Recently, a lawsuit was filed against Aetna in a federal court in Pennsylvania alleging that Aetna repeatedly failed to respect the privacy rights of people on HIV medications. This is not the first lawsuit brought against Aetna for violation of privacy laws. A prior lawsuit alleged that Aetna jeopardized the privacy of its beneficiaries by requiring them to receive their HIV medications through the mail and not allowing them to pick up their medications at the pharmacy. The parties reached a settlement, and Aetna sent out notices to its beneficiaries taking HIV medications instructing them on how to opt out of the mail-order program. The instructions were sent in opaque envelopes with large transparent glassine windows. Specifically, the visible portion of the letter clearly indicated that it was a communication from Aetna regarding filling prescriptions for HIV medications. As a result, the current action was commenced. The filed complaint may be accessed here.

Aetna agreed to pay more than $17 million to settle accusations that it wrongly disclosed the HIV status of nearly 14,000 people when it mailed the notices (an automatic payment of at least $500 to everyone who received the notice, along with an opportunity to request up to $20,000 in additional payments for financial and non-financial harm). Aetna also agreed to change its business practices to better protect private health information in the future.

Prior to the settlement, Aetna offered to provide “immediate relief” to people who were financially harmed by the breach. Through this program, Aetna has approved two requests for counseling services and 13 requests for reimbursement of relocation expenses.

The settlement still must be approved by the court. The patients’ lawyers are allowed to seek attorneys’ fees of nearly $4.3 million. As you can see, a privacy violation can be expensive, and preventing a breach early can spare the business that cost. There are a few common mistakes healthcare providers make when working with Protected Health Information (PHI).

1. Providers are not clear on what qualifies as PHI. For example, providers very often disclose their patients’ addresses or phone numbers, erroneously assuming that such information is not PHI. Normally, an address or a phone number on its own is not PHI. However, if this information was ever PHI, it is still PHI, and the provider has to de-identify it (redact it) or obtain the patient’s authorization to disclose it.

2. Providers often disclose PHI to a patient’s family or friends.

   Healthcare providers should not be disclosing PHI to family or friends, unless:

   – the patient is unconscious or incapacitated and the provider believes sharing information with family and close friends involved in the patient’s care is in the best interests of the patient; and

   – the provider believes that sharing information will prevent or lessen a serious and imminent threat to the patient’s health or safety.

3. When individual providers leave healthcare practices, they often take their patients’ medical files with them.

   The practice is the covered entity responsible for maintaining the records, and the patient has not expressly allowed the disclosure of his or her records to the departing provider. The patient may request that his or her records be sent to the departing provider, or, when the patient is seen by the provider at the new location, the practice may share the PHI under the “treatment” exception. A better approach is for the practice and the departing provider to sign a records custodian agreement and a Business Associate Agreement.

4. Providers often text, email, or fax PHI without ensuring proper safeguards.

   HIPAA and related federal privacy laws allow a covered entity to communicate with patients electronically, provided it applies reasonable safeguards when doing so.

   While a covered entity usually encrypts its electronic communication, it cannot control the security of the communication once an email leaves the organization’s server. To ensure safe transmission, the patient would need to use an email service that supports HIPAA-level encryption. As an alternative, HIPAA allows patients to receive communication in the formats they prefer, such as unencrypted email. Providers should prepare “opt-in agreements” in which patients consent to email or SMS communication and acknowledge that they are aware of the risks.

On faxing PHI, see a related blog post.