Recent breaches involving mailings underscore the importance of having business associate agreements (BAAs) in place for mailing vendors, plus stringent quality control on all mailings regardless of whether they’re produced in-house or by a contractor, HIPAA attorneys say.
Two recent widely-publicized breaches—Aetna, Inc.’s mailing that disclosed the use of HIV medications (RPP 2/18, p. 5) and a mailing from Triple-S Management Corp. that went to the wrong addresses—show that the process of sending protected health information via the postal service has many moving parts where privacy breaches can occur.
“Although the Aetna and Triple-S incidents are pretty different, they both demonstrate that even as cyber-incidents grab most of the headlines when it comes to data breaches, paper-based mailings present plenty of opportunities for error and can be a potent source of risk for covered entities and BAs,” says Alex Pearce, attorney with Ellis & Winters LLP in Raleigh, N.C.
Meanwhile, there were at least two other breaches involving mailings in late 2017 and early 2018, including one that involved window envelopes.
◆ A vendor for Tufts Health Plan that mailed member identification cards to 70,320 Tufts Medicare Advantage members used envelopes that showed the Tufts Health Plan member ID number, in addition to the member’s name and address.
According to the breach notification posted on Tufts’ website: “The member ID number is not supposed to be visible in the address window of the envelope.” The mailing took place between Dec. 11 and Jan. 2, and Tufts says it discovered “the full extent of this error” on Jan. 18. The health plan states: “We have consulted with experts in the legal and fraud areas, and we have determined that this situation presents a very low risk to any member’s personal information.”
◆ A series of programming and printing errors at CarePlus Health Plans, a Medicare Advantage insurer in Florida, resulted in explanation of benefits (EOB) letters for some members being incorrectly sent to other members. This breach potentially affected around 11,200 individuals. The information disclosed included names, health plan identification numbers, dates of service, provider names, and services provided.
CarePlus says it is taking additional steps to protect privacy as a result of this incident, including “enhancements to our printing software to prevent formatting errors, more rigorous testing procedures and implementation of additional quality audit controls of EOBs prior to mailing.”