Reducing the Risks of PHI Disclosures in Mass Mailings

Last week a large health plan made news in a highly unenviable manner. It came to light that the company had sent out 12,000 notices to policyholders across the U.S. in envelopes that revealed highly sensitive HIV prescription information. The backlash was severe and predictable – in addition to making national headlines, plaintiffs’ lawyers almost immediately filed class action litigation against the company.

When news like this occurs, we always consider how we can help our clients avoid similar fates. There is often a certain amount of bad luck involved in situations like this, and we have no first-hand insights into what happened in this unfortunate scenario. But it provides an opportunity for healthcare organizations to take stock of their patient communication protocols, and heed some general guidelines for handling protected health information (PHI), as outlined below. 

Reducing the Risks of Disclosures in Mass Mailings 

In a highly regulated industry like healthcare, cutting corners or ignoring details regarding matters of compliance can put your company or practice at serious risk of fines, litigation and reputational damage. In an effort to mitigate these risks when it comes to customer communications, companies and practices should take note of the following guidance: 

  1. Details matter: Review and approve any communication sent out to your customers or patients before it is sent. In the case of a paper mailing,  
    • Request a mock-up from the vendor or the in-house administrative staff preparing the mailing and ensure that the entire mailing, including the envelope, sufficiently conceals all PHI. 
    • Conduct a “tap test” to see how the envelope’s contents shift and check for transparency and visibility. 
  2. Budget adequately: Purchase supplies with added features and safeguards that will ensure PHI is protected. In the case of a paper mailing, 
    • Select envelopes with a smaller window that only features the customer’s address and print the company’s logo and address on the envelope directly; or better still, select envelopes with no window and print both addresses directly on the envelope. 
    • Wrap the contents of the mailing in a blank sheet of paper labeled, “This page intentionally left blank.” 
    • Use a thicker envelope made with opaque paper and consider adding a security insert to preclude transparency. 
  3. Hire the right people: Hire a vendor with a strong reputation for diligence and oversight, who utilizes security cameras and can scrutinize the assembly of mailings and help identify issues upfront.  Furthermore, ensure that both employees and vendors are well trained in privacy regulations and appropriate ways to ensure compliance. 
  4. Build teams with the right mix of people: Most organizations have at least a few detail-oriented people who are described variously as “compulsive,” “in the weeds,” “type A,” “overly zealous” and -- less charitably -- “a pain” (or worse). Although working with such individuals can be challenging at times, news like this is a great reminder that detail-oriented people bring important skills to a team.   

In highly regulated industries we believe it pays to manage and build teams that include a healthy balance of risk-averse, cautious individuals along with more aggressive risk-takers. And when it’s difficult to know whether that balance is right, it helps to have trusted advisors who are familiar with enforcement matters to keep realistic risks and rewards in perspective.  

If you have questions about any of these recommendations, or want to learn how to apply them to your organization, please contact us.
