The answer is sometimes “yes” and it is a violation of the law.
Healthcare providers routinely send mailers to patients about upcoming procedures or informational material; however, such information must not be sent to the wrong recipients.
Once health information is mailed, it is very difficult to recapture. If the mailings went to the wrong recipients, it may be a data breach.
Molina Healthcare, a multi-state healthcare organization, reported that a postcard mailing error in March had resulted in 5,261 former members’ Social Security numbers being inadvertently exposed.
The report indicates that only Washington State residents were affected by the data breach and that the mix-up occurred when the Social Security numbers were mistaken for tracking numbers.
“The big question here, of course, is what type of business associate agreement Molina had in place with the printing contractor and whether there otherwise was an indemnification or breach notification agreement in place.”
Health care providers need to:
- Work with a HIPAA/HITECH attorney to ensure that their PHI is protected by all vendors and subcontractors
- Be wary when their vendors provide the healthcare provider with the vendor’s version of its own business associate agreement. The document must be reviewed to ensure appropriate protection for the healthcare provider.
- Perform a HIPAA risk assessment to determine where the potential HIPAA risks are
- Formulate a HIPAA security plan to protect against mistakes and potential breaches.