Recently, a class-action suit was filed against health insurer Aetna, alleging that patient privacy rights were violated when HIV statuses were inadvertently exposed. An ill-fitted transparent envelope window left a reference to filling HIV medications visible to anyone who handled the envelope.
The letter contained information about the changes in pharmacy benefits and access to HIV medications. At least 12,000 customers in 23 states were affected by the breach. Aetna has since apologized and investigated the issue with the vendor who handled the mailing.
We've asked our compliance and audit manager, Jill Stefka, to weigh in on the topic.
"Basically, it boils down to attention to detail," says Stefka. It’s one of the easiest ways healthcare organizations can safeguard against breaches and mitigate risk. Slowing down, looking for patterns, and taking the time to follow the process reduces the chance a breach will occur.
One Simple Thing
Let's look at another example. Many hospitals and healthcare organizations manually print and mail claims to the insurance company. This can be an area of potential risk because protected health information (PHI) can inadvertently be exposed by human error. When printing multiple claims at a time, it's important to make sure all the information matches when it is placed in the envelope. Attention to detail will catch mistakes before the mailing leaves your door and the insurance company notifies you that it received PHI not related to the claim. Quickly double-check that the patient name matches on every sheet before it is placed in the envelope. It's simple but effective.
Danger's in the Routine
“The danger comes when things become routine,” says Jill. This is the best time to step back and double-check your work. Performing repetitive tasks increases the chance you could become blind to PHI risks, exposing your healthcare organization to liability. Whether your healthcare role involves taking patient information at registration, entering payments over the phone, or printing paper claims, attention to detail directly impacts your hospital’s liability.
Risk Management Program
HIPAA compliance is everyone's responsibility, including vendors. Healthcare organizations that work with mailing vendors now have a heightened awareness after the Aetna breach.
Make sure you implement a risk management program so that you routinely assess the risk each vendor poses to your healthcare organization.
If this situation happened here, we would expect the vendor to notify us of the breach, and we would require a developed action plan on how they would prevent it from occurring in the future.
The Aetna breach reminds healthcare organizations to keep it simple — attention to detail is the simplest thing they can do to mitigate risk.