Healthcare Data Privacy

Alabama Data Breach Notification Act Passed by State Senate

Posted by HIPAA Journal

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week.

Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents.

The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm.

Entities that would be required to comply with the Alabama Data Breach Notification Act are persons,

sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive personally identifying information.

Sensitive personally identifying information is defined as a first name/first initial and last name combined with any of the following data elements, provided they are not truncated, encrypted, or hashed:

  • Social Security number
  • Tax ID number
  • Driver’s license number
  • State identification card number
  • Military identification number
  • Passport number
  • Other unique government identification number
  • Medical information such as health history, treatment or diagnosis or mental/physical condition
  • Health insurance number or unique identifiers used by health insurers for identification of an individual
  • Financial account number (bank account, credit card, or debit card) combined with an expiry date, security code, PIN, password, or other information that would allow a financial transaction to be conducted
  • Username or email address along with a password or security question answer that would allow an account to be accessed

The Alabama Data Breach Notification Act also calls for entities holding the above information to implement and maintain reasonable security measures to protect sensitive personally identifiable information. A risk analysis must be conducted to identity potential security risks and safeguards would need to be adopted reduce those risks to a reasonable level. Measures to protect data should be appropriate for the sensitivity of the data, the amount of data held, the size of the organization, and the cost of safeguards relative to the company’s resources.

If the Alabama Data Breach Notification Act is passed, state residents would have to be notified of data breaches within 45 days of discovery of a breach. Companies that fail to issue the notifications could potentially be fined up to $5,000 per day for any delay in issuing notifications up to a maximum of $500,000 per breach. Lawsuits could be filed by the attorney general’s office on behalf of breach victims, although private actions would not be possible.

Breach notices would be required to include the date or estimated date of the breach, a description of the information exposed, details of the steps that can be taken by breach victims to protect themselves against harm, details of the steps taken by the breached entity to restore security and confidentiality of data, and contact information for further information about the breach. A breach notice would also need to be submitted to the state attorney general’s office if the breach impacts more than 1,000 individuals.

In contrast to data breach notification laws in some US states that exempt HIPAA covered entities that are in compliance with HIPAA laws, the Alabama Data Breach Notification Act would apply to HIPAA covered entities.

The current maximum time frame for HIPAA covered entities is 60 days from the date of discovery of a breach. For Alabama residents at least, that time frame would be reduced by 15 days.

The post Alabama Data Breach Notification Act Passed by State Senate appeared first on HIPAA Journal.

Is a HIPAA Violation Grounds for Termination?

Posted by HIPAA Journal

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules?

Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy?

Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination?

Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations.

When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for patients whose privacy has been violated, potential legal issues arising from the violation and possible action by regulators. Healthcare organizations will be keen to take action to ensure that similar violations are prevented in the future.

When an employee is discovered to have knowingly or unknowingly violated HIPAA Rules there are likely to be repercussions for the individual concerned.

An unintentional acquisition, access, or use of protected health information by a workforce member in which the acquisition, access, or use was made in good faith and within the scope of authority would not be a reportable breach and may not necessarily result in disciplinary action.

Some healthcare organizations have strict rules on violations of HIPAA Rules and regularly terminate employees for HIPAA violations. Others have a policy of dealing with minor HIPAA violations internally. Depending on the nature of the violation, the incident may warrant disciplinary action against the individual concerned which could see the employee suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.

Ultimately the repercussions for a HIPAA violation will depend on the polices in place at an organization and the severity of the violation. A violation of the Minimum Necessary Information Standard may, depending on the circumstances, be considered a matter for internal disciplinary action and not termination. Viewing the medical records of any patient without authorization is likely to result in termination unless the incident is reported quickly, no harm was caused to the patient, and access was accidental or made in good faith.

Recent Cases Where Healthcare Providers Deemed a HIPAA Violation Grounds for Termination

Criminal Penalties for HIPAA Violations

Termination may not be the worst that can happen when HIPAA Rules are violated by employees. Healthcare employees may be found criminally liable for HIPAA violations and cases can be referred to the Department of Justice for prosecution.

Criminal violations of HIPAA Rules can result in financial penalties and jail time for healthcare employees. A fine of up to $50,000 and one year in jail is possible when PHI is knowingly obtained and impermissibly disclosed. A fine of up to $100,000 and five years in jail is possible for violations involving false pretenses, and a fine of up to $250,000 and up to 10 years in jail is possible when HIPAA Rules have been violated for malicious reasons or for personal gain. A further 2 years can be added onto the sentence for aggravated identity theft.

The post Is a HIPAA Violation Grounds for Termination? appeared first on HIPAA Journal.

Is Google Calendar HIPAA Compliant?

Posted by HIPAA Journal

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.  

Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.

Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.

A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.

Google’s Business Associate Agreement

Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.

HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.

Is Google Calendar HIPAA Compliant?

So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.

The post Is Google Calendar HIPAA Compliant? appeared first on HIPAA Journal.

