The Instance of the Revealing Envelope: HIPAA Confidentiality Obligations Extend Beyond Electronic Systems 

Published on 8/25/2017 by Gul, Saad

By Saad Gul and Michael E. Slipsky
Violations of the Health Insurance Portability and Accountability Act (HIPAA) generally involve computer breaches or procedural snafus. But a recent incident involving a mailing by insurer Aetna illustrates that HIPAA obligations apply equally to paper communications.
Consumer advocates complained that a July 28, 2017 letter from the insurer effectively exposed the HIV status of approximately 12,000 recipients. The letter, outlining options for HIV medication prescriptions, may have been visible through a window in the envelope.
Aetna apologized, while noting that not every envelope in the mailing was affected. Nevertheless, the insurer is in the process of contacting both state and federal regulators. Since HIPAA classes the inadvertent disclosure of protected health information (PHI) as a breach, the incident is being handled as one. Aetna has notified potentially affected individuals. The notification stressed that “the viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition.”
If the complaints are borne out, Aetna could be fined for violating HIPAA provisions on safeguarding PHI, as well as state regulatory obligations governing disclosure of patient health information.
The incident highlights the need for all covered entities and business associates to regularly review their practices, on paper as well as on screen, to ensure the confidentiality of PHI. While media and public attention remains focused on hackers, sometimes the threat may simply be the wrong envelope.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or Mike may be reached at 919.783.2851 or
