By Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates
This summer, Aetna made headlines when it used a contractor to send a mailing to 12,000 members. The mailing involved letters sent in windowed envelopes typical of mass business mailings. For some patients, the following language, revealing the members’ HIV status, was visible through the envelope window: “The purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…members can use a retail pharmacy or a mail order pharma….”
This breach of sensitive patient information had health care providers scratching their heads: We didn’t think about this as a risk. How can we possibly anticipate every possible HIPAA breach?
Four months later, we see another HIPAA gaffe involving – yes – a mass mailing. This time, the breach involved a not-for-profit community health plan that provides care and coverage to Medicaid patients with chronic health conditions – like HIV.
The health plan mailed flyers to HIV patients, promoting an HIV research project. The mailroom was careful to assemble the mailing so that no PHI was visible through the envelope window. But, the language “Your HIV detecta” could potentially be seen through the paper envelope.
What’s a provider to do?
Providers are already scrambling to keep up with skyrocketing cyber threats to their ePHI. These two envelope breaches are reminders that HIPAA risks are everywhere, and a HIPAA Privacy Officer’s job never ends. How do we prevent breaches that seem so hard to anticipate?
- Remember that paper still counts. Yes, healthcare is the #1 target of cyber-attacks. But paper breaches are still very common, and need our attention, too.
- Use your security risk analysis. Make an ePHI inventory.Then, expand it to include paper and verbal PHI. Include all ways PHI is stored, used, disclosed, and accessed. This should cast a wide net, and capture paper mailings.
- Use a team approach. When it comes to identifying risks in a diverse and evolving field, more heads are better than one. Talk to your Compliance Committee regularly about HIPAA. Constantly ask people what they are working on, so you can identify HIPAA risks where others may have overlooked them.
- Keep an eye on your neighbors. These two envelope examples are a cautionary tale for other providers. Watch the headlines and OCR settlements and guidance. Find out how other providers experienced breaches, and do everything you can to prevent them in your own organization.