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

The post What is HIPAA Certification? appeared first on HIPAA Journal.

How to Report a HIPAA Violation Anonymously

Posted by HIPAA Journal

One of the questions we are sometimes asked is how to report a HIPAA violation anonymously. This is because, in many cases, complaints and reports will not be reviewed or investigated without your contact details.

When you file a health information privacy complaint or a security rule violation complaint via the Office for Civil Rights´ (OCR) online Complaints Portal, the first page you are asked to complete is your name and contact details. The reason for this is because, if OCR reviews your complaint and decides to investigate it, the agency may want to contact you for further information.

You cannot go beyond the first page of the complaints process without entering any contact details; and, if you complete the form using fictitious contact details, OCR will be unable to contact you to obtain the information it needs to conduct an investigation. Consequently, it is not possible to report a HIPAA violation anonymously via the OCR Complaints Portal.

There are Other Ways of Filing a Complaint with OCR

The Complaints Portal is not the only way to file a complaint with OCR. You can download a complaint form, complete it, send it to OCR by mail or as an email attachment. The form allows you to deny consent for revealing your name or any identifying information – which is not the same as reporting a HIPAA violation anonymously and “may result in the closure of the investigation”.

You can also write anonymously to OCR, send an email from a disposable temporary email address, or call the agency directly on (800) 368-1019. If you find none of these approaches work because OCR does not want people to report a HIPAA violation anonymously, you could try one of OCR´s Regional Offices to see if one of these are willing to accept an anonymous report.

OCR is Not the Only Agency You Can Complain To

HHS´ Office for Civil Rights is not the only “enforcer” of HIPAA. Violations of the Administrative Requirements can be reported to the Centers for Medicare and Medicaid Services (CMS), violations of the Breach Notification Rule by organizations not covered by HIPAA can be reported to the Federal Trade Commission, and criminal violations can be reported to the Department of Justice.

All these agencies have complaints processes similar to OCR inasmuch as it is difficult to report a HIPAA violation anonymously. This is also usually the case with Offices of State Attorneys General. However, if you have a strong case for an investigation and explain why you are unwilling to reveal your identity, you may be able to report a HIPAA violation anonymously to a state agency.

How Else to Report a HIPAA Violation Anonymously

State and federal agencies are not the only bodies you can approach with a health information privacy complaint or a security rule violation complaint. You can also directly approach the organization responsible for the HIPAA violation. This gives you more options to report a HIPAA violation anonymously and a greater likelihood the violation you are reporting is addressed.

It is important to note that, unless the complaint involves a data breach subsequently reported to OCR by the organization, there will be no enforcement action taken by any state or federal agency. However, while there will be no record of an organization “getting into trouble” for failing to comply with HIPAA, your anonymous report may prevent somebody else experiencing an adverse event attributable to a privacy or security violation.

How to Report a HIPAA Violation Anonymously FAQs

Why doesn´t OCR want people to report a HIPAA violation anonymously?

Not only does it make it very difficult to investigate a privacy complaint without knowing who the complaint relates to, but malicious individuals could make unsubstantiated complaints that waste the time of both OCR investigators and the organization being investigated. By insisting on verifiable contact details, OCR can prevent malicious and unsubstantiated complaints – even though this requirement could dissuade some individuals from making justifiable complaints.

If I have to give my name, what protection do I have against retaliation?

§160.316 of the HIPAA Administrative Simplification Regulations prohibits Covered Entities and Business Associates from threatening, intimidating, coercing, harassing, discriminating against, or taking any retaliatory action against an individual who reports a HIPAA violation. This not only applies to patients and health plan members, but to any individual – including members of a Covered Entity´s or Business Associate´s workforce.

Can I report a HIPAA violation anonymously if the violation affects someone else?

Even if you are reporting a HIPAA violation on behalf of another person, OCR, CMS, the Federal Trade Commission, and Department of Justice will require your verifiable contact details to ensure the report is not malicious and unsubstantiated. You may be able to report a HIPAA violation anonymously to a State Attorney General´s office; but the best way to make a report anonymously is to approach the noncompliant organization directly.

How do I report a criminal violation of HIPAA anonymously to the Department of Justice?

Unlike some crime “tip lines”, the Department of Justice does not accept anonymous reports. The only route to reporting a criminal violation anonymously is to contact the noncompliant organization´s Privacy Officer who should investigate your complaint (subject to you having a strong case). If the Privacy Officer believes a criminal violation has occurred, they will report it to OCR, who will refer it to the Department of Justice for investigation.

What should I do if I complain anonymously to an organization, but nothing happens?

It may be difficult to know if your complaint to an organization has been ignored because the organization has no way of contacting you to explain what it is doing to correct the violation – which may take some time if it involves the development of new policies and additional workforce training. However, if you are certain your complaint has been ignored and it is still within 180 days of the violation being identified, you can escalate your complaint to OCR – albeit not anonymously.

