We may be desensitized to the almost regular reports of cyber breaches, or HIPAA breaches. In most cases, the concern is primarily related to Social Security numbers and other personal identifiers which ultimately could lead to some variation of identity theft. There are too many cases where tens or hundreds of thousands, and even millions of personal records have been breached. However, despite the fear of damage to the individuals whose information was illegally or improperly accessed, there are virtually no reports of any sustained damage to the individual victims of a mass breach.
Numerous civil class actions have been initiated on behalf of the individuals whose personal information has been lost in mass data breaches with the resulting improper or illegal dissemination of personal financial/medical records. Most courts have not granted class-action status because the law firms and individuals who sought class-action status were not able to show real damages. Essentially, they could not show that the named plaintiffs actually sustained any loss or that the information was used to the detriment of the individuals.
What type of medical records would a person probably be most concerned about being improperly disseminated? Mental health records and/or HIV information would probably top the list and prove to be the most embarrassing and damaging. To the extent anyone wants to disagree, they may want to ask themselves why there are specially tailored medical release forms for mental health notes and HIV records.
Aetna recently mailed 12,000 letters with window envelopes that seemingly exposed more than the recipient’s name and address.
Window envelopes actually make sense if one can only see the name and address of the recipient, because they limit the possibility of the wrong medical record being placed into the wrong envelope. The alternative is to either print the name and address on the envelope or attach stickers to the envelope. In either case there is a possibility that the wrong document goes into the wrong envelope, which means that the wrong person gets PHI, which would be a HIPAA breach. Covered Entities and/or Business Associates must decide whether to use printed or stickered envelopes, which provide the most privacy but need extra vigilance, or window envelopes, which minimize the chances of a mix-up between envelopes and the documents they contain.
Seems like a no-brainer to use window envelopes.
The problem starts when information is printed on the documents inside the envelope near the name and address of the recipient, and the window is large enough that this information is readily seen, or can be seen if the papers inside the envelope shift. If that happens, the only question left is whether the visible printed information other than the name and address is PHI and, if so, how to deal with the breach.
Unfortunately, in the case of the 12,000 letters that Aetna sent, the letters were meant to relay a change in pharmacy benefits, and text visible through the window on the envelopes listed the patients’ names and addresses and suggested a change in how they would fill prescriptions for their treatment of HIV.
It is reported that in certain cases, individuals who sought to keep this information from family members are no longer able to do so because of the Aetna letters.
Our hearts go out to the people whose privacy has been violated.
While demands have been made of Aetna to rectify the situation, the more global question is how PHI should be mailed.
Is the window envelope standard a reasonable practice, provided no other information is printed on the sheet of paper with the name and address, or should letters have standard all-paper envelopes with either printed names and addresses or stickers? Obviously, each protocol has its own distinct pros and cons.
What do you think?