Aetna Learns a Hard Lesson: Paper and Snail Mail Don’t Prevent HIPAA Sins

Aug 28, 2017 | Blog

Stories of privacy and confidentiality breaches abound like autumn leaves as summer transitions to fall. It’s enough to make a health plan move to paper for sensitive information. Really, what can go wrong with paper? A lot, Aetna learned recently, if safeguards are relaxed because the medium is paper sent through the US mail, as revealed in a press release by the AIDS Law Project of Pennsylvania on August 24, 2017.

It probably seemed like a good idea at the time: With email security increasingly suspect, send notices to HIV-positive subscribers, and those on HIV prophylaxis (a prevention regimen), via “snail-mail.” Apparently, though, Aetna’s vendor used window envelopes, and when the paper inside shifted during transportation of the letters, the HIV information became visible through the window, next to the name of the recipient. Anyone viewing the letter, then, would know that the recipient was under treatment for HIV and/or AIDS or was undergoing a regimen for prevention of HIV.

HIV-AIDS information is perhaps the most sensitive in the healthcare universe. In addition to HIPAA and other federal regulations, diagnostic and treatment information is protected by laws of many states, and several of those provisions offer stricter protection than HIPAA. This is for good reason: Discrimination against HIV-positive individuals in housing, employment and education is still pervasive.

Aetna sent the letters on July 28 to approximately 12,000 individuals, and CNN has reported numerous complaints from affected individuals to a number of law firms. Aetna subsequently sent a notice to affected patients (with the curious heading “Welcome to Your Aetna New Pharmacy”), advising of the mishap and providing the recipient with information for filing a HIPAA Complaint with the Office of Civil Rights of the U.S. Department of Health and Human Services, the agency that enforces the HIPAA rules.

Expect many of them to take Aetna’s advice in this regard.

If you have questions regarding HIPAA compliance, for paper as well as electronic communications, please contact Kenneth N. Rashbaum.