Are HIPAA complaints anonymous?

Although you can request that your name is withheld when you make a complaint to OCR, complaints made anonymously will not be investigated. This not only applies to complaints made to OCR, but also to State Attorneys General, county HHS offices, and – where applicable – CMS, and the FTC. The option exists to phone an agency and make a complaint anonymously, but without your name, it is unlikely any further action will be taken.

The post How to Report a HIPAA Violation Anonymously appeared first on HIPAA Journal.

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

Posted by HIPAA Journal

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients.

This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009.

The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty.

In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses are separate from St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information held by those medical centers was not compromised as a result of the malware infection. Only patients who have previously visited St. Peter’s Surgery & Endoscopy Center for medical treatment have potentially been affected. Letters to affected patients were mailed on February 28, 2018 and the incident has been reported to the HHS’ Office for Civil Rights.

The information potentially accessed/copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance information. Some patients also had Medicare information exposed. Patients without Medicare did not have their social security numbers exposed and no patients’ banking or credit/debit card numbers were exposed.

Patients whose Medicare information was exposed have been offered one year of credit monitoring and identity theft protection services without charge “out of an abundance of caution” and all patients have been advised to check their health insurance statements carefully for any sign of fraudulent use of their information.

No information has been released on the exact nature of the security breach, such as how the hackers gained access to the server to install malware. St. Peter’s Surgery & Endoscopy Center said action is being taken to bolster security, which includes further staff training. The purchase of additional – and more elaborate – anti-virus and anti-malware solutions is also being evaluated.

The post New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach appeared first on HIPAA Journal.

Is Google Slides HIPAA Compliant?

Posted by HIPAA Journal

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information.

Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint.

Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty.

Google Slides is a web-based presentation program that is not exempt from HIPAA under the HIPAA Conduit Exception Rule. The use of any ePHI with Google Slides is prohibited by the Privacy Rule unless healthcare organizations enter into a business associate agreement with Google prior to the use of Google Slides.

How to Make Google Slides HIPAA Compliant

The first step to take before using Google Slides in connection with any ePHI is to enter into a business associate agreement with Google. Google offers a BAA for healthcare organizations covering G Suite and Google Drive, which includes Google Docs, Google Sheets, Google Forms, and Google Slides.

As with all Google Drive services, it is essential to control who has access to files created on Google Drive. Healthcare organizations must ensure that any files created can only be accessed by individuals authorized to view the files and links to the files can only be shared with specific people. Sharing permissions should be carefully configured to prevent any accidental disclosures of ePHI.

It is important that no ePHI is included in the titles of any files created on Google Drive and third-party applications should be disabled. If applications need to be used, the security of those applications must be assessed and the developer’s documentation carefully checked. Third-party application developers would also be considered business associates and BAAs would be necessary.

Provided a BAA has been obtained from Google, Google Drive permissions are configured correctly, and best practices are followed, the Google Drive suite of products can be used by healthcare organizations in connection with ePHI.

The post Is Google Slides HIPAA Compliant? appeared first on HIPAA Journal.

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Posted by HIPAA Journal

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed.

A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018.

Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18.

Tufts Health Plan notes that its member IDs are not comprised of Social Security numbers or Medicare numbers, but potentially the member ID numbers could be misused by individuals to receive services covered by the health plan.

Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused they will not be responsible for any charges.

Plan members should check their Explanation of Benefits statements carefully and should report any services detailed on the statements that have not been received.

The health plan reports that it has been working closely with its vendor to ensure similar incidents do not occur in the future. The mailing vendor has confirmed that the error that caused the privacy incident has now been fixed.

In this case, the privacy breach was limited and patients should not be adversely affected, but similar incidents have occurred at other healthcare organizations that have caused serious problems for some individuals.

On July 28, 2017, a business associate of Aetna sent a mailing to approximately 12,000 plan members detailing a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are prescribed to treat HIV and as Pre-exposure Prophylaxis (PrEP) to prevent contraction of HIV. Information about those medications were clearly visible through the plastic windows of the envelopes. The disclosure was not limited to the postal service. In some cases, the information was inadvertently disclosed to family members and roommates.

A class-action lawsuit was filed against Aetna which was recently settled for $17 million. Aetna was also fined $1.15 million by the New York Attorney General over the privacy breach and further actions may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights.

A similar privacy incident affected Amida Care in 2017, again involving information related to HIV. In that case, the words “Your HIV detecta” were visible through the clear plastic windows of envelopes next to the name and the address, even though an additional sheet of paper had been inserted to prevent information on the enclosed double-sided flyer from being visible.

These incidents clearly highlight the risks of using window envelopes for healthcare mailings. If the decision is taken to use this type of envelope, stringent checks should be conducted to ensure that the letters cannot slip to reveal sensitive information and that the content of the mailings cannot be seen.

The post Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members appeared first on HIPAA Journal.