The St. Vincent Breast Center in Indianapolis has reported a HIPAA marketing violation that affected 63,325 of its patients.
The accidental disclosure of PHI occurred as a result of a marketing communication sent by mail to some of the center’s patients; the letters contained personal information and appointment details relating to patients other than the addressee.
The HIPAA marketing violation, which has been attributed to a clerical error, was noticed approximately 10 days after the letters were mailed, when the medical center began receiving reports from patients that the communications they had received contained incorrect information.
According to a statement released by St. Vincent’s, the error occurred on May 10, 2014, in a marketing communication sent to patients of the Indianapolis Breast Center P.C. and Solis Women’s Health Breast Imaging Specialists of Indiana P.C. The communication was intended to welcome the patients to the medical center and to confirm their appointment details.
The Health Insurance Portability and Accountability Act protects the privacy of patients by restricting how their healthcare information may be used and disclosed. The legislation prohibits the disclosure of PHI to unauthorized individuals, and when such a disclosure occurs, the institution responsible can be fined.
When deciding whether a fine is appropriate, the Office for Civil Rights assesses the severity of the violation and considers the number of people affected, the type of data disclosed, the effect the disclosure is likely to have on the victims, and how the breach was caused. The OCR also looks at the actions taken by the healthcare provider – or other covered entity – after the breach occurred before deciding on corrective action. In some cases, such as severe HIPAA violations, the decision is made to issue a financial penalty.
Although a large number of patients have been affected by this HIPAA marketing violation, the data that was disclosed is unlikely to cause any damage to the patients. A fine may not be warranted on this occasion, although an action plan is likely to be issued by the OCR to ensure that the healthcare provider does not cause any further HIPAA violations.
Breach Notification Letters Sent to All Affected Individuals
All HIPAA-covered entities have a number of obligations after PHI has been disclosed to unauthorized individuals, one of which is to send breach notification letters to all affected individuals advising them of the information that has potentially been disclosed. Under the HIPAA Breach Notification Rule, those letters must be sent without unreasonable delay and no later than 60 days after the breach is discovered, and a breach affecting more than 500 individuals must also be reported to the Department of Health and Human Services and to prominent media outlets. St. Vincent Breast Center has now completed dispatching the letters to all affected individuals.
The letters state that the hospital made an error which resulted in a limited amount of Protected Health Information being disclosed. St. Vincent’s confirmed that any letters returned as undeliverable will be securely destroyed, and patients were also informed that policies and procedures at the hospital will be updated to prevent similar administrative errors from occurring in the future.
Even though the risk to patients is very low, they have been advised to monitor their credit reports and benefits statements for any sign of fraudulent activity. Since Social Security numbers and financial information were not disclosed, it is unlikely that patients will suffer any loss or damage as a result of the HIPAA marketing violation. For that reason the healthcare provider will not be providing credit monitoring services free of charge, although patients have been given information on how to obtain a free credit report.