Recently, two incidents were reported to OCR that illustrate the point. In one of the incidents, a third-party error resulted in details of HIV medications used by Aetna health plan members, being improperly disclosed. Although the letters were mailed in sealed envelopes, which is a reasonable safeguard, the envelopes contained plastic windows. The names of the medications were clearly visible through these windows. OCR found, in this instance, that reasonable safeguards were not taken to avoid PHI disclosure. Disclosure could have been avoided by not using a plastic window, or by using an envelope thick enough such that PHI could not be viewed unless the envelope was opened.
The emotional costs to affected patients were severe. The third-party error that resulted in the HIV medications of Aetna plan members being exposed has caused serious harm for several patients. Some plan members had their HIV positive status disclosed to family members and roommates. Some have been forced to move home out of embarrassment and fear.
In another incident, Emblem Health sent a mailing in which the Social Security numbers of patients were accidentally printed on the outside of the mailing envelopes. This disclosure could have been avoided simply by inspecting the envelope to ensure PHI was not visible.
Government is not immune to these mistakes either. Recently, the Ohio Department of Mental Health and Addiction Services mailed a survey to patients on a postcard – instead of mailing letters in sealed envelopes. Because the contents of the postcard were visible, the fact that a patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard.
Reasonable safeguards must be employed by an organization regardless of what kind of information is being mailed. Medical records, prescription records, appointment reminders, and patient surveys, all must be mailed using reasonable safeguards that ensure PHI is not visible.