly exposed more than the recipient’s name and address.

Window envelopes actually make sense if only the recipient's name and address can be seen through them, because they remove a step in which the wrong document can be placed into the wrong envelope. The alternative is to print the name and address directly on the envelope or to attach an address label. In either case there is a possibility that the wrong document goes into the wrong envelope, meaning the wrong person receives PHI, which is a HIPAA breach. Covered Entities and Business Associates must therefore choose between printed or labeled envelopes, which provide the most privacy but require extra vigilance in matching envelope to contents, and window envelopes, which minimize the chance of a mismatch between the envelope and the document inside it.

Seems like a no-brainer to use window envelopes.

The problem starts when other information is printed on the document inside the envelope near the recipient's name and address, and the window is large enough that this nearby text is visible, or becomes visible when the sheet shifts inside the envelope. If that happens, the only questions left are whether the visible text other than the name and address is PHI and, if so, how to deal with the breach.
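The shift problem described above can be checked before a print run rather than discovered in the mail. The following is an added example, not code from the original post or from any mailer's actual tooling: a small Python check that models the envelope window as a rectangle, widens it by the distance the folded sheet can slide in any direction, and flags every printed field other than the name and address that could come into view. It also confirms that the address block stays fully inside the window after the same shift, so the letter remains deliverable. All coordinates, field names and the layout itself are constructed for the example.

```python
from dataclasses import dataclass

# Coordinates are inches from the top-left corner of the folded letter as it sits
# behind the envelope window. Every dimension in this file is constructed for the
# example; it is not any real mailer's layout.


@dataclass(frozen=True)
class Rect:
    x: float
    y: float
    w: float
    h: float

    @property
    def right(self) -> float:
        return self.x + self.w

    @property
    def bottom(self) -> float:
        return self.y + self.h

    def expand(self, margin: float) -> "Rect":
        """Grow (or shrink, for negative margin) the rectangle on every side."""
        return Rect(self.x - margin, self.y - margin,
                    self.w + 2 * margin, self.h + 2 * margin)

    def intersects(self, other: "Rect") -> bool:
        return not (self.right <= other.x or other.right <= self.x
                    or self.bottom <= other.y or other.bottom <= self.y)

    def contains(self, other: "Rect") -> bool:
        return (self.x <= other.x and self.y <= other.y
                and other.right <= self.right and other.bottom <= self.bottom)


# The only fields permitted to appear in the window.
ADDRESS_FIELDS = frozenset({"recipient_name", "recipient_address"})


def exposed_fields(window: Rect, fields: dict, shift_tolerance: float) -> list:
    """Names of non-address fields that can show through the window.

    The aperture is enlarged by shift_tolerance on every side to model the
    sheet sliding inside the envelope; anything that overlaps the enlarged
    zone is treated as potentially visible.
    """
    zone = window.expand(shift_tolerance)
    return sorted(name for name, box in fields.items()
                  if name not in ADDRESS_FIELDS and box.intersects(zone))


def address_fits(window: Rect, fields: dict, shift_tolerance: float) -> bool:
    """True if the full address block stays visible after the sheet shifts."""
    safe = window.expand(-shift_tolerance)
    return all(safe.contains(fields[name]) for name in ADDRESS_FIELDS)


# Constructed window aperture and letter layout (hypothetical values).
WINDOW = Rect(x=0.75, y=1.9, w=4.0, h=1.0)
LETTER = {
    "date":              Rect(1.1, 1.2, 2.0, 0.2),
    "member_id":         Rect(5.5, 1.0, 1.5, 0.2),
    "recipient_name":    Rect(1.1, 2.2, 3.0, 0.15),
    "recipient_address": Rect(1.1, 2.35, 3.0, 0.3),
    # A subject line sitting just below the address block; the kind of text
    # that is hidden when the sheet is centered but slides into view.
    "re_line":           Rect(1.1, 3.05, 5.0, 0.2),
    "body":              Rect(1.1, 3.5, 6.0, 5.0),
}

if __name__ == "__main__":
    for tolerance in (0.0, 0.25):
        leaks = exposed_fields(WINDOW, LETTER, tolerance)
        ok = address_fits(WINDOW, LETTER, tolerance)
        print(f"shift {tolerance:.2f} in: exposed={leaks} address_visible={ok}")
```

With no shift the layout passes, but a quarter inch of movement brings the subject line into the window, which is exactly the failure the post describes. The tolerance should be set from measurement of the actual envelope and insert, not guessed.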

Unfortunately, in the case of the 12,000 letters that Aetna sent, the letters were meant to relay a change in pharmacy benefits, and text visible through the window on the envelopes listed the patients’ names and addresses and suggested a change in how they would fill prescriptions for their treatment of HIV.

It is reported that in certain cases, individuals who sought to keep this information from family members are no longer able to do so because of the Aetna letters.

Our hearts go out to the people whose privacy has been violated.

While demands have been made of Aetna to rectify the situation, the more global question is how PHI should be mailed.

Is the window-envelope standard a reasonable practice, provided no information other than the name and address is printed on the sheet where it can align with the window, or should letters go out in standard all-paper envelopes with either printed names and addresses or address labels? Each protocol has its own distinct pros and cons.

What do you think?

Comments 25

  1. This should become a learning opportunity. I tend to think of HIPAA risk in terms of digital risk. This is a reminder to me that most patient correspondence still occurs on paper, which in my opinion is more difficult to secure. This requires that we not forget to think in terms of analog risks even as we forge ahead to digitize.

    1. The panel upon which the name of the patient (recipient) is typed should be designated “blank” but for the name & address. Sending sensitive information through USPS or cyberspace is ITSELF a ‘breach’ since the information (though ‘sealed’ or technically encrypted) can fall into the wrong hands.

  2. No human systems are without error.

    A brilliant plan can be screwed up by poor execution.
    Our world values information now more than almost anything.

    We need to educate everyone more on security…
    ID theft & other information crimes are growing exponentially as we invite them on larger scales.

    When Jesse James stole money from a bank he had to carry it…
    Today’s criminals using a computer need not carry anything.

    Constant reminders for users/organizations & incredibly stiff penalties for criminals are needed.

    Risk Management needs to be on everyone's top priority list.
    We can no longer close the barn after the cows leave.
    Digital technology killed that methodology.

    I help my students wrestle with such questions & find new answers.
    Over 10 years ago my students were wrestling with the risks of driver-less vehicles.

    We will be seeing those risks come to life in the next 5 to 10 years.
    Join me at NYU… No prerequisites, except a need to know more…
    You are just a click away.

    The future is now & your options are universal!

    Best wishes,
    Professor Rich

  3. Honestly, there are no foolproof systems without the risk of exposure. I tend to think of HIPAA contravention in terms of a digital risk; the risks of exposure are imminent. Most communications I have with patients for the most private issues happen on letterheads or pieces of paper that could easily be a conduit to mischief. Sometimes patient details can be exposed even through the most watertight barriers too. Finally, the onus is on the work ethics that need to be appropriately preserved with integrity. Yet if something leaks out, deal with it!
