Find the latest The Compliance & Ethics Blog updates online · complianceandethics.org
Don't forget to subscribe to the daily digest · bit.ly/SCCEBlogSubscribe
HCCA The Compliance & Ethics Blog Highlights
Window woes
Aetna made headlines when it used a contractor to send a mailing to 12,000 members. For some patients, the following language, revealing HIV status, was visible through the envelope window: “…Aetna health plan when filling prescriptions for HIV Medic…”1 This breach puzzled providers: How can we anticipate every breach?
Too much transparency
Four months later, we saw another HIPAA gaffe involving a mass mailing. A health plan mailed flyers promoting research to HIV patients. The mailroom carefully assembled the mailing so no PHI was visible through the envelope window. But, “Your HIV detecta” could potentially be seen through the envelope.2
EmblemHealth subsidiary Group Health, Inc. mailed a Medicare Prescription Drug Plan Evidence of Coverage to patients. GHI’s mailing procedure uses patient identifiers: random numbers that cannot identify the patient. However, GHI accidentally sent patient Health Insurance Claim Numbers (HICNs) to the mailing vendor, which ended up on the mailing labels. The HICNs include patient Social Security numbers. EmblemHealth notified patients of the potential breach.3
What can we do?
Providers already scramble to keep up with skyrocketing cyber threats. How do we prevent breaches that are hard for even the best compliance officers to anticipate?
· Paper counts. Healthcare is the #1 cyber attack target. But paper breaches are common and
· Don’t forget the BAA. If you outsource mailings, get a business associate agreement.
· Involve your Privacy Officer. Can the Officer preview a sample of mailings? This precaution might prevent inadvertent vendor errors. If a preview process is burdensome, put together mailing protocols. Distribute the protocols to vendors — or incorporate them into
· Use your risk analysis. Add paper and verbal PHI to your ePHI inventory. Cast a wide net. Don’t forget mailings!
· Use your team. When it comes to identifying risks in a diverse and evolving field, more heads are better than one. Ask people what they are working on, so you can identify HIPAA risks where others might
· Know your neighbors. Watch the headlines and OCR guidance. Find out how others experienced breaches, and prevent them in
1. Susan Morse: “Aetna violated HIPAA when envelope windows exposed HIV medication news, attorneys say” Healthcare Finance, August 25, 2017. Available at: http://bit.ly/2C0ORKu
2. Leslie Small: “Payer Roundup — Amida Care reports HIV privacy breach; UnitedHealth eyes new markets in Minnesota” Fierce Healthcare, October 16, 2017. Available at: http://bit.ly/2BQbhLY
3. Elizabeth Snell: “Potential Horizon BCBS Data Breach for 170k from Printing Error” HealthITSecurity, November 17, 2016. Available